Currently, user assignments don't work properly in conditional access policies. Nerdio is able to determine if anyone is assigned to the policy, but it cannot get any more granular than that.
Nerdio should be able to evaluate user/group assignments in conditional access policies to the following extent:
- If the policy template is assigned to all users, then report drift if a policy targets a different user/group
- We should be able to define a list of accepted user exclusions for a particular policy (see my other feature request for Granular Policy Drift for more details). If any additional user/group is excluded from the policy, Nerdio should report a drift.
Additionally, Nerdio should be able to utilize Variables (in Settings > Integrations) to automatically assign users to policies. For example, every client of ours has a “Break Glass” account which is excluded from every conditional access policy we deploy. Because the UPN of this account follows a standard naming convention (BreakGlass@<domain>.com), we should be able to add this logic to the JSON of the policy template and have Nerdio exclude the Break Glass account automatically when we deploy that policy to a tenant.
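One way the assignment drift check requested above could work, as an added example that is not Nerdio's own code: it assumes the Microsoft Graph conditionalAccessPolicy `conditions.users` JSON shape, a `${domain}` placeholder syntax for the variable, and constructed sample template and deployed policies.

```python
import re
from typing import Iterable

# Constructed sample in the shape of a Microsoft Graph conditionalAccessPolicy
# "conditions.users" block. The ${domain} placeholder syntax is an assumption.
TEMPLATE = {"conditions": {"users": {
    "includeUsers": ["All"], "excludeUsers": ["BreakGlass@${domain}"],
    "includeGroups": [], "excludeGroups": []}}}

# Constructed "deployed" policy as read back from a tenant: the break glass
# account is present, but two extra users and one group have been excluded.
DEPLOYED = {"conditions": {"users": {
    "includeUsers": ["All"],
    "excludeUsers": ["breakglass@contoso.com", "svc-backup@contoso.com", "cfo@contoso.com"],
    "includeGroups": [], "excludeGroups": ["11111111-2222-3333-4444-555555555555"]}}}

VAR_PATTERN = re.compile(r"\$\{(\w+)\}")

def render_template(template: dict, variables: dict) -> dict:
    """Expand ${var} placeholders in every user/group entry of the template."""
    users = template["conditions"]["users"]
    rendered = {k: [VAR_PATTERN.sub(lambda m: variables[m.group(1)], v) for v in vals]
                for k, vals in users.items()}
    return {"conditions": {"users": rendered}}

def _norm(values: Iterable[str]) -> set[str]:
    # UPNs and the "All" sentinel are case-insensitive; object IDs are lowercased as well
    return {v.lower() for v in values}

def assignment_drift(template: dict, deployed: dict,
                     accepted_exclusions: Iterable[str] = ()) -> list[str]:
    """Return drift findings comparing deployed user/group assignments to the rendered template."""
    t, d = template["conditions"]["users"], deployed["conditions"]["users"]
    accepted = _norm(accepted_exclusions)
    findings: list[str] = []
    # Inclusions must match exactly: "All" in the template means nothing narrower is acceptable
    for key in ("includeUsers", "includeGroups"):
        missing, extra = _norm(t[key]) - _norm(d[key]), _norm(d[key]) - _norm(t[key])
        findings += [f"{key}: removed {v}" for v in sorted(missing)]
        findings += [f"{key}: added {v}" for v in sorted(extra)]
    # Exclusions beyond template + accepted list are drift; a dropped template exclusion is too
    for key in ("excludeUsers", "excludeGroups"):
        expected = _norm(t[key])
        findings += [f"{key}: unexpected exclusion {v}" for v in sorted(_norm(d[key]) - expected - accepted)]
        findings += [f"{key}: required exclusion missing {v}" for v in sorted(expected - _norm(d[key]))]
    return findings

if __name__ == "__main__":
    rendered = render_template(TEMPLATE, {"domain": "contoso.com"})
    for finding in assignment_drift(rendered, DEPLOYED, accepted_exclusions=["svc-backup@contoso.com"]):
        print(finding)
```

With the constructed data this reports only the CFO exclusion and the excluded group; the break glass account (from the variable) and the accepted service account are silent.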