LeoJohnson-5897 asked SimonBurbery-9608 answered

Conditional Access for All Users versus a specific user group

Hi y'all,

At the moment, we are in a very heated discussion with our Managed Service Provider.

They are setting up Conditional Access for us, but they are using a user group in Azure AD.

So we asked: Why not on All Users, and working with exclusions?

Our MSP told us that working with groups instead of the All Users group brings more flexibility.

But in our opinion, working with a separate user group brings more administration and more risk of forgetting to enforce Conditional Access.

Could someone end this discussion and give us some advice?

Tags: windows-10-security, azure-ad-conditional-access, mem-intune-conditional-access
amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @LeoJohnson-5897 · Thank you for reaching out.

There is no right or wrong approach here. However, if feasible, when adding users to a policy or some sort of access control list, the suggestion is to always go with groups rather than adding individual users. That way, the help desk can be leveraged to control access without needing to grant them admin privileges to manage Conditional Access policies, or requiring an admin to update the policies.

Also, the Conditional Access policies won't need to be updated each time a user account gets created or needs to be added to the policy. Adding a user to the group (in scope of the policy) will apply the CA policy to the user.

Microsoft provides a What If tool in the Azure portal, so figuring out which policy will apply to a given user or application, and what conditions will apply, is not a challenge.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @LeoJohnson-5897 · Just checking if the above response helped or if you have any further questions.

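The question's worry is forgetting to enforce a policy, and this answer's point is that group scoping is manageable if you can see what applies to whom. The following script, added here as an example and not code from the thread or from Microsoft, uses the Microsoft Graph PowerShell SDK (read-only scopes, no tenant changes) to list every Conditional Access policy, whether it targets All Users or a group, and the full set of accounts that end up excluded, whether listed directly or through an exclusion group. Cmdlet names are the SDK's own; everything else is an assumption about how you want the report shaped.

```powershell
# Added example (not from the thread): audit Conditional Access policy scope.
# Requires the Microsoft Graph PowerShell SDK modules:
#   Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups, Microsoft.Graph.Users
# Read-only scopes; nothing in the tenant is modified.
Connect-MgGraph -Scopes "Policy.Read.All", "GroupMember.Read.All", "User.Read.All" -NoWelcome

# Resolve a user object id to a UPN; fall back to the raw id if the lookup fails
# (for example, a deleted account that is still referenced by a policy).
function Resolve-UserName {
    param([string]$Id)
    try { (Get-MgUser -UserId $Id -Property UserPrincipalName -ErrorAction Stop).UserPrincipalName }
    catch { $Id }
}

# Expand a group to the UPNs of its transitive user members (nested groups included).
function Get-GroupUserNames {
    param([string]$GroupId)
    Get-MgGroupTransitiveMember -GroupId $GroupId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
}

$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $u = $p.Conditions.Users
    $targetsAllUsers = $u.IncludeUsers -contains 'All'

    # Everyone excluded: directly listed accounts plus members of exclusion groups.
    # 'GuestsOrExternalUsers' is a category keyword, not an account, so it is skipped.
    $excluded = @()
    $excluded += $u.ExcludeUsers |
        Where-Object { $_ -and $_ -ne 'GuestsOrExternalUsers' } |
        ForEach-Object { Resolve-UserName $_ }
    foreach ($g in $u.ExcludeGroups) { $excluded += Get-GroupUserNames $g }
    $excluded = $excluded | Sort-Object -Unique

    [pscustomobject]@{
        Policy          = $p.DisplayName
        State           = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
        TargetsAllUsers = $targetsAllUsers
        IncludeGroups   = ($u.IncludeGroups | ForEach-Object { (Get-MgGroup -GroupId $_).DisplayName }) -join ', '
        ExcludedCount   = @($excluded).Count
        Excluded        = $excluded -join ', '
    }
}

# Summary table, then a warning for each enabled policy that is not a catch-all.
$report | Format-Table Policy, State, TargetsAllUsers, IncludeGroups, ExcludedCount -AutoSize
$report |
    Where-Object { $_.State -eq 'enabled' -and -not $_.TargetsAllUsers } |
    ForEach-Object { Write-Warning "Policy '$($_.Policy)' is enabled but not scoped to All Users" }
```

Run it from a scheduled job or a change-review step: the `Excluded` column is the list you would otherwise have to assemble by opening each exclusion group in Azure AD, and the warnings are the "did we forget a policy" check the question is asking about.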
CiciWu2-MSFT answered

I think it depends on your requirements. Let's say that as the administrator, you decide to use Azure AD Conditional Access to require multi-factor authentication (MFA) and limit authentication requests to specific networks or devices. During deployment planning, you realize that not all users can meet these requirements. For example, you may have users who work from remote offices, not part of your internal network. You may also have to accommodate users connecting using unsupported devices while waiting for those devices to be replaced. In short, the business needs these users to sign in and do their job so you exclude them from Conditional Access policies.

You can refer to the following article to see the exclusion scenarios: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Reza-Ameri answered

It depends on your requirements. In general it is a good idea to enable it for all users, but sometimes you might come into a complex scenario and difficulty in managing them, and one approach would be to enable them for a specific group. Or you may set up a group, add users from other groups into it, and test it out; when you are confident you could manage it for all users, then deploy it for all users. You may enable them group by group and observe the behavior.

SimonBurbery-9608 answered

I agree with you 100%... use a group for enabling MFA during rollout, but always plan to remove the group at the end and set to All Users. It's there as a 'catch all' which is extremely important for MFA.

Also let's say you use a 'printer' or 'teams-room' account to scan-to-email from an office, restrict them so they can only log in from their location:
1. Add the office external IP as a Named Location.
2. Exclude the printer account (or group of accounts) from the MFA policy.
3. Create a new policy targeted at the account (or group), set to 'Block' then exclude the office 'Named Location'.

Dynamic groups could also be used to automate membership - for example a group containing 'Members' that are 'Active' could be used as a policy target, reducing the chances of an administration error.

One reason I prefer adding accounts rather than groups to CA policy exclusions is that you can review who is excluded while in the policy properties without having to go to Azure AD to check the group membership. It also protects from helpdesk admin error of incorrectly adding an account to the exclusion group.

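The three steps in the answer above, written out with the Microsoft Graph PowerShell SDK as an added example; this is not code from the thread or from Microsoft. The office IP (a TEST-NET-3 address), the scanner account and the policy names are placeholders you would replace. The block policy is created in report-only mode so its effect can be checked in the sign-in logs before it is switched to enabled.

```powershell
# Added example (not from the thread): restrict a scan-to-email account to one office.
# Requires Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All" -NoWelcome

$officeIp      = "203.0.113.10/32"                  # placeholder: the office's external IP
$printerUpn    = "scanner-office1@contoso.example"  # placeholder: the printer/service account
$mfaPolicyName = "Require MFA - All Users"          # placeholder: name of the existing MFA policy
$printer       = Get-MgUser -UserId $printerUpn

# Step 1: register the office egress IP as a Named Location. It is not marked trusted;
# here it is only used as the exclusion in the block policy below.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office 1 egress"
    isTrusted     = $false
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $officeIp })
}

# Step 2: exclude the printer account from the MFA policy (it cannot complete MFA).
# The nested users object is sent complete, with the existing exclusions preserved,
# because the array values given in a PATCH replace the ones stored on the policy.
$mfa   = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$mfaPolicyName'" | Select-Object -First 1
$users = $mfa.Conditions.Users
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $mfa.Id -BodyParameter @{
    conditions = @{
        users = @{
            includeUsers  = @($users.IncludeUsers)
            includeGroups = @($users.IncludeGroups)
            includeRoles  = @($users.IncludeRoles)
            excludeUsers  = @(@($users.ExcludeUsers) + $printer.Id | Select-Object -Unique)
            excludeGroups = @($users.ExcludeGroups)
            excludeRoles  = @($users.ExcludeRoles)
        }
    }
}

# Step 3: block the printer account everywhere except the office Named Location.
# Report-only first; change state to "enabled" once the sign-in logs look right.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block scanner outside office"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @($printer.Id) }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

Because step 2 widens an exclusion on the catch-all MFA policy, the account it excludes is exactly the kind of entry the answer above recommends keeping visible in the policy properties rather than buried in a group, and it is worth re-checking whenever the office IP or the account changes.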