Naming Conventions
This document describes the emoji-based naming convention used throughout this documentation to ensure consistent, visual identification of resources.
Core Principles
All resources follow this pattern:
[Type Icon][Target Icon][Modifiers] [Type Code] - [Descriptive Name]
Icon Reference
Type Icons (Primary Category)
| Icon | Meaning | Used For |
|---|---|---|
| 🛡️ | Security Group | Entra ID Security Groups |
| 🚦 | Conditional Access | Conditional Access Policies |
| βοΈ | Configuration | Configuration Profiles |
| π | Named Location | Conditional Access Named Locations |
| π | Autopilot | Autopilot Deployment Profiles |
| π | Compliance | Compliance Policies |
| π | Script | Compliance Scripts |
Target Icons (Who/What is Affected)
| Icon | Meaning | Description |
|---|---|---|
| 🧑‍💼 | Users | Affects user accounts |
| 👨‍💼 | Admin/User | Alternative user icon |
| 💻 | Devices (Desktop) | Desktop/laptop devices |
| 📱 | Mobile Devices | Phones and tablets |
| 🪟 | Windows | Windows-specific |
| π | Apple | macOS or iOS |
| 🤖 | Android | Android devices |
| 🐧 | Linux | Linux devices |
Modifier Icons (Behavior/Status)
| Icon | Meaning | Description |
|---|---|---|
| π | Manual Assignment | Manually assigned membership (not dynamic) |
| βοΈ | Dynamic Rule | Dynamic group membership based on rules |
| π | Exception/Allow | Grants access or creates exception |
| π | Block/Deny | Blocks access or enforces restriction |
| 🚩 | Geographic | Location-based policies |
Conditional Access Policy Status (CA Policies Only)
| Icon | Meaning | CA Action |
|---|---|---|
| 🟢 | Grant Access | Policy grants access (with conditions like MFA, compliant device, etc.) |
| 🔴 | Block Access | Policy explicitly blocks access |
| 🟠 | Warning/Medium | Medium severity or special conditions |
Named Location Trust Levels
| Icon | Meaning | Trust Level |
|---|---|---|
| 🟢 | Trusted | Trusted/safe locations |
| 🔴 | Non-Trusted | High risk / blocked locations |
| 🟠 | Less-Trusted | Medium risk / caution locations |
Type Codes (Text Abbreviations)
| Code | Full Name | Used For |
|---|---|---|
| Group | Security Group | Entra ID Security Groups |
| CA | Conditional Access | Conditional Access Policies |
| CP | Configuration Profile | Intune Configuration Profiles |
| NLOC | Named Location | CA Named Locations |
| DP | Deployment Profile | Autopilot Deployment Profiles |
| Compliance | Compliance Policy | Intune Compliance Policies |
| CCScript | Compliance Custom Script | Custom compliance detection scripts |
Examples by Category
Security Groups
User Groups - Exception Groups
🛡️🧑‍💼ππ🚦Group - No compliant device required for 💻🪟 users
- 🛡️ = Security Group
- 🧑‍💼 = Users
- π = Manual assignment
- π = Exception (allows something)
- 🚦 = Related to Conditional Access
- 💻🪟 = Windows desktop devices
User Groups - Restriction Groups
🛡️🧑‍💼ππ🚦Group - Not Allowed to Work Remote Users
- 🛡️ = Security Group
- 🧑‍💼 = Users
- π = Manual assignment
- π = Block/restriction
- 🚦 = Related to Conditional Access
Device Groups - Dynamic Assignment
🛡️🪟💻βοΈGroup - Autopilot Devices
- 🛡️ = Security Group
- 🪟 = Windows
- 💻 = Devices
- βοΈ = Dynamic membership rule
Device Groups - Manual Assignment with Exception
🛡️🪟💻ππβοΈGroup - Screen Lock Timer Disabled
- 🛡️ = Security Group
- 🪟 = Windows
- 💻 = Devices
- π = Manual assignment
- π = Exception (disables a security control)
- βοΈ = Related to configuration policy
Special Groups
🛡️🧑‍💼βοΈπ🚦Group - Break the Glass solution
- 🛡️ = Security Group
- 🧑‍💼 = Users
- βοΈ = Dynamic membership
- π = Exception (emergency access)
- 🚦 = Related to Conditional Access
Conditional Access Policies
Grant Access Policies (Green - 🟢)
🚦🟢👨‍💼CA - MFA for All Users
- 🚦 = Conditional Access
- 🟢 = Grant access (with MFA requirement)
- 👨‍💼 = Users
🚦🟢💻CA - Require Compliant Device 🪟
- 🚦 = Conditional Access
- 🟢 = Grant access (requires compliant device)
- 💻 = Devices
- 🪟 = Windows-specific
Block Access Policies (Red - 🔴)
🚦🔴πCA - Block Legacy Other Clients
- 🚦 = Conditional Access
- 🔴 = Block access
- π = Related to legacy protocols/scripts
🚦🔴👨‍💼CA - Block External login for BTG
- 🚦 = Conditional Access
- 🔴 = Block access
- 👨‍💼 = Users (admin/Break the Glass)
Geographic Policies
🚦🔴🚩CA - Block Non-Trusted Countries All Cloud Apps
- 🚦 = Conditional Access
- 🔴 = Block access
- 🚩 = Geographic/location-based
🚦🟠🚩CA - Require Compliant Device in Less-Trusted Countries
- 🚦 = Conditional Access
- 🟠 = Medium severity (grant with extra conditions)
- 🚩 = Geographic/location-based
Mobile Policies
🚦🟢📱CA - Require MAM AppProPol or Compliant Device π
- 🚦 = Conditional Access
- 🟢 = Grant access (with MAM or compliance requirement)
- 📱 = Mobile devices
- π = iOS/macOS specific
Named Locations
Trusted Locations (Green)
π🟢NLOC - Panic Room
π🟢NLOC - Customer Locations
- π = Named Location
- 🟢 = Trusted/safe
Non-Trusted Locations (Red/Orange)
🚩🔴NLOC - Non-Trusted Countries
🚩🟠NLOC - Less-Trusted Countries
- 🚩 = Geographic
- 🔴 = High risk / non-trusted
- 🟠 = Medium risk / less-trusted
Configuration Profiles
Windows Device Profiles
βοΈ🪟💻CP - Screen Lock Timer
- βοΈ = Configuration
- 🪟 = Windows
- 💻 = Devices
Windows Device Profiles with Exception
βοΈ🪟💻πCP - Screen Lock Timer - Disable
- βοΈ = Configuration
- 🪟 = Windows
- 💻 = Devices
- π = Exception (disables control)
Windows User Profiles - Block
βοΈ🪟🧑‍💼CP - OneDrive - Block personal OneDrive
- βοΈ = Configuration
- 🪟 = Windows
- 🧑‍💼 = Users
Windows User Profiles - Allow
βοΈ🪟🧑‍💼πCP - OneDrive - Allow personal OneDrive
- βοΈ = Configuration
- 🪟 = Windows
- 🧑‍💼 = Users
- π = Exception (allows something)
Autopilot Deployment Profiles
πAutopilot DP - User Driven
πAutopilot DP - Self Deploy
πAutopilot DP - User Driven with Local Admin
- π = Autopilot deployment profile
Compliance Policies
Windows Compliance
π🪟💻Compliance - Windows - Bitlocker
π🪟💻Compliance - Windows - Secure Boot
- π = Compliance policy
- 🪟 = Windows
- 💻 = Devices
Custom Compliance Scripts
π🪟💻πCCScript - Windows - Detect RMM
- π = Compliance
- 🪟 = Windows
- 💻 = Devices
- π = Script
Quick Reference Table
Common Combinations
| Icons | Meaning | Example |
|---|---|---|
| 🛡️🧑‍💼ππ🚦 | User group, manual, exception for CA | Exception from MFA requirement |
| 🛡️🧑‍💼ππβοΈ | User group, manual, exception for config | Exception from OneDrive restriction |
| 🛡️🧑‍💼ππ🚦 | User group, manual, block for CA | Blocked from remote work |
| 🛡️🪟💻βοΈ | Windows device group, dynamic | All autopilot devices |
| 🛡️🪟💻ππβοΈ | Windows device group, manual exception | RDP enabled devices |
| 🚦🟢👨‍💼 | CA policy, grant access, for users | MFA requirements |
| 🚦🔴π | CA policy, block access, legacy protocols | Block legacy auth |
| 🚦🔴🚩 | CA policy, block access, geographic | Block from countries |
| 🚦🟢💻 | CA policy, grant access, for devices | Require compliant device |
| βοΈ🪟💻 | Config profile, Windows, devices | Standard device config |
| βοΈ🪟🧑‍💼π | Config profile, Windows, users, allow | Allow exception for users |
Understanding CA Policy Colors
Important distinction for Conditional Access policies:
- 🟢 Green = Grant Access (but with conditions)
  - Example: 🚦🟢👨‍💼CA - MFA for All Users
  - Meaning: Users are granted access, but they must perform MFA first
  - Still enforces security, but doesn't block completely
- 🔴 Red = Block Access (explicit deny)
  - Example: 🚦🔴πCA - Block Legacy Other Clients
  - Meaning: Access is completely blocked, no way around it
- 🟠 Orange = Grant with Extra Caution (medium severity)
  - Example: 🚦🟠🚩CA - Require Compliant Device in Less-Trusted Countries
  - Meaning: Access granted but with stricter requirements
Naming Best Practices
- Always start with the type icon (🛡️, 🚦, βοΈ, etc.)
- Add target icon to show what's affected (🧑‍💼, 💻, 📱)
- Include modifiers to show behavior:
  - π for manual assignment
  - βοΈ for dynamic groups
  - π for exceptions/allows
  - π for blocks
  - 🟢🔴🟠 for CA policy actions (grant/block/caution)
- Add platform icons where relevant (🪟, π, 🤖, 🐧)
- Use the text code (Group, CA, CP, etc.)
- Write a clear descriptive name in English
Bad Examples ❌
- Group - Windows Devices (missing icons)
- 🛡️Group - Autopilot (missing device type and assignment type)
- CA - Block (not descriptive enough)
Good Examples ✅
- 🛡️🪟💻βοΈGroup - Autopilot Devices
- 🚦🔴🚩CA - Block Non-Trusted Countries All Cloud Apps
- 🚦🟢👨‍💼CA - MFA for All Users
- βοΈ🪟💻πCP - Screen Lock Timer - Disable
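A name linter for this convention, as an added example (not part of the original documentation or of SuperVision). It checks the `[icons][Type Code] - [Descriptive Name]` pattern, the Group and CA type icons, and the single CA status circle; the function names and the sample names are constructed for illustration.

```python
SHIELD, LIGHT = "\U0001F6E1", "\U0001F6A6"    # Security Group, Conditional Access
GREEN, RED, ORANGE = "\U0001F7E2", "\U0001F534", "\U0001F7E0"
LAPTOP, FLAG = "\U0001F4BB", "\U0001F6A9"     # Devices, Geographic

TYPE_CODES = {"Group", "CA", "CP", "NLOC", "DP", "Compliance", "CCScript"}
TYPE_ICON = {"Group": SHIELD, "CA": LIGHT}    # assumption: only these two pairs are checked
CA_STATUS = {GREEN, RED, ORANGE}              # grant / block / grant with caution

def lint_name(name: str) -> list[str]:
    """Return the convention violations found in one display name."""
    head, sep, descr = name.partition(" - ")
    if not sep or not descr.strip():
        return ["missing ' - ' separator or descriptive name"]
    n = 0                                     # leading non-ASCII run = icon prefix
    while n < len(head) and ord(head[n]) > 127:
        n += 1
    icons = head[:n].replace("\uFE0F", "")    # ignore variation selectors
    words = head[n:].split()
    code = words[-1] if words else ""         # "Autopilot DP" -> "DP"
    findings = []
    if code not in TYPE_CODES:
        findings.append(f"unknown type code {code!r}")
    if not icons:
        return findings + ["missing icons"]
    expected = TYPE_ICON.get(code)
    if expected and not icons.startswith(expected):
        findings.append(f"{code} name must start with its type icon")
    elif expected and icons == expected:
        findings.append("missing target/modifier icons")
    if code == "CA" and sum(c in CA_STATUS for c in icons) != 1:
        findings.append("CA name needs exactly one status icon")
    return findings

def audit(names):
    """Map each non-conforming name to its findings."""
    return {n: f for n in names if (f := lint_name(n))}

# Constructed sample, as names might appear in a tenant export.
SAMPLE = [
    LIGHT + RED + FLAG + "CA - Block Non-Trusted Countries All Cloud Apps",
    SHIELD + "\uFE0F" + "Group - Autopilot",
    "Group - Windows Devices",
    LIGHT + LAPTOP + "CA - Require Compliant Device",
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

Run over an exported list of display names, `audit` returns only the names that break the pattern, which makes drift between tenants easy to spot.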
Why This Convention?
Visual Clarity
The emoji icons allow you to instantly recognize what a resource is and does:
- See 🟢 in CA? It grants access (with conditions)
- See 🔴 in CA? It blocks access completely
- See π? It's an exception
- See π? It blocks something
- See 🚩? It's location-based
Cross-Tenant Consistency
When managing multiple tenants with SuperVision, consistent naming ensures:
- Easy identification across environments
- Predictable resource discovery
- Simplified documentation
- Better audit trails
Self-Documenting
The name tells you:
- What it is (Group, CA, CP)
- Who/What it affects (users, devices, platform)
- How it works (manual, dynamic, exception, block, grant)
- Why it exists (descriptive name)
Remember: Good naming is not about being clever. It's about being instantly understandable to anyone who reads it, including your future self at 3 AM during an incident.
Platform-Specific Icons
When a policy applies to a specific platform, add the platform icon at the end of the emoji sequence:
| Platform | Icon | Usage |
|---|---|---|
| Windows | 🪟 | CA - Require Compliant Device 🪟 |
| macOS | π | CA - Require Compliant Device π |
| iOS | π | CA - Require MAM AppProPol or Compliant Device π |
| Android | 🤖 | CA - Require MAM AppProPol or Compliant Device 🤖 |
| Linux | 🐧 | CA - Require Compliant Device 🐧 |
This document is a living standard. As new patterns emerge, update this reference accordingly.