In collaboration with Microsoft MVP Joel Oleson, based on a recent webinar that we jointly delivered.
It was difficult enough to keep Active Directory group memberships secure and accurate before Microsoft Azure Active Directory and Microsoft 365 added new group types and group settings to the mix. Today’s hybrid environments more than double the potential for errors and security issues related to group management, and because the number of groups has more than doubled, the administrative burden is higher than ever.
While creating a group or adding a user to a group is not difficult, keeping up with the volume of group changes (on-premises and in the cloud), none of which happens automatically, is a real challenge for many of the IT professionals I’ve spoken with over the years.
Organizations that are unable to keep groups accurate may find themselves facing catastrophic consequences related to security and compliance. Beyond the obvious cost of a breach, a service outage or a regulatory fine, there are also costs in lost productivity and lost reputation that can be equally damaging.
Groups give directory accounts power because they assign permissions in the Microsoft model. Due to this, you must be incredibly careful about who is in a group and who, ultimately, has access to the resources on which your business runs.
How Groups Become Compromised
It’s no wonder that group management can become a security threat. Groups can have incredible power, but at the same time, some groups are so innocuous that adding people (and/or not keeping up with the daily changes) seems insignificant. For example, you most likely don’t care much about how many people get access to a company newsletter. But for other content, perhaps something that is compliance sensitive, it’s a completely different story.
To make matters worse, in many organizations there are more groups than IT has the resources to keep up with. In our customer environments it’s common to see more groups than users, and each user might end up being a member of 50 or more different groups.
In addition to all of that, consider the following points:
Accuracy is hard to maintain.
Especially if you have high turnover or a heavy amount of organizational changes and shifts. Maintaining group accuracy in organizations with such frequent moves is difficult due to the volume of changes. For example, was guest access granted but never revoked? Unfortunately, if your groups are inaccurate, then your access grants are inaccurate.
Group membership is more often granted than revoked.
With no easy way to track why a user was added to a group, later, when it comes time to clean up group membership, members are left in the group for fear of revoking the wrong person’s access. Over time the number of group memberships per user grows, putting security and compliance goals further at risk.
Group cleanup is often ignored until something breaks.
It’s human nature to let maintenance items slip. Group management is no different, and I’ve talked to many IT people over the years who only realized that they had an out-of-date group when someone called to say they cannot get access they expected. The story is worse if the “realization event” is a security breach or compliance failure.
Keys to Success
There are numerous approaches to streamline group management, making it easier to keep your groups accurate and ensure that they’re always up to date. And this can be done without overloading your IT administration team.
Define a Hybrid Management Group Strategy
If you rewind even a few years, this advice would have been “try to stay on-premises unless something forces you to the cloud”; today that advice seems much less useful than it once did. Most organizations now run hybrid environments, and it’s critical for IT teams to have a strategy for on-prem security groups and Microsoft 365 groups built on a least-privilege/zero-trust model.
It’s also important to understand the native tools available to them, like Azure AD Connect and others, to define a strategy and philosophy that can be followed for managing users and groups.
Plan Self Service or IT Led Group Management with Oversight
You can – and you should – delegate group management where possible. That said, it’s critical that you delegate tasks to users carefully and use caution regarding what control you do (and do not) give, especially in a hybrid environment.
Consider the example of a Help Desk, which is likely going to see all groups because of the flatness of the directory structure (i.e., they don’t have organizational units). Do you really want your help desk to be able to access any Microsoft 365 group?
Provision Groups with Governance and Lifecycle in Mind
Doing so, of course, means that somebody must make sure that each group has a person responsible for it. There are different ways to do this.
- Assign AD owners to Groups directly in Active Directory using the Active Directory Users and Computers console. A Group owner can be a user or a group with several members.
- Use Exchange on-premises console to assign owners and secondary owners.
- Use Exchange online to assign owners to cloud-based groups.
- For other groups (unified groups) in Office 365 online you can also assign ownership.
Regardless of how you assign group owners, it’s important to audit the group changes. Make sure you have a good approach to audit changes to your groups, including adds, removes, etc. on the Windows side. Whether you use the Windows event log or you have a change auditing solution, please make sure you’re watching, auditing and reporting those events so you can go back and see who added whom to which groups.
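As an added example (not part of the original post), the following PowerShell pulls group membership changes straight from the Windows Security log on a domain controller and summarizes who added or removed whom from which group. It assumes "Audit Security Group Management" is enabled in the audit policy, that it runs on a DC (or is pointed at one with -ComputerName), and the sensitive-group list at the end is a constructed starting point for you to extend.

```powershell
# Added example: summarize security-group membership changes from the
# Security event log. Event IDs are the standard Windows membership events.
$memberEvents = @{
    4728 = 'Added to global group';     4729 = 'Removed from global group'
    4732 = 'Added to local group';      4733 = 'Removed from local group'
    4756 = 'Added to universal group';  4757 = 'Removed from universal group'
}

$since = (Get-Date).AddDays(-7)       # look-back window; adjust as needed

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$memberEvents.Keys
    StartTime = $since
} -ErrorAction SilentlyContinue

# Each event's EventData carries named fields; read them from the XML so the
# script does not depend on the positional order of event properties.
$changes = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = $memberEvents[$e.Id]
        Group     = $data['TargetUserName']
        Member    = $data['MemberName']      # DN of the account added/removed
        ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        DC        = $e.MachineName
    }
}

# Full list for review, oldest first.
$changes | Sort-Object Time | Format-Table -AutoSize

# Export changes to groups you consider sensitive for reporting/escalation.
# Constructed starting list; add your own compliance-sensitive groups.
$sensitive = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators'
$changes | Where-Object { $sensitive -contains $_.Group } |
    Export-Csv -Path .\sensitive-group-changes.csv -NoTypeInformation
```

Because this reads the local Security log, run it on each domain controller (or collect the logs centrally first); membership changes are logged on the DC that processed them, not replicated as events.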
Another simple strategy here is to use meaningful descriptions on group objects that clearly indicate what the group does, in order to make it easier to assign ownership. Without them, you may have no good way to get a true sense of everything a group may grant access to.
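As an added example covering both the ownership options listed above and the advice on descriptions (not code from the original post), this PowerShell reports every AD group that has no owner or no description, assigns an owner with the managedBy attribute, and shows the equivalent Exchange Online step for a Microsoft 365 group. The group name, the owner account and the e-mail address are constructed placeholders.

```powershell
# Added example: find groups lacking an owner or description, then assign an
# owner. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# 1. Groups with no managedBy value (no recorded owner).
$unowned = Get-ADGroup -LDAPFilter '(!(managedBy=*))' -Properties managedBy, description |
    Select-Object Name, GroupCategory, GroupScope, Description
"$($unowned.Count) groups have no owner:"
$unowned | Format-Table -AutoSize

# 2. Groups with no description; without one it is hard to judge what the
#    group grants access to, let alone who should own it.
$undescribed = Get-ADGroup -LDAPFilter '(!(description=*))' |
    Select-Object Name, GroupCategory, GroupScope
"$($undescribed.Count) groups have no description:"
$undescribed | Format-Table -AutoSize

# 3. Assign an owner. managedBy accepts a user DN or a group DN; pointing it
#    at a group spreads responsibility across several people.
$groupToFix = 'FinanceReports-RW'                                # assumed group
$ownerDN    = (Get-ADUser -Identity 'jdoe').DistinguishedName    # assumed account
Set-ADGroup -Identity $groupToFix -ManagedBy $ownerDN `
    -Description 'Read/write access to the quarterly finance report share'  # assumed text

# 4. Verify the change.
Get-ADGroup -Identity $groupToFix -Properties managedBy, description |
    Select-Object Name, managedBy, Description

# 5. For a Microsoft 365 (unified) group, ownership is set in Exchange Online.
#    Needs the ExchangeOnlineManagement module; an owner must also be a member.
# Connect-ExchangeOnline
# Add-UnifiedGroupLinks -Identity 'Finance Team' -LinkType Members -Links 'jdoe@contoso.com'
# Add-UnifiedGroupLinks -Identity 'Finance Team' -LinkType Owners  -Links 'jdoe@contoso.com'
```

Note that managedBy is informational in AD unless you also grant the owner write access to the member attribute; it records who is accountable, which is what the lifecycle steps below rely on.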
Use Group Lifecycle Management
Periodically audit groups and review ownership and usage, and ensure that group owners regularly review group membership. There are different approaches you can take, but one simple tactic is to do it by email or survey. Send each group owner a list of the groups they own and ask questions that make sense for your organization. It could be as simple as “Do you still need this group?”
If you have any security concern around the membership of any of your groups or distribution lists, or any of the groups you own are subject to legal or regulatory compliance, then you may also want to ask group owners to certify the membership. Doing this helps reinforce that the owner is responsible for the membership and for the compliance burden. You don’t want IT to be responsible for who has access to unannounced financial results for the next quarter.
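The email-based review described above, as an added example that is not from the original post: this PowerShell builds one attestation request per group owner, listing each owned group with its current members and the review questions, and sends it by e-mail. The SMTP server and sender address are constructed placeholders, and the script defaults to printing the messages rather than sending them.

```powershell
# Added example: per-owner group attestation e-mails built from managedBy.
Import-Module ActiveDirectory

$smtpServer = 'smtp.corp.example'            # assumed
$from       = 'it-governance@corp.example'   # assumed
$dryRun     = $true                          # set to $false to actually send

# Collect every group that has an owner and bucket them by owner DN.
$owned   = Get-ADGroup -LDAPFilter '(managedBy=*)' -Properties managedBy, description, whenChanged
$byOwner = $owned | Group-Object managedBy

foreach ($o in $byOwner) {
    $owner = Get-ADObject -Identity $o.Name -Properties mail, displayName
    if (-not $owner.mail) {
        Write-Warning "Owner $($owner.displayName) has no mail attribute; skipping"
        continue
    }

    # One section per owned group, with the membership flattened for review.
    $sections = foreach ($g in $o.Group) {
        $members = Get-ADGroupMember -Identity $g -Recursive |
            Select-Object -ExpandProperty SamAccountName
        @"
Group: $($g.Name)  [$($g.GroupCategory)/$($g.GroupScope)]
Description: $($g.Description)
Last changed: $($g.whenChanged)
Members ($($members.Count)): $($members -join ', ')
Questions: Do you still need this group? Is every member still appropriate?
"@
    }

    $body = @"
Hello $($owner.displayName),

You are recorded as the owner of the group(s) below. Please reply confirming
that the membership is correct, or list the changes that are needed.

$($sections -join "`n`n")
"@

    $mail = @{
        To = $owner.mail; From = $from; SmtpServer = $smtpServer
        Subject = 'Group membership review'; Body = $body
    }
    if ($dryRun) { Write-Host "Would send to $($owner.mail):`n$body`n" }
    else         { Send-MailMessage @mail }
}
```

Keep the replies (or a CSV of who certified what and when); that record is what demonstrates to an auditor that the owner, not IT, signed off on the membership.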
Clean up: Archive or Delete Obsolete Groups
It takes some effort, but it’s important to clean up groups as you go. If you find a number of empty groups that you don’t need, you can get rid of them in a safe manner, without requiring a complicated recovery scenario to recover a deleted group’s security ID.
Active Directory has two types of group: regular security groups, which most people are familiar with, and distribution groups (non-Exchange DLs), which are simple lists that cannot be used to grant access to resources.
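As an added example of the “clean up safely” approach (not from the original post), this PowerShell finds security groups that are empty and have not changed in a while, stamps and moves them into an archive OU so the object and its SID survive, and only deletes groups that have sat in the archive past a grace period. The archive OU path and the day thresholds are constructed placeholders; the delete step runs with -WhatIf until you remove it.

```powershell
# Added example: archive-then-delete lifecycle for empty, stale security groups.
Import-Module ActiveDirectory

$archiveOU = 'OU=Archived Groups,OU=Groups,DC=corp,DC=example'   # assumed
$staleDays = 90      # unchanged this long before archiving
$graceDays = 180     # parked in the archive this long before deletion
$now       = Get-Date

# Candidates: security groups, no members, not built-in/protected objects,
# not already in the archive OU, and unchanged for $staleDays.
$candidates = Get-ADGroup -Filter 'GroupCategory -eq "Security"' `
        -Properties Members, whenChanged, isCriticalSystemObject, description |
    Where-Object {
        -not $_.Members -and
        -not $_.isCriticalSystemObject -and
        $_.DistinguishedName -notlike "*,$archiveOU" -and
        $_.whenChanged -lt $now.AddDays(-$staleDays)
    }

"Empty, stale security groups: $($candidates.Count)"
$candidates | Select-Object Name, GroupScope, whenChanged | Format-Table -AutoSize

# Archive: keep the object (and its SID) but record when and why it was parked.
foreach ($g in $candidates) {
    $stamp = "ARCHIVED $($now.ToString('yyyy-MM-dd')) empty/stale; was: $($g.Description)"
    Set-ADGroup  -Identity $g -Description $stamp
    Move-ADObject -Identity $g -TargetPath $archiveOU
}

# Delete only groups archived longer than the grace period.
# Remove -WhatIf once the list has been reviewed.
Get-ADGroup -SearchBase $archiveOU -Filter * -Properties description |
    Where-Object {
        $_.Description -match '^ARCHIVED (\d{4}-\d{2}-\d{2})' -and
        ([datetime]$Matches[1]) -lt $now.AddDays(-$graceDays)
    } |
    Remove-ADGroup -Confirm:$false -WhatIf
```

Because a group that is merely moved keeps its SID, anything that still references it (an ACL you missed, a nested membership) can be restored by moving it back, which is the “safe manner” the text refers to; a hard delete is reserved for groups nobody has asked about during the grace period.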
Properly managing and maintaining groups in a secure, efficient way can be difficult without the right tools. Cayosoft Dynamic Groups keeps groups accurate and eliminates errors. Granular membership rules for groups automatically update memberships when changes occur, allowing administrators to concentrate on more important issues.
To deep dive on group management, check out our on-demand webinar with Microsoft MVP Joel Oleson.