Different User Groups possible?

Category: azure multifactorauthentication

Question

MathiasS1 on Fri, 05 Aug 2016 12:55:31


Hi,

hope this is not a faq:

We want to use MFA server on premise. Our idea is to create several user groups where every group owns defined security settings. Through assigning an user into one group the user inherits this security settings. Goal is not to have just one settings baseline and to overwrite them with individual settings on a per user base, than to have a kind of different baseline settings and to assign one of these baselines to users.

Thank you!
Mathias

Replies

vijisankar on Sat, 06 Aug 2016 12:32:08


Hello,

We are checking on the query and would get back to you soon on this.

I apologize for the inconvenience and appreciate your time and patience in this matter.

Regards,

Vijisankar

SadiqhAhmed-MSFT on Sun, 07 Aug 2016 19:31:23


Hello Mathias,

Yes. The getMemberObjects API returns all groups (transitive) of which the user is a member: https://msdn.microsoft.com/en-us/library/azure/dn835117.aspx  . Also, using the checkMemberGroups API you can check whether or not the user is member of a group (transitively): https://msdn.microsoft.com/en-us/library/azure/dn835107.aspx

Here is a complete response from Dushyant Gill here - http://stackoverflow.com/questions/28200071/azure-ad-graph-api-user-memberof-nested-groups

Hope that helps!

Best Regards

Sadiqh Ahmed
________________________________________________________________________________________________________________

If this post was helpful to you, please upvote it and/or mark it as an answer so others can more easily find it in the future.

shawnb_ms on Mon, 08 Aug 2016 23:33:07


When you create a directory synchronization item, you can specify a number of settings, including which phone fields the MFA Server should attempt to import from, which MFA method is the default, whether PIN is required or not, etc. Users that are imported via that sync item get those settings applied to them. So the answer to your question depends on what settings you are looking to configure and set via group. If the settings are the things that you can control via the sync item, then you can create several different sync items that have different settings and that sync with different groups of users. Then those groups will each get the settings associated with that sync item.

MathiasS1 on Tue, 09 Aug 2016 15:54:58


Thank you!