Intelligent Group Recommendations

FAST, EASY & INTELLIGENT

The Group Mining feature helps you quickly set up your attribute-based access model by recommending which Microsoft Entra ID groups should be linked to each attribute. These recommendations are based on how many users in your organization currently have those permissions, making the setup process data-driven and efficient.

Bottom-Up Approach: ServiceChanger recommends leveraging existing data rather than enforcing rigid top-down models. This ensures a faster and smoother implementation.


How Does Group Mining Work?

Group Mining analyzes existing user-group relationships in your Microsoft Entra ID tenant and suggests Entra ID groups based on the attributes assigned to your users.

This feature helps you decide whether a permission should be:

  • Assigned at a higher level (e.g., Department) for broader access.

  • Assigned at a lower level (e.g., Job Title) for more specific control.

  • Not assigned at all if the matching percentage is too low.


Examples of Matching Percentages

Example 1: Low Matching Percentage

  • 24 users have the attribute Location: "New York".

  • 4 out of 24 users (17%) with this location have access to "Microsoft Dynamics 365".

  • Decision: Is a 17% match enough to justify adding "Microsoft Dynamics 365" to all users in "New York"?

    • Should it be assigned at a broader level (like Department)?

    • Should it be assigned at a more specific level (like Job Title)?

    • Consider license costs before making a decision.


Example 2: Medium Matching Percentage

  • 80 users have the attribute Department: "Information Technology".

  • 48 out of 80 users (60%) in this department have access to "Freshworks".

  • Decision: Is a 60% match enough to justify assigning "Freshworks" to everyone in "Information Technology"?

    • Would it be better assigned at a more specific level (like Job Title)?

    • How does this affect licensing costs and security?


Example 3: High Matching Percentage

  • 15 users have the attribute Job Title: "Sales Manager".

  • 12 out of 15 users (80%) have access to "Tableau".

  • Decision: Should "Tableau" be assigned to all Sales Managers?

    • Option 1: Add Tableau to all users with the attribute Sales Manager.

    • Option 2: Remove Tableau from all Sales Managers.

    • Option 3: Leave the setup as is.

Job Title is the most specific level in the attribute hierarchy, meaning changes made here will have the smallest scope but greatest precision.
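The matching percentages in the three examples above can be reproduced with a short script. This is an added illustration, not ServiceChanger's own code: the data layout, the `new_grants` field and the 0.75 threshold are assumptions, and the sample users are constructed to match the numbers on this page.

```python
from collections import defaultdict

def match_table(users):
    """Return {(attribute, value, group): (members, total)} for every pair seen."""
    totals = defaultdict(int)    # (attr, value) -> users carrying that attribute value
    members = defaultdict(int)   # (attr, value, group) -> of those, users in the group
    for u in users:
        for attr, value in u["attrs"].items():
            totals[(attr, value)] += 1
            for g in u["groups"]:
                members[(attr, value, g)] += 1
    return {k: (n, totals[k[:2]]) for k, n in members.items()}

def recommend(users, threshold=0.75):
    """List candidate attribute-to-group links, highest match first.

    threshold is an assumed cut-off, not a value from the product.
    new_grants counts users who would gain access they do not hold today.
    """
    rows = []
    for (attr, value, group), (n, total) in match_table(users).items():
        rows.append({"attribute": attr, "value": value, "group": group,
                     "match_pct": round(100 * n / total),
                     "new_grants": total - n,
                     "suggest": n / total >= threshold})
    return sorted(rows, key=lambda r: (-r["match_pct"], r["attribute"], r["value"]))

def _users(n, with_group, attrs, group):
    # Constructed sample data: n users share attrs, the first with_group hold the group.
    return [{"attrs": dict(attrs), "groups": {group} if i < with_group else set()}
            for i in range(n)]

SAMPLE = (_users(24, 4, {"Location": "New York"}, "Microsoft Dynamics 365")
          + _users(80, 48, {"Department": "Information Technology"}, "Freshworks")
          + _users(15, 12, {"Job Title": "Sales Manager"}, "Tableau"))

if __name__ == "__main__":
    for row in recommend(SAMPLE):
        print(row)
```

The `new_grants` column is the number to review before accepting a recommendation: linking "Freshworks" to the whole department at a 60% match would give access to 32 users who do not have it today.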


Applying Group Mining to Hierarchy Decisions

When using Group Mining in your ABAC model, consider the following best practices:

Data-Driven Decisions

Use real user data to determine permission assignments, ensuring that group memberships align with actual usage needs.

Hierarchical Considerations

Decide whether suggested permissions should be applied at the Department, Location, or Job Title level to maintain a balanced access structure.

Cost-Benefit Analysis

Evaluate the impact of assigning or removing permissions, especially when licenses are involved. Granting access at a broader level can reduce administrative overhead, but too much access can lead to unnecessary costs and security risks.


Conclusion

The Group Mining feature gives IT teams a smart way to refine access control. By analyzing real user-group relationships, it helps ensure that:

✅ Users get access only to what they need for their jobs.

✅ Permissions are assigned efficiently and securely.

✅ Unnecessary or excessive access is avoided.

By making data-driven access decisions, you can streamline security while ensuring that employees have the tools they need, without manual guesswork.
