In collaboration with Microsoft MVP Joel Oleson, based on a recent webinar that we jointly delivered. It was difficult enough to keep Active Directory group memberships secure and accurate before Microsoft Azure Active Directory/Microsoft 365 which throws new group types and group settings into the mix. Today’s hybrid environments more than double the potential for errors and security issues related to group management. Because the number of groups has more than doubled, the administrative burden is now higher than ever. While the task of creating a group or putting a user into a group is not difficult, keeping up with the volume of group changes (on-premises and in cloud), and the fact that it’s not done automatically is quite challenging for many of the IT professionals I’ve spoken with over the years.
Potential CostsOrganizations that are unable to keep groups accurate may find themselves facing catastrophic consequences related to security and compliance. Beyond the obvious cost of a breach, service outage or a regulatory fine, there is also cost in terms of lost productivity or lost reputation that can be equally damaging. Groups give directory accounts power because they assign permissions in the Microsoft model. Due to this, you must be incredibly careful about who is in a group and who, ultimately, has access to the resources on which your business runs.
How Groups Become CompromisedIt’s no wonder that group management can become a security threat. Groups can have incredible power, but at the same time, some groups are so innocuous that adding people (and/or not keeping up with the daily changes) seems insignificant. For example, you most likely don’t care much about how many people get access to a company newsletter. But for other content, perhaps something that is compliance sensitive, it’s a completely different story. To make matters worse, in many organizations, there are more groups than IT has resources to keep up. We find in our customer environments, it’s common to see more groups than users, and each user might end up being a member of 50 or more different groups. In addition to all of that, consider the following points: Accuracy is hard to maintain. Especially if you have high turnover or a heavy amount of organizational changes and shifts. Maintaining group accuracy in organizations with such frequent moves is difficult due to the volume of changes. For example, was guest access granted but never revoked? Unfortunately, if your groups are inaccurate, then your access grants are inaccurate. Group membership is more often granted than revoked. With no way to easily track why a user was added to a group, later when it comes time to clean-up group membership members are left in the group for fear of revoking the wrong person’s access. Over time the number of group memberships increases for users putting security and compliance goals further at risk. Group cleanup is often ignored until something breaks. It’s human nature to let maintenance items slip. Group management is no different, and I’ve talked to many IT people over the years who only realized that they had an out-of-date group when someone called to say they cannot get access they expected. The story is worse if the “realization event” is a security breach or compliance failure.
Keys to SuccessThere are numerous approaches to streamline group management, making it easier to keep your groups accurate and ensure that they’re always up to date. And this can be done without creating a straining workload for your IT administration team.
Define a Hybrid Management Group Strategy
Plan Self Service or IT Led Group Management with Oversight
Provision Groups with Governance and Lifecycle in Mind
- Assign AD owners to Groups directly in Active Directory using the Active Directory Users and Computers console. A Group owner can be a user or a group with several members.
- Use Exchange on-premises console to assign owners and secondary owners.
- Use Exchange online to assign owners to cloud-based groups.
- For other groups (unified groups) in Office 365 online you can also assign ownership.
Use Group Lifecycle Management
Clean up: Archive or Delete Obsolete Groups