A series of baseline definitions for Azure AD groups - GraphAPIConfig

This post continues the coverage of the GraphAPIConfig repo, which contains a set of baseline recommended configurations for the Graph API. This is set up as a template, so you can duplicate this and modify as appropriate. Please always grab the latest versions from GitHub.

Six Azure AD groups are used within the Conditional Access and Endpoint Manager (Intune) pipelines. They are nested inside the inclusion and exclusion groups that are created for the Conditional Access and Endpoint Manager policies.

The currently defined groups are:

All Users
All Guests
All Devices
All Windows Devices
SVC-CA; Exclude from all Conditional Access policies
SVC-EM; Exclude from all Endpoint Manager device policies
SVC-EM; Exclude from all Endpoint Manager user policies

The definitions of these groups are available in the GraphAPIConfig template repo in GitHub. Defining these groups, rather than using the built-in “All Users” option within Conditional Access, allows each policy to be customised more precisely.

These groups are created by the PowerShell Group and Group relationship functions I wrote, which call the Graph API and are deployed in an Azure DevOps pipeline.

Each group requires a mailNickname. Where the definition file does not include one, it is generated when the pipeline executes.
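As an added example (not the GraphAPIConfig repo's own functions), the following PowerShell creates a group from one of the JSON definition files on this page, checks that dynamic and assigned definitions are internally consistent, generates mailNickname when the file omits it, and is idempotent on displayName. The function name New-GraphGroupFromDefinition and the $AccessToken parameter (a Graph token with Group.ReadWrite.All) are assumptions.

```powershell
# Added example, not the repo's own code. Assumes $AccessToken holds a Graph
# access token granted Group.ReadWrite.All.
function New-GraphGroupFromDefinition {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$AccessToken
    )
    $def = Get-Content -Path $Path -Raw | ConvertFrom-Json

    # A dynamic group must carry a rule; an assigned (exclusion) group must not,
    # so a break-glass exclusion group can never be populated by a query.
    $isDynamic = $def.groupTypes -contains 'DynamicMembership'
    if ($isDynamic -and [string]::IsNullOrWhiteSpace($def.membershipRule)) {
        throw "Dynamic group '$($def.displayName)' has no membershipRule"
    }
    if (-not $isDynamic -and -not [string]::IsNullOrWhiteSpace($def.membershipRule)) {
        throw "Assigned group '$($def.displayName)' must not define a membershipRule"
    }

    # Graph requires mailNickname; derive one from displayName if the file omits it
    # (alphanumerics only, capped at 64 characters).
    if ([string]::IsNullOrWhiteSpace($def.mailNickname)) {
        $nick = $def.displayName -replace '[^A-Za-z0-9]', ''
        $nick = $nick.Substring(0, [Math]::Min(64, $nick.Length))
        $def | Add-Member -NotePropertyName mailNickname -NotePropertyValue $nick -Force
    }

    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
    $graph = 'https://graph.microsoft.com/v1.0'

    # Idempotency: reuse an existing group with the same displayName rather than
    # creating a duplicate on every pipeline run. Single quotes are doubled for OData.
    $name = $def.displayName -replace "'", "''"
    $existing = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$graph/groups?`$filter=displayName eq '$name'"
    if ($existing.value.Count -gt 0) { return $existing.value[0] }

    $body = $def | ConvertTo-Json -Depth 5
    return Invoke-RestMethod -Method Post -Headers $headers -Uri "$graph/groups" -Body $body
}
```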

All Users

This definition is available here: All Users, which you can access from my GitHub.

This has a dynamic query that includes all users (including members and external users) within the Azure AD tenant.

Used to target Azure AD Conditional Access and Endpoint Manager App Protection policies.

Example below:

{
  "description": "Dynamic query that includes all users (including guests and external users) within the directory",
  "displayName": "All Users",
  "groupTypes": [
    "DynamicMembership"
  ],
  "mailEnabled": false,
  "membershipRule": "(user.objectId -ne null)",
  "membershipRuleProcessingState": "On",
  "securityEnabled": true
}

All Guests

This definition is available here: All Guests, which you can access from my GitHub.

This has a dynamic query that includes all guests (that is, all external users, excluding members) within the Azure AD tenant.

Used to target Azure AD Conditional Access policies.

Example below:

{
  "description": "Dynamic query that includes all guests (including external users) within the directory",
  "displayName": "All Guests",
  "groupTypes": [
    "DynamicMembership"
  ],
  "mailEnabled": false,
  "membershipRule": "(user.userType -ne \"member\")",
  "membershipRuleProcessingState": "On",
  "securityEnabled": true
}

All Devices

This definition is available here: All Devices, which you can access from my GitHub.

This has a dynamic query that includes all devices within the Azure AD tenant.

Example below:

{
  "description": "Dynamic query that includes all devices within the directory",
  "displayName": "All Devices",
  "groupTypes": [
    "DynamicMembership"
  ],
  "mailEnabled": false,
  "membershipRule": "(device.deviceId -ne null)",
  "membershipRuleProcessingState": "On",
  "securityEnabled": true
}

All Windows Devices

This definition is available here: All Windows Devices, which you can access from my GitHub.

This has a dynamic query that includes all Windows devices within the Azure AD tenant.

Used to target Endpoint Manager Device Compliance for Windows policy.

Example below:

{
  "description": "Dynamic query that includes all Windows devices within the directory",
  "displayName": "All Windows Devices",
  "groupTypes": [
    "DynamicMembership"
  ],
  "mailEnabled": false,
  "membershipRule": "(device.deviceId -ne null) and (device.deviceOSType -eq \"Windows\")",
  "membershipRuleProcessingState": "On",
  "securityEnabled": true
}

SVC-CA; Exclude from all Conditional Access policies

This definition is available here: SVC-CA; Exclude from all Conditional Access policies, which you can access from my GitHub.

This is an assigned group to which accounts that should be excluded from all Conditional Access policies, such as break-glass accounts, can be added.

Example below:

{
  "description": "Contains the Break Glass accounts and any other account that should all be excluded from Conditional Access",
  "displayName": "SVC-CA; Exclude from all Conditional Access Policies",
  "mailEnabled": false,
  "securityEnabled": true
}

SVC-EM; Exclude from all Endpoint Manager device policies

This definition is available here: SVC-EM; Exclude from all Endpoint Manager device policies, which you can access from my GitHub.

This is an assigned group to which accounts that should be excluded from all Endpoint Manager device policies, such as break-glass accounts, can be added.

It’s important to remember that for Endpoint Manager, you cannot mix users and devices in the same group.

Example below:

{
  "description": "Contains the Break Glass accounts and any other account that should all be excluded from Endpoint Manager",
  "displayName": "SVC-EM; Exclude from all Endpoint Manager Device Policies",
  "mailEnabled": false,
  "securityEnabled": true
}

SVC-EM; Exclude from all Endpoint Manager user policies

This definition is available here: SVC-EM; Exclude from all Endpoint Manager user policies, which you can access from my GitHub.

This is an assigned group to which accounts that should be excluded from all Endpoint Manager user policies, such as break-glass accounts, can be added.

It’s important to remember that for Endpoint Manager, you cannot mix users and devices in the same group.

Example below:

{
  "description": "Contains the Break Glass accounts and any other account that should all be excluded from Endpoint Manager",
  "displayName": "SVC-EM; Exclude from all Endpoint Manager User Policies",
  "mailEnabled": false,
  "securityEnabled": true
}
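As an added example (not the repo's own Group relationship functions), the following PowerShell adds a member to one of the SVC-EM exclusion groups while enforcing the rule stated for both Endpoint Manager groups above: a group must not mix users and devices. The function name Add-GraphGroupMemberChecked and the $AccessToken parameter (a Graph token with GroupMember.ReadWrite.All) are assumptions.

```powershell
# Added example, not the repo's own code. Assumes $AccessToken holds a Graph
# access token granted GroupMember.ReadWrite.All.
function Add-GraphGroupMemberChecked {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$MemberId,
        [Parameter(Mandatory)][ValidateSet('users', 'devices')][string]$MemberType,
        [Parameter(Mandatory)][string]$AccessToken
    )
    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
    $graph = 'https://graph.microsoft.com/v1.0'

    # Walk every page of current members; Graph tags each with its @odata.type.
    $types = @(); $ids = @()
    $uri = "$graph/groups/$GroupId/members?`$select=id"
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Headers $headers -Uri $uri
        $types += @($page.value.'@odata.type')
        $ids += @($page.value.id)
        $uri = $page.'@odata.nextLink'
    }

    # Refuse to add a user to a device group or a device to a user group, since
    # Endpoint Manager assignments cannot target a group that mixes the two.
    $wanted = if ($MemberType -eq 'users') { '#microsoft.graph.user' } else { '#microsoft.graph.device' }
    $other = @($types | Sort-Object -Unique | Where-Object { $_ -ne $wanted })
    if ($other.Count -gt 0) {
        throw "Group $GroupId already contains $($other -join ', '); refusing to mix users and devices"
    }

    # Idempotent: adding an existing member would otherwise return HTTP 400.
    if ($ids -contains $MemberId) { return }

    $body = @{ '@odata.id' = "$graph/$MemberType/$MemberId" } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Headers $headers -Uri "$graph/groups/$GroupId/members/`$ref" -Body $body
}
```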