Baseline Policy Assignment with the Ability to Detect Existing Policies (Planned)

The baseline policy is a great feature that works well for new tenants, but in order to manage tenants that already have policies in place, you currently need to delete the existing policies in order to apply the baselines from NMM. It would be great to be able to assign the baseline policies to existing tenants and for it to detect what policies are already in place and either determine if there is a drift between the existing policy and the policy being pushed from NMM, or to simply have the option to overwrite the policies already in the tenant so the policies for existing tenants can now be managed from NMM as well.
Example: We currently have all of our clients set up with the Conditional Access Policies for MFA. This was done for all of our clients prior to bringing them into NMM. I would like to manage the conditional access policy from NMM, but when I assign the policy from NMM it simply adds a new Conditional Access policy instead of detecting that this policy already exists and simply allowing us to manage it along with the other baseline policies. In the case of the MFA policy it is an even bigger issue, since the 2 policies conflict with each other, forcing NMM to automatically disable the policy assigned through NMM after a while.


Comments (1 comment)

Dave Stephenson

Great call out, Chaim Botnick!
With net-new environments, it's great, but if there is existing infrastructure, it gets to be a bit more complicated.

For those customers with existing environments, are you thinking we add an option to "Remove existing policy assignments before applying the baseline policies" or are you thinking to make it more wizard driven where it would be similar to the below example?

My only concern for the removing existing policy assignments is the slight off-chance where there's a problem (i.e. Azure API crashing or another Azure outage) and the existing policies are unassigned and before the new policies are assigned, we encounter an error. Or someone wouldn't be able to login because of a Conditional Access policy change. Would you just work around that with a maintenance window with your customer or do you not see that as a concern with your use-case?


Wizard Example:

Potential Conflict:
It looks like you have PolicyName applied to security group Device-DellLaptops and PolicyNameB configured to apply to the same group.
How would you like to proceed?
[Ignore]   [Unassign: PolicyName]   [Unassign: PolicyNameB]   [Cancel]
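To make concrete what "detect the existing policy, report drift, and flag conflicts before touching anything" could look like for the request above and the wizard sketched in this comment, here is an added example (not NMM's code, and not from either poster). It assumes policy objects shaped like Microsoft Graph conditionalAccess policies; all policy and group names are hypothetical, constructed for the example.

```python
# Constructed sample data shaped like Microsoft Graph conditionalAccess policy objects;
# the policy and group names are hypothetical.
EXISTING_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeGroups": ["All-Users"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["Device-DellLaptops"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["Device-DellLaptops"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]
BASELINE_MFA = {  # the baseline the management platform wants to push to the tenant
    "displayName": "Require MFA for all users", "state": "enabled",
    "conditions": {"users": {"includeGroups": ["All-Users"], "excludeGroups": ["Break-Glass"]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}

def flatten(obj, prefix=""):
    """Flatten nested dicts to {'a.b.c': value}; lists are sorted so order alone is not drift."""
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}{key}."))
        return out
    return {prefix.rstrip("."): sorted(map(str, obj)) if isinstance(obj, list) else obj}

def drift(baseline, existing):
    """{field path: (tenant value, baseline value)} for every field that differs."""
    a, b = flatten(existing), flatten(baseline)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def plan(baseline, tenant_policies):
    """Match on displayName instead of creating a duplicate, then report drift."""
    match = next((p for p in tenant_policies if p["displayName"] == baseline["displayName"]), None)
    if match is None:
        return {"action": "create", "drift": {}}
    d = drift(baseline, match)
    return {"action": "update" if d else "in-sync", "drift": d}

def group_conflicts(policies):
    """Pairs of enabled policies scoped to the same include-group (input for the wizard prompt)."""
    enabled = [p for p in policies if p["state"] == "enabled"]
    found = []
    for i, p in enumerate(enabled):
        for q in enabled[i + 1:]:
            shared = set(p["conditions"]["users"].get("includeGroups", [])) & set(
                q["conditions"]["users"].get("includeGroups", []))
            if shared:
                found.append((p["displayName"], q["displayName"], sorted(shared)))
    return found
```

Running `plan(BASELINE_MFA, EXISTING_POLICIES)` reports an update with drift only in `state` and the new `excludeGroups`, and `group_conflicts(EXISTING_POLICIES)` surfaces the two policies sharing Device-DellLaptops, so the operator sees exactly what would change before any unassign happens.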
