Showing posts with label Entra ID. Show all posts
Showing posts with label Entra ID. Show all posts

Tuesday, 20 May 2025

Entra AAD Security Groups - Remember

Overview: I have lost count of the number of poor Active Directory and Azure Active Directory environments I have encountered.  I don't think I've ever seen a good Active Directory, actually.  Certainly nothing significant over 5K 15k users. 

I'm working with a multinational, and we need to enhance our security measures.  Things are a bit all over the place, with oddly named and inconsistent elements, which is basically the norm for a 300k internal user enterprise with a history of multiple acquisitions.

I've identified a couple of properties that will create a nice hierarchy, but the issue is that I'm using more than the allowed 5k Dynamic AAD Security Groups.  

Summary of Entra, Microsoft 365 groups, and Distribution Lists work

Group Types to be aware of relating to Entra

1. Static AAD Security Groups

  • Need to add users manually or automate the process for anything but the smallest Entra users.
  • Static AAD Security groups can be nested.

2. Dynamic AAD Security Groups

  • Up to 5,000 dynamic groups. Updated Oct 2025: 15,000 
  • You can inherit Security groups or be inherited (no nesting).

3. Distribution AAD Groups

  • Used for email and calendars, not security.  
  • Only use distribution lists if the user does not have a P1 Entra licence.  
  • Simpler and better to email-enable Static Security Groups.

4. O365 Groups/Teams Groups called Microsoft 365 Group

  • A Microsoft 365 Group can inherit from O365 groups or AAD Security groups.  
  • They are managed within the org, so it's not the best idea to place heavy security on manually managed teams. 

Resolution:

I have a whole hierarchy of users within divisions and subdivisions, and I add users statically via automation to their lowest-level AAD Security Group.  Then I can add the child groups.  This gives me multiple groups that have an increasing number of users as we go up the hierarchy.  Additive groups with positive security provide the best options for me.  Stop using Distribution lists and make the AAD Security Groups email-enabled.

Alternative option on Email:

Create an O365/Teams group, then add the Security groups to the team, and this will now be email-enabled.  This is more for a collaboration-type approach or if you want to use dynamic groups.

Future Wishes:

If only Entra supported more dynamic AAD Groups per tenant or allowed Dynamic groups to be nested in static AAD groups.

Posted by Paul Beck at 22:59 0 comments
Labels: , , , ,

Sunday, 2 June 2024

AAD/EntraID with Power Platform and SharePoint Guideance

Overview

Keeping a clean hierarchical Active Directory (AD) is essential to managing permissions and having good governance in the Power Platform. This post outlines the key core concepts of securing your platforms.

Power Platform is managed at three levels:

  1. App (model, canvas or power pages),
  2. Environment (user needs permissions to the tenant environment)
  3. Source (Dataverse, SQL, SharePoint)
AAD/EntraId
Azure Active Directory (AAD) is the backbone of permissions in the Power Platform. Security groups are normally well set up within AD, but when creating a new group, I tend to use "Microsoft 365"groups to handle permissions.

The process is to add users to Groups (Security or Microsoft 365) and then give permissions using the group.  Security groups can be managed dynamically i.e. if you are in a division you automatically belong to a security group. Or Security groups allow for users to be added individually (there is also a bulk upload).

This keeps management simple, as the Microsoft groups and Security groups can be reused to grant various apps and reports permissions.

Tip: You cannot use distribution groups to assign rights to SharePoint or Power Platform.

Posted by Paul Beck at 14:04 0 comments
Labels: , , , , , ,
Subscribe to: Comments (Atom)