User Account Security Assessment Guide
This is a how-to guide on using and configuring the Azure Active Directory Policy for Microsoft 365 Assignment.
The policy configuration is the rule that describes which users should have this policy applied to them.
The policy rule is an expression based on the SQL WHERE query format. More advanced users can create and test their rules using Microsoft SQL Server Management Studio, connecting directly to the dataset.
The queryable properties are based on the Microsoft Graph user object properties. The properties most commonly used in a rule are listed below:
| Property | Type | Description | Example | Example result |
|---|---|---|---|---|
| AccountEnabled | Boolean | Specifies whether the account is enabled/disabled | | All enabled users |
| ExtensionAttribute1 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute1='My Value'` | |
| ExtensionAttribute2 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute2='My Value'` | |
| ExtensionAttribute3 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute3='My Value'` | |
| ExtensionAttribute4 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute4='My Value'` | |
| ExtensionAttribute5 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute5='My Value'` | |
| ExtensionAttribute6 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute6='My Value'` | |
| ExtensionAttribute7 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute7='My Value'` | |
| ExtensionAttribute8 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute8='My Value'` | |
| ExtensionAttribute9 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute9='My Value'` | |
| ExtensionAttribute10 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute10='My Value'` | |
| ExtensionAttribute11 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute11='My Value'` | |
| ExtensionAttribute12 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute12='My Value'` | |
| ExtensionAttribute13 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute13='My Value'` | |
| ExtensionAttribute14 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute14='My Value'` | |
| ExtensionAttribute15 | String | Synchronized from on-premises Active Directory | `ExtensionAttribute15='My Value'` | |
| Mail | String | Email address | `Mail LIKE '%@bittitan.com'` | All users that have an email address with the domain bittitan.com |
| PhysicalDeliveryOfficeName | String | Location field shown in the Address List | `PhysicalDeliveryOfficeName='Bellevue'` | |
| PostalCode | String | Zip or postal code | `PostalCode='98004'` | |
| ShowInAddressList | Boolean | Specifies whether the user is visible in the Address List | | All users that are hidden from the Address List |
| State | String | State or province | `State='WA'` | |
| UsageLocation | String | 2-letter ISO 3166 country code for service usage location | `UsageLocation='US'` | |
| UserPrincipalName | String | Username used to log in to Microsoft 365 | `UserPrincipalName LIKE '%@bittitan.com'` | All users that have a login name with the domain bittitan.com |

Conditions can be combined as in a SQL WHERE clause, for example: `Department='Sales' OR Department='Marketing'`
Even though the policy is defined as a query, there are circumstances in which one or more users fall outside the policy rule. In these cases, specify the email address of each user you wish to include in the policy, one email address per line.
You may also configure only the user exceptions list, without a policy rule, if you want to explicitly specify the users this policy applies to.
- Specify your policy with a rule and/or user exceptions.
- Do not select the checkbox, and click Next.
- This verifies the validity of your configuration.
- You can see exactly which users the policy will apply to by downloading and viewing the logs.
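The rule and exceptions list above can be dry-run offline before the policy is saved. The following is an added example, not BitTitan's code: it loads a constructed set of user records into an in-memory SQLite table whose columns are the Graph properties from the table above, runs a rule verbatim as the WHERE clause, and unions the result with the exceptions list, which is the same targeting logic the guide describes. Assumptions: the sample users and their attribute values are constructed, and SQLite's LIKE stands in for the product's SQL engine.

```python
import sqlite3

# Constructed sample users, not real accounts. Columns mirror the queryable
# Graph user properties listed in the table above.
COLUMNS = ("UserPrincipalName", "Mail", "AccountEnabled", "ShowInAddressList",
           "Department", "ExtensionAttribute1")
USERS = [
    ("alice@bittitan.com", "alice@bittitan.com", 1, 1, "Sales", "My Value"),
    ("bob@bittitan.com", "bob@contoso.com", 1, 0, "Marketing", None),
    ("carol@contoso.com", "carol@contoso.com", 0, 1, "Sales", "Other"),
    ("svc-backup@bittitan.com", None, 1, 0, "IT", None),  # account with no mailbox
]


def load_users(rows=USERS):
    """Build an in-memory SQLite table standing in for the policy dataset."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (%s)" % ", ".join(COLUMNS))
    conn.executemany("INSERT INTO users VALUES (%s)" % ", ".join("?" * len(COLUMNS)), rows)
    return conn


def preview_policy(rule, exceptions=(), rows=USERS):
    """Return the sorted list of UPNs the policy would target.

    The rule is used verbatim as the SQL WHERE clause, as the policy form does;
    an empty rule matches nobody, so the exceptions list alone drives the result
    (the "exceptions only" configuration described above). Users named in the
    exceptions list are always included, whether or not the rule matches them.
    """
    targeted = set(exceptions)
    if rule:
        conn = load_users(rows)
        try:
            targeted |= {upn for (upn,) in
                         conn.execute("SELECT UserPrincipalName FROM users WHERE " + rule)}
        finally:
            conn.close()
    return sorted(targeted)


if __name__ == "__main__":
    for rule in ("Mail LIKE '%@bittitan.com'",
                 "UserPrincipalName LIKE '%@bittitan.com'",
                 "Department='Sales' OR Department='Marketing'"):
        print(rule, "->", preview_policy(rule))
```

Note that the Mail-based and UserPrincipalName-based rules give different results for the mailbox-less service account, since a NULL Mail value never matches LIKE; this is the kind of difference the log review step is meant to surface.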
The license options specify which licenses should be applied to users and how.
Select one or more licenses you wish to apply.
Note that some licenses depend on other licenses being enabled, and some licenses cannot be combined with others. The form does not validate these combinations; any invalid combination is reported as an error when the licenses are applied.
There are two methods for applying licenses to users:
- Add the licenses defined in the policy to the licenses already assigned to the user (any licenses on the user that are not specified in the policy are preserved)
- Replace the licenses currently assigned to the user with those of the policy (any licenses on the user that are not specified in the policy are removed)
Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the usage location. This is an optional field on the policy which, if specified, overrides existing values. The following table describes the policy behavior for this value:
| Usage Location Specified on User | Usage Location Specified on Policy | Behavior |
|---|---|---|
| ✓ | | The usage location on the user will be preserved |
| | ✓ | The usage location on the user will be initialized by the policy |
| ✓ | ✓ | The usage location on the user will be overwritten by the policy |
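The two license-application methods and the three usage-location cases above can be checked against a record before a policy is applied. The following is an added example, not BitTitan's code: it models the add and replace methods as set operations, encodes the precedence table for usage location, and refuses to assign licenses when no usage location would result. Assumptions: user and policy records are plain dictionaries, and the license names are constructed placeholders rather than real SKU identifiers.

```python
# Constructed example, not BitTitan code: models the two license-application
# methods and the usage-location precedence described above. License names
# are placeholders, not real SKU identifiers.
ADD = "add"          # keep the user's licenses and add the policy's
REPLACE = "replace"  # the user ends up with exactly the policy's licenses


def apply_licenses(user_licenses, policy_licenses, method):
    """Combine the user's current licenses with the policy's per the method."""
    if method == ADD:
        return sorted(set(user_licenses) | set(policy_licenses))
    if method == REPLACE:
        return sorted(set(policy_licenses))
    raise ValueError("unknown license method: %r" % method)


def resolve_usage_location(user_location, policy_location):
    """Policy value wins whenever it is set; otherwise the user's value is kept.

    This is the three-row table above: user only -> preserved, policy only ->
    initialized by the policy, both -> overwritten by the policy.
    """
    return policy_location if policy_location else user_location


def apply_policy(user, policy):
    """Return a new user record with the policy applied; the input is not mutated.

    Assigning a license without a usage location is rejected up front, matching
    the requirement above that the location be set before licenses are assigned.
    """
    location = resolve_usage_location(user.get("UsageLocation"),
                                      policy.get("UsageLocation"))
    if policy["Licenses"] and not location:
        raise ValueError("%s: usage location required before assigning licenses"
                         % user["UserPrincipalName"])
    return {**user,
            "UsageLocation": location,
            "Licenses": apply_licenses(user.get("Licenses", ()),
                                       policy["Licenses"], policy["Method"])}
```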