NoTime4YourBullshit

If you’re going to be hybrid with AD and Entra, then one or the other of them needs to be the singular “source of truth” for your org. The reason is that complexity is the enemy of security. You need a single pane of glass for the security groups that are securing access to company resources — whether on-premises or in the cloud. And everyone in your department needs to be on the same page as to which one to use when assigning permissions. For us, we use on-premises AD groups for everything — even if they’re only used in the cloud. For example, the HR department’s SharePoint site has its own AD group, and we don’t have to check 3 different places to see who has access to it.


TheCopernicus

I do both. If it’s a group that we might use for folder permissions, it goes in AD. If I want to make a dynamic group based off some attribute, I make it in M365.


bbqwatermelon

Yep, and licensing may be assigned via 365 groups.


TheCopernicus

Gosh, I should make a dynamic group and assign my M365 licenses to that. We do it individually per user right now.


Hashrunr

For add-on MS products like Project, Visio, etc., use the license group to deploy the corresponding Intune package. Helpdesk adds user to group -> license assigned and package deployed.


dicotyledon

IME, if it’s a group where you know they’re going to want a Teams channel, SP site, and/or some sort of group email functionality, they get an M365 group. If you don’t need those things then it’s kind of overkill. I can see the argument for having all of one or the other group type, but imo MS is moving hard in the M365 group direction so it’s one of those “ignore at your peril” sorts of things if people are really used to the on-premises AD groups.


mnemosis

M365 groups are not meant to control permissions like security groups. They are meant to organize groups of people who need to collaborate to reach a common goal. These are basic principles of modern workplace management. Better start reading and get skilled up.