Group - Authentication Transfer Allowed Users
What this group is for
This is an assigned security group that controls who can use Authentication Transfer, the ability to pass authentication context from one device to another.
By default, everyone is blocked from using this feature. Only users in this group get an exception.
It's used in combination with:
If you're in this group:
- You can transfer authentication sessions between devices
- You have documented business justification for this capability
- You're being watched: every transfer is logged
Configuration Overview
| Setting | Value |
|---|---|
| Group name | Group - Authentication Transfer Allowed Users |
| Group description | Users allowed to transfer authentication context between devices. Requires documented business need and quarterly review. |
| Group type | Security |
| Membership type | Assigned |
| Default members | None (start empty, add by exception only) |
Membership Governance
This group should be small and well-documented.
Before adding a user, ask:
- What specific business scenario requires Authentication Transfer?
- Is there an alternative that doesn't involve transferring auth sessions?
- Has this request been documented and approved?
- When should this access be reviewed or removed?
Best practices:
- Start with zero members and only add on documented request
- Maintain a log of who was added, when, and why
- Review membership at least quarterly
- Remove access when the business need expires
- Monitor authentication transfer events in sign-in logs
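The checks in the two lists above can be run as a periodic reconciliation between the group's current members and the exception log. This is an added example, not part of the original page: the register layout, field names, sample users and the reading of "quarterly" as 90 days are all assumptions, and the member list is assumed to have been exported from the directory beforehand.

```python
from datetime import date, timedelta
REVIEW_INTERVAL = timedelta(days=90)  # assumption: "quarterly" read as 90 days

# Constructed sample data; names and field layout are hypothetical.
GROUP_MEMBERS = ["alice@example.com", "bob@example.com",
                 "carol@example.com", "dave@example.com"]
EXCEPTION_REGISTER = [
    {"user": "alice@example.com", "justification": "Shared kiosk to mobile handoff",
     "approved_by": "secops-lead@example.com", "added": date(2025, 1, 10),
     "last_review": date(2025, 4, 2), "expires": None},
    {"user": "bob@example.com", "justification": "", "approved_by": "",
     "added": date(2025, 5, 1), "last_review": None, "expires": None},
    {"user": "carol@example.com", "justification": "Pilot project",
     "approved_by": "secops-lead@example.com", "added": date(2024, 8, 1),
     "last_review": date(2024, 11, 1), "expires": date(2025, 3, 31)},
    {"user": "erin@example.com", "justification": "Left the pilot", "approved_by": "secops-lead@example.com",
     "added": date(2024, 8, 1), "last_review": date(2025, 5, 1), "expires": None},
]

def audit_membership(members, register, today):
    """Return {user: [findings]} for members that fail a governance check."""
    by_user = {r["user"].lower(): r for r in register}
    findings = {}
    for member in (m.lower() for m in members):
        rec = by_user.get(member)
        if rec is None:  # in the group but never documented
            findings[member] = ["no register entry"]
            continue
        issues = []
        if not rec["justification"].strip():
            issues.append("missing justification")
        if not rec["approved_by"].strip():
            issues.append("missing approval")
        # A member never reviewed is measured from the date they were added.
        if today - (rec["last_review"] or rec["added"]) > REVIEW_INTERVAL:
            issues.append("review overdue")
        if rec["expires"] and rec["expires"] < today:
            issues.append("business need expired")
        if issues:
            findings[member] = issues
    return findings

def stale_register_entries(members, register):
    """Register entries whose user is no longer in the group."""
    current = {m.lower() for m in members}
    return sorted(r["user"].lower() for r in register if r["user"].lower() not in current)

if __name__ == "__main__":
    print(audit_membership(GROUP_MEMBERS, EXCEPTION_REGISTER, date(2025, 6, 1)))
    print(stale_register_entries(GROUP_MEMBERS, EXCEPTION_REGISTER))
```

Any user returned by `audit_membership` is a candidate for removal until the gap is closed; entries returned by `stale_register_entries` should be marked as removed in the log.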
"If you can't document why someone needs it, they don't need it."
Final Note
Authentication Transfer is convenient, but convenience comes with risk.
This group exists to ensure that convenience is controlled.
Keep it small. Keep it documented. Keep it monitored.
"The smaller this group stays, the tighter your security posture is."
Because if everyone can transfer authentication everywhere, then nobody is really authenticated anywhere.