Overview: I have lost count of the number of poor Active Directory and Azure Active Directories I have seen. I don't think I've ever seen a good Active Directory actually. Certainly nothing large over 5K users.
I'm working with a multinational, and we need to improve the security. Things are a little all over the place, oddly named and inconsistent, basically the normal for an 300k internal user enterprise with history and multiple aquations.
I identify a coupe of properties that will really create a nice hierarchy, issue is I'm using more than the allowed 5k Dynamic AAD Security Groups.
Group Types to be aware of relating to Entra
1. Static AAD Security Groups
Got to add the users manually, or at least automate the process for anything but the smallest of Entra users.
Static AAD Security groups can be nested.
3. Dynamic AAD Security Groups
Up to 5,000 dynamic groups.
You can inherit Security groups or be inherited (no nesting).
3. Distribution AAD Groups
Used for email and calendars, not security.
4. O365 Groups/Teams Groups
They can inherit O365 groups or AAD Security groups. They are managed within the org so not the best idea to place heavy security on manually managed teams.
Resolution:
I have a full hierarchy of users within divisions and subdivisions. By adding users statically via automation to there lowest level AAD Security Group. Then I can add the child groups. This gives me multiple groups that have more and more users in as we go up the hierarchy. Additive groups with positive security gives me the best options.
Future Wishes:
If only Entra supported more dynamic AAD Groups per tenant or allowed Dynamic groups to be nested in static AAD groups
