Creating a Conditional Access policy and applying it to a large subset of users is a project in itself. Creating the policy and gradually adding more users to it to increase adoption is perfectly fine, but new users keep arriving while you do this, and there comes a stage where you want new users to fall into the policy automatically so that the rollout can be closed out at some point.
Solutions like Dell Active Roles handle this smartly, but Azure AD dynamic membership rules don't have all the options we look for.
For example, if a dynamic group could exclude based on memberOf and add all users from a specific OU, it would be much easier to include and exclude at the group level. That is not the case yet: Azure AD dynamic rules don't support it.
So let's consider my scenario. I had already added 75% of users to my Conditional Access policy. I then created a dynamic membership rule on the distinguishedName of my on-premises users OU, which covers 100% of users, kept a static exclusion group holding the remaining 25%, and put that group into the Exclude option of the Conditional Access policy.
In this case the policy applies to all 100% of users, including new users as they are synchronised into that OU, while the 25% in the exclusion group are not subject to it, because in Conditional Access an exclusion takes precedence over an inclusion.
As we progress, simply removing members from the exclusion group brings Conditional Access adoption to 100%. This solves most Conditional Access scenarios. I'm still hoping memberOf for dynamic groups gets released to cover the other scenarios without any third-party products.
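The setup described above, written out with the Microsoft Graph PowerShell SDK as an added example (this is not code from the original post). It assumes the Microsoft.Graph module is installed, the signed-in account can manage groups and Conditional Access policies, and that the OU distinguishedName, group names, user object IDs and break-glass account ID are placeholders to be replaced with your own values.

```powershell
# Added example (not from the original post): dynamic include group + static
# exclude group behind one Conditional Access policy, using Microsoft Graph PowerShell.
# Placeholders below (OU DN, group names, object IDs) are assumptions, not real values.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: the on-premises OU whose synced users should all be in scope.
$userOu = "OU=Users,DC=corp,DC=contoso,DC=com"

# 1. Dynamic group: every synced user under that OU, including users created later.
#    -contains is a substring match in dynamic rules, so sub-OUs of $userOu match too.
$rule = '(user.onPremisesDistinguishedName -contains "' + $userOu + '")'
$includeGroup = New-MgGroup -DisplayName "CA-Scope-OnPremUsers" `
    -MailNickname "ca-scope-onpremusers" -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @("DynamicMembership") -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# 2. Static exclusion group: the users not yet onboarded (the 25% in the post).
$excludeGroup = New-MgGroup -DisplayName "CA-Exclude-PendingRollout" `
    -MailNickname "ca-exclude-pendingrollout" -MailEnabled:$false -SecurityEnabled

# Placeholder object IDs of users still waiting to be onboarded.
$pendingUserIds = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)
foreach ($id in $pendingUserIds) {
    New-MgGroupMember -GroupId $excludeGroup.Id -DirectoryObjectId $id
}

# 3. Conditional Access policy: include the dynamic group, exclude the static group.
#    Excludes always win over includes, so members of $excludeGroup are skipped
#    even though they also match the dynamic rule. A break-glass account is excluded
#    directly (placeholder ID) so a mistake in the rule cannot lock administrators out.
$breakGlassId = "00000000-0000-0000-0000-0000000000ff"
$policy = @{
    displayName   = "Require MFA for on-prem users (rollout)"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" when ready
    conditions    = @{
        users = @{
            includeGroups = @($includeGroup.Id)
            excludeGroups = @($excludeGroup.Id)
            excludeUsers  = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$caPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 4. Rollout step: onboarding the next batch is just removing them from the exclusion group.
$batch = @("00000000-0000-0000-0000-000000000001")
foreach ($id in $batch) {
    Remove-MgGroupMemberByRef -GroupId $excludeGroup.Id -DirectoryObjectId $id
}

# 5. Check: whoever is still in the exclusion group is still outside the policy.
#    When this prints nothing, adoption is at 100% and the exclusion group can be retired.
Get-MgGroupMember -GroupId $excludeGroup.Id -All |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }
```

Two things to keep in mind when running this: dynamic membership is evaluated asynchronously, so a newly synced user shows up in the include group some time after the sync rather than immediately, and both dynamic groups and Conditional Access require Azure AD Premium licensing. Leaving the policy in report-only state until the sign-in logs confirm the expected scope is the safe way to validate the include/exclude combination before enforcing it.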
Dynamic Groups: Member of group · Community (azure.com)
Preview for other scenarios
Group membership for Azure AD dynamic groups with memberOf – Azure AD – Microsoft Entra | Microsoft Docs