
Logic to protect inclusion and exclusion groups

Open AlexFilipin opened this issue 4 years ago • 2 comments

We might want to protect exclusion groups (at least some) with the "Azure AD roles can be assigned to the group" flag that will protect it from other admin roles.

Thinking about: Sync account group, Emergency access account group and admin CA policies maybe even PERM exclusion groups of other policies.

AlexFilipin avatar Nov 16 '20 13:11 AlexFilipin

microsoft.directory/groups/members/update

  • Group Owner (via User Role)
  • User Account Administrator
  • Partner Tier1 Support
  • Partner Tier2 Support
  • Directory Writers
  • Groups Administrator

microsoft.directory/groups/allProperties/allTasks

  • Global Administrator

microsoft.directory/groups.unified/members/update

  • Exchange Service Administrator
  • SharePoint Service Administrator
  • Teams Service Administrator

microsoft.directory/groups.security/members/update

  • Intune Service Administrator

microsoft.directory/groups.assignableToRoles/allProperties/update

  • Global Administrator
  • Privileged Role Administrator
  • Group Owner (via User Role)

AlexFilipin avatar Nov 16 '20 13:11 AlexFilipin
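The idea in the issue is to mark the sensitive exclusion groups (sync account, emergency access, admin policy exclusions) as role-assignable so that only the roles in the last list above can change their membership. A defender will want a quick way to find exclusion groups that are still unprotected. The script below is an added example, not code from the ConditionalAccess project: it enumerates every Conditional Access policy, looks up each excluded group, and reports whether the group is role-assignable and how many owners it has (owners keep edit rights even on role-assignable groups, as the permission list shows). It assumes the Microsoft.Graph PowerShell SDK is installed and a connection with the Policy.Read.All and Group.Read.All scopes.

```powershell
# Added example (not part of the ConditionalAccess project).
# Assumes the Microsoft.Graph SDK modules are installed; the scopes below are
# read-only, so nothing in this script changes the tenant.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All'

$policies   = Get-MgIdentityConditionalAccessPolicy -All
$groupCache = @{}   # groupId -> group object, so shared exclusion groups are fetched once

$report = foreach ($policy in $policies) {
    foreach ($groupId in $policy.Conditions.Users.ExcludeGroups) {
        if (-not $groupCache.ContainsKey($groupId)) {
            # IsAssignableToRole is not returned by default and must be selected explicitly.
            $group = Get-MgGroup -GroupId $groupId -Property 'Id', 'DisplayName', 'IsAssignableToRole'
            $groupCache[$groupId] = [pscustomobject]@{
                DisplayName      = $group.DisplayName
                RoleAssignable   = [bool]$group.IsAssignableToRole
                OwnerCount       = @(Get-MgGroupOwner -GroupId $groupId -All).Count
            }
        }
        $g = $groupCache[$groupId]
        [pscustomobject]@{
            Policy         = $policy.DisplayName
            PolicyState    = $policy.State          # enabled / disabled / enabledForReportingButNotEnforced
            ExclusionGroup = $g.DisplayName
            GroupId        = $groupId
            RoleAssignable = $g.RoleAssignable
            OwnerCount     = $g.OwnerCount
        }
    }
}

# Unprotected exclusion groups: any role in the groups/members/update list above
# (Groups Administrator, User Account Administrator, ...) can still add members here.
$report |
    Where-Object { -not $_.RoleAssignable } |
    Sort-Object Policy, ExclusionGroup |
    Format-Table Policy, PolicyState, ExclusionGroup, OwnerCount -AutoSize
```

Run it before and after flipping the flag on the groups you decide to protect; keep in mind that the flag can only be set at group creation, so an existing exclusion group has to be recreated and re-referenced in the policy, and that the thread later notes the tenant-wide limit on role-assignable groups, which is why reserving the flag for the few critical exclusion groups is the practical choice.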

Waiting for additional AAD features; the number of assignableToRoles groups is limited, so I don't think it's a good path to take.

AlexFilipin avatar Sep 03 '21 22:09 AlexFilipin