Add group templates to Conditional Access (CA) policies within the JSON files.

Good afternoon,

As previously discussed, I would like to raise a feature request for the ability to add group templates to Conditional Access (CA) policies within the JSON files.

We use a standard set of groups in our CA policy design, which we typically include and/or exclude from these policies. Currently, I do not see a way to add group templates within the JSON file, so when a policy is pushed to a customer tenant, the groups are not automatically added to the include or exclude list. 

I have tried using policy variables for this, but was unsuccessful. To make the process complete, it would also be very helpful if Nerdio could automatically create the group in the customer tenant if it does not already exist.


Comments (4 comments)

Dave Stephenson

Welcome to the community, Tim Renes 🙂!

I may not be understanding correctly; however, what you're asking for seems similar to our Direct Assignment capabilities that were added to NMM in the v6.3.0 release of NMM.

When you get a moment, can you help us understand how your request could/would be different than that?

Carl Long
We appreciate your feature request—community input is essential to our ongoing development.

Next steps:
     • We will review your suggestion and update its status during the evaluation process.
     • If further clarification is needed, we'll contact you via comments.

We also encourage others to contribute through feedback and voting.

Tim Renes

Hi Dave, 

You are correct, I thought by using the direct assignment feature it would overwrite the contents of the JSON file. I added roles for some CA policies, and in the wizard it clears the custom assignment when using direct assignment, but after testing I noticed it nicely adds the group and keeps the roles configured.

The 1 thing that I would like is the option to add more than 1 group template within the direct assignment wizard.
Is that coming in a future update?

For example, we have groups for Break the glass accounts and Service accounts, which sometimes both need to be excluded from a CA policy.
 

Dave Stephenson

That's great news, Tim!

I can say what you're describing (i.e. currently being able to only assign one group template to the Include and one to the Exclude) is on the Product team's radar, but I don't know exactly where it sits on the timeline to be implemented.

That being said, you could likely work around the limitation by adding an “OR” operator to your exclusion group templates to have your breakglass account be included in the group.
It's not ideal but could be a fairly decent workaround until we have the ability to add multiple group templates to a policy assignment.

Do you think something like this would work, for now, or is the lack of functionality a major roadblock?
