How to Set Up Microsoft 365 | Step 1: Security Groups
As IT providers, we have a lot of precise configurations to keep track of when setting up a client’s Microsoft 365 suite. It is super easy to miss a step along the way, but incredibly hard to retrace your steps and find where you went wrong.
The best way to mitigate and remediate errors is to have a well documented set of baselines to follow when setting up Microsoft. With standard operating procedures easily accessible, technicians have a step-by-step guide for setup as well as a way to document their process.
Here at 917 Solutions, we have created one of the most in-depth runbooks containing all of the baseline configurations for Microsoft 365.
We call this our “Golden Tenant”. This guide walks you through the Microsoft setup process from start to finish, with explanations as well as templates to fill out while documenting your progress. For the first installment of this series, we dive into security groups. To keep things moving, we start by frontloading configurations that later parts of the guide depend on.
Pre-Requisites
Have a way to document your process
For intricate installs like a new Intune, Entra, and Defender suite, it is easy to get lost in the process. It is crucial to have a means of documenting your work; that way you don’t lose your place and can work collaboratively.
We have a template designed for this exact purpose.
You can either fill it out while simultaneously working within Microsoft, or fill out the spreadsheet after configuration as a way to check your work.
Naming Convention Format
The naming convention format that we follow is:
ℹ️ Tool – Device/Application – Group Type – Description (devices or users)
EX: MDE-Win_Static-Test Users translates to Microsoft Defender for Endpoint security group for Windows devices specifically for manually assigned Test Users.
Feel free to rip and replace with your own naming convention or the security group title, whichever is easier.
Dynamic Security Groups vs Assigned Security Groups
Our guide includes a combination of both Dynamic Device and Dynamic User security groups along with your standard manually Assigned Security groups.
Using Dynamic security groups, you can automate the assignment of Devices and Users with a dynamic query: whenever an object matches the query's conditions, the user or device is automatically added to the group (and removed again when it stops matching). This is the real magic of security groups in Microsoft 365. Dynamic queries handle user and device assignments for you, automating what would otherwise be tedious manual work.
NOTE: Never assign a dynamic query to maintain privileged roles, like Global Administrator or Subscription Owners. For those, use PIM (Privileged Identity Management) to control escalations safely.
We typically use assigned security groups for manually maintaining a user or device group for testing or just onesy-twosy management.
For the purpose of this guide, we will create all of the security groups that you will need upfront to save you time from having to switch back and forth within the guide.
Create Intune Groups for Users and Devices
The following security groups are to be used for assigning Users or Devices to various Configuration Profiles and Compliance Policies within Intune. Any groups that require manual assignment typically fall within the category of test or pilot devices.
To get started, navigate to entra.microsoft.com, expand Entra ID, and click Groups.
Devices Enrolled via Autopilot
Group Type: Security
Group Name: 917-Intune-Win_Autopilot devices
Microsoft Roles: No
Membership Type: Dynamic Device
Owners: No member selected
Members: Will automatically populate based on Dynamic Query
Dynamic Query:
(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))
Devices Enrolled as Company Owned
Group Type: Security
Group Name: 917-Intune-Win_Company devices
Microsoft Roles: No
Membership Type: Dynamic Device
Owners: No member selected
Members: Will automatically populate based on Dynamic Query
Dynamic Query:
(device.deviceOwnership -eq "Company") and (device.deviceOSType -eq "Windows")
Devices Enrolled as Entra ID Joined
Group Type: Security
Group Name: 917-Intune-Win_Entra ID Joined devices
Microsoft Roles: No
Membership Type: Dynamic Device
Owners: No member selected
Members: Will automatically populate based on Dynamic Query
Dynamic Query:
(device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "AzureAD")
Devices Enrolled as Hybrid Entra ID Joined
Group Type: Security
Group Name: 917-Intune-Win_Hybrid Entra ID Joined devices
Microsoft Roles: No
Membership Type: Dynamic Device
Owners: No member selected
Members: Will automatically populate based on Dynamic Query
Dynamic Query:
(device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "ServerAD")
Devices Enrolled as BYOD Personal
Group Type: Security
Group Name: 917-Intune-Win_BYOD devices
Microsoft Roles: No
Membership Type: Dynamic Device
Owners: No member selected
Members: Will automatically populate based on Dynamic Query
Dynamic Query:
(device.deviceOwnership -eq "Personal") and (device.deviceOSType -eq "Windows")
Corporate Test Devices
Group Type: Security
Group Name: 917-Intune-Win_Test devices
Microsoft Roles: No
Membership Type: Assigned
Owners: No member selected
Members: Any corporate owned devices that are used for testing
Corporate Pilot Devices
Group Type: Security
Group Name: 917-Intune-Win_Pilot devices
Microsoft Roles: No
Membership Type: Assigned
Owners: No member selected
Members: Any corporate owned devices that are used for piloting
Microsoft Defender for Endpoint Windows Enrolled Devices
Group Type: Security
Group Name: 917-MDE-Win_Enrolled Devices
Microsoft Roles: No
Membership Type: Dynamic Device
Owners: No member selected
Members: —
Dynamic Query:
(device.managementType -eq "MicrosoftSense") and (device.deviceOSType -eq "Windows Server")
Microsoft Defender for Endpoint Windows Servers
Group Type: Security
Group Name: 917-MDE-Win_Windows Servers
Microsoft Roles: No
Membership Type: Dynamic Device
Owners: No member selected
Members: —
Corporate Test Users
Group Type: Security
Group Name: 917-Intune-Users_Test Users
Microsoft Roles: No
Membership Type: Assigned
Owners: No member selected
Members: Any corporate employees that are testing Intune
Corporate Pilot Users
Group Type: Security
Group Name: 917-Intune-Users_Pilot Users
Microsoft Roles: No
Membership Type: Assigned
Owners: No member selected
Members: Any corporate employees that are piloting Intune
Microsoft Defender for Endpoint Test Users
Group Type: Security
Group Name: 917-MDE_Test Users
Microsoft Roles: No
Membership Type: Assigned
Owners: No member selected
Members: Any corporate employees that are testing the impact of policies applied by Microsoft Defender for Endpoint
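The group definitions above can be created by hand in the portal, but a runbook is easier to reproduce (and to check against your documentation template) when the same definitions drive a script. The following is an added example, not part of the 917 Solutions runbook: it creates the Intune device and user groups listed above with the Microsoft Graph PowerShell SDK, using the runbook's own names and dynamic queries. It assumes the Microsoft.Graph.Groups module is installed and the signed-in account holds the Group.ReadWrite.All scope; the `$Prefix` variable and the mail nickname derivation are our choices so you can swap in your own naming convention.

```powershell
# Added example (not from the runbook): provision the Step 1 Intune groups from a
# definition table. Assumes Microsoft.Graph.Groups and Group.ReadWrite.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome

$Prefix = "917"   # assumption: swap in your own tool/client prefix

# Each entry: display-name suffix, membership type, and (for dynamic groups) the rule
# exactly as it appears in the runbook. Assigned groups get no rule.
$Definitions = @(
    @{ Name = "Intune-Win_Autopilot devices";              Type = "DynamicDevice"; Rule = '(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))' }
    @{ Name = "Intune-Win_Company devices";                Type = "DynamicDevice"; Rule = '(device.deviceOwnership -eq "Company") and (device.deviceOSType -eq "Windows")' }
    @{ Name = "Intune-Win_Entra ID Joined devices";        Type = "DynamicDevice"; Rule = '(device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "AzureAD")' }
    @{ Name = "Intune-Win_Hybrid Entra ID Joined devices"; Type = "DynamicDevice"; Rule = '(device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "ServerAD")' }
    @{ Name = "Intune-Win_Test devices";                   Type = "Assigned" }
    @{ Name = "Intune-Win_Pilot devices";                  Type = "Assigned" }
    @{ Name = "Intune-Users_Test Users";                   Type = "Assigned" }
    @{ Name = "Intune-Users_Pilot Users";                  Type = "Assigned" }
    @{ Name = "MDE_Test Users";                            Type = "Assigned" }
)

foreach ($def in $Definitions) {
    $displayName = "$Prefix-$($def.Name)"

    # Idempotent: a re-run must not create duplicates with the same display name.
    $existing = Get-MgGroup -Filter "displayName eq '$displayName'"
    if ($existing) {
        Write-Host "Exists : $displayName (id=$($existing.Id))"
        continue
    }

    # mailNickname is mandatory and must be unique with no spaces; derive it from the name.
    $params = @{
        DisplayName     = $displayName
        MailEnabled     = $false
        MailNickname    = ($displayName -replace '[^A-Za-z0-9]', '')
        SecurityEnabled = $true
        Description     = "Golden Tenant baseline group (Step 1: Security Groups)"
    }

    if ($def.Type -eq "DynamicDevice") {
        # Dynamic membership is a group type plus a rule; processing must be "On"
        # or the rule is stored but never evaluated and the group stays empty.
        $params.GroupTypes                    = @("DynamicMembership")
        $params.MembershipRule                = $def.Rule
        $params.MembershipRuleProcessingState = "On"
    }

    $group = New-MgGroup @params
    Write-Host "Created: $displayName [$($def.Type)] (id=$($group.Id))"
}
```

Run it once to create the groups and again to confirm it reports every group as existing; the second pass doubles as the "check your work" step from the pre-requisites. Dynamic groups start empty and populate after Entra evaluates the rule, so give them a few minutes before judging whether a query is correct.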
Create User Groups for Easier Management in Entra ID
The following user groups should be created within Entra ID. They help when building and deploying Conditional Access policies or assigning Enterprise App registrations within the tenant, keeping each policy or assignment scoped to only the applicable users.
All Active Users
Group Type: Security
Group Name: 917-Users_All Active Users
Microsoft Roles: No
Membership Type: Dynamic User
Owners: No member selected
Members: Will automatically populate based on Dynamic Query
Dynamic Query:
(user.userType -eq "Member") and (user.accountEnabled -eq True)
All Active Guests
Group Type: Security
Group Name: 917-Guests_All Active Guests
Microsoft Roles: No
Membership Type: Dynamic User
Owners: No member selected
Members: Will automatically populate based on Dynamic Query
Dynamic Query:
(user.userType -eq "Guest")
All Service Accounts
Group Type: Security
Group Name: 917-Service-Accounts
Microsoft Roles: No
Membership Type: Assigned
Owners: No member selected
Members: A group that identifies all the service accounts in use within the organization
Dynamic Query (alternative, if you would rather make this a Dynamic User group and tag service accounts by job title):
(user.jobTitle -eq "Service Account")
Enforce MFA User Group
Group Type: Security
Group Name: 917-MFA_Required-Users
Microsoft Roles: No
Membership Type: Assigned
Owners: No member selected
Members: Any users that should have MFA enforced
If you are migrating from Per-User MFA to Conditional Access Policy MFA, this group will help facilitate that migration.
Exclude from MFA Group
Group Type: Security
Group Name: 917-MFA_Excluded-Accounts
Microsoft Roles: No
Membership Type: Assigned
Owners: No member selected
Members: Any Service Account that needs to be excluded from MFA
Any service accounts that are excluded from MFA should have a STRONG password and access restricted to a trusted IP range.
Exclude from Foreign Country Block
Group Type: Security
Group Name: 917-Foreign-Country_Excluded-Accounts
Microsoft Roles: No
Membership Type: Assigned
Owners: No member selected
Members: Any users that need to be excluded temporarily from the Foreign Country Block as they will be travelling to a foreign country
*Exclude from Conditional Access
Group Type: Security
Group Name: 917-CA_Excluded-Accounts
Microsoft Roles: No
Membership Type: Assigned
Owners: No member selected
Members: Any users that need to be excluded from global conditional access policies.
*Break Glass Administrators
Group Type: Security
Group Name: 917-WSHTF groups
Microsoft Roles: No
Membership Type: Assigned
Owners: No member selected
Members: Any Break Glass Administrators within the tenant.
Managed Service Users
Group Type: Security
Group Name: 917-Managed Service Users
Microsoft Roles: No
Membership Type: Assigned
Owners: No member selected
Members: Any users for whom 917 provides managed or co-managed services
And there you have it! Performing this step at the start of your Microsoft setup might seem premature, but frontloading these groups gives you an easy way to see how these systems tie together by the end of the deployment.
A few of the groups we create up front facilitate some of the most important pieces of securing Microsoft 365 from scratch, and this approach has worked best for us in our consulting engagements.