Showing posts with label Entra ID. Show all posts

Tuesday, 20 May 2025

Entra AAD Security Groups - Remember

Overview: I have lost count of the number of poor Active Directory and Azure Active Directory setups I have seen.  I don't think I've ever seen a good Active Directory actually.  Certainly nothing large, over 5K users.

I'm working with a multinational, and we need to improve the security.  Things are a little all over the place, oddly named and inconsistent, basically the normal for a 300k internal user enterprise with history and multiple acquisitions.

I have identified a couple of properties that would create a really nice hierarchy; the issue is that I would need more than the allowed 5k dynamic AAD security groups.

Group Types to be aware of relating to Entra

1. Static AAD Security Groups

You have to add the users manually, or at least automate the process, for anything but the smallest of Entra tenants.

Static AAD Security groups can be nested.

2. Dynamic AAD Security Groups

Up to 5,000 dynamic groups per tenant.

Nesting is not supported: a dynamic group cannot contain other security groups and cannot be nested inside a static one.

3. Distribution AAD Groups

Used for email and calendars, not security.

4. O365 Groups/Teams Groups

They can contain (inherit) O365 groups or AAD security groups.  They are managed by the business within the org, so it is not the best idea to hang heavy security on manually managed Teams.

Resolution:

I have a full hierarchy of users within divisions and subdivisions.  I add users statically, via automation, to their lowest-level AAD security group, then nest each child group into its parent.  This gives me multiple groups that hold more and more users as we go up the hierarchy.  Additive groups with positive (grant-only) security give me the best options.
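Added example, not code from the post: a PowerShell sketch of the automation described above using the Microsoft Graph PowerShell SDK. It assumes the division and subdivision are held in the user attributes department and officeLocation, and the group names (SG-division-subdivision) and the sample hierarchy are made up for the example.

```powershell
# Added example (not from the original post): build the additive static-group
# hierarchy with the Microsoft Graph PowerShell SDK.
# Assumptions: division lives in 'department', subdivision in 'officeLocation'
# (swap in whatever attributes your tenant actually uses), and the account
# running this holds Group.ReadWrite.All and User.Read.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Constructed sample hierarchy: division -> subdivisions
$Hierarchy = @{
    "Finance" = @("Tax", "Treasury")
    "Legal"   = @("Contracts")
}

function Get-OrCreateSecurityGroup([string]$Name) {
    $g = Get-MgGroup -Filter "displayName eq '$Name'"
    if ($g) { return $g }
    New-MgGroup -DisplayName $Name -MailEnabled:$false -SecurityEnabled `
        -MailNickname ($Name -replace '[^A-Za-z0-9]', '')
}

function Add-MemberIfMissing([string]$GroupId, [string]$ObjectId) {
    # Idempotent: re-running the script must not fail on existing members
    $existing = Get-MgGroupMember -GroupId $GroupId -All | Select-Object -ExpandProperty Id
    if ($existing -notcontains $ObjectId) {
        New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $ObjectId
    }
}

foreach ($division in $Hierarchy.Keys) {
    $parent = Get-OrCreateSecurityGroup "SG-$division"
    foreach ($sub in $Hierarchy[$division]) {
        $leaf = Get-OrCreateSecurityGroup "SG-$division-$sub"
        # 1. Users are added statically to their lowest-level group only
        $users = Get-MgUser -All -Property Id,UserPrincipalName `
            -Filter "department eq '$division' and officeLocation eq '$sub'"
        foreach ($u in $users) { Add-MemberIfMissing $leaf.Id $u.Id }
        # 2. The leaf is nested into its parent; the parent's effective
        #    membership becomes the union of its children (additive, grant-only)
        Add-MemberIfMissing $parent.Id $leaf.Id
    }
}

# Check: transitive membership grows as you go up the hierarchy
foreach ($division in $Hierarchy.Keys) {
    $parent = Get-MgGroup -Filter "displayName eq 'SG-$division'"
    $users = Get-MgGroupTransitiveMember -GroupId $parent.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
    "SG-$division resolves to $($users.Count) users via nested groups"
}
```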

Future Wishes:

If only Entra supported more dynamic AAD groups per tenant, or allowed dynamic groups to be nested in static AAD groups.



Sunday, 2 June 2024

AAD/EntraID with Power Platform and SharePoint Guidance

Overview

Keeping a clean hierarchical Active Directory (AD) is essential to managing permissions and having good governance in the Power Platform. This post outlines the key core concepts of securing your platforms.

Power Platform is managed at three levels:

  1. App (model-driven, canvas or Power Pages)
  2. Environment (the user needs permissions to the tenant environment)
  3. Source (Dataverse, SQL, SharePoint)

AAD/EntraId

Azure Active Directory (AAD) is the backbone of permissions in the Power Platform. Security groups are normally well set up within AD, but when creating a new group I tend to use "Microsoft 365" groups to handle permissions.

The process is to add users to groups (Security or Microsoft 365) and then grant permissions to the group.  Security groups can be managed dynamically, i.e. if you are in a division you automatically belong to a security group, or users can be added individually (there is also a bulk upload).

This keeps management simple, as the Microsoft groups and Security groups can be reused to grant various apps and reports permissions.

Tip: You cannot use distribution groups to assign rights to SharePoint or Power Platform.