Enterprise Naming Standards: Devices, Users, Groups, Policies & More

Walk into any enterprise IT environment without naming standards and you will find policies named "New policy - copy (2)", groups called "Test Group DO NOT DELETE", and devices registered as "DESKTOP-4K8HJ2Q". Nobody knows what they do. Nobody knows who owns them. And nobody wants to touch them.

Naming standards are not glamorous. They are not a feature. They are infrastructure — the invisible scaffolding that determines whether your Intune tenant is manageable at scale or a slow-moving disaster.

This guide covers every object type you will encounter in a Microsoft enterprise environment: users, admins, service accounts, devices, Entra groups, AD groups, Intune policies, Conditional Access, security baselines, and more. Every format is designed to be readable at a glance, sortable in a list, and meaningful six months after it was created.

Why Naming Standards Matter

Before defining formats, understand what good naming achieves:

Core Design Principles

Before any format, five rules apply everywhere:

1. Uppercase prefixes, lowercase descriptors — CFG-WIN-bitlocker-encryption reads better than cfgwinbitlockerencryption
2. Hyphens as separators, never underscores or spaces — spaces break scripts; underscores look like spaces in some UIs
3. No special characters — parentheses, slashes, and ampersands break PowerShell filters and REST API calls
4. Consistent component order — always TYPE-PLATFORM-ENVIRONMENT-PURPOSE, never mix the order
5. Keep it short but not cryptic — CFG-WIN-PRD-BitLocker beats Config-Windows-Production-BitLockerEncryptionFullDisk

Environment and Platform Codes

Use these building blocks consistently across every object type.

Environment codes

Platform codes

Location codes (optional — use when multi-region)

Department codes

1. User Accounts

Standard user accounts

The most common format is firstname.lastname@company.com. This is readable, predictable, and works with most directory sync tools.

Format:   firstname.lastname@company.com
Example:  chetan.yamger@contoso.com

For large organisations with common names, add a department or sequential number:

Format:   firstname.lastname.dept@company.com
Example:  john.smith.fin@contoso.com
          john.smith2@contoso.com  (duplicate resolution)

Shared mailboxes

Format:   SMB-{Department}-{Purpose}@company.com
Example:  SMB-IT-ServiceDesk@contoso.com
          SMB-HR-Recruitment@contoso.com
          SMB-FIN-Invoices@contoso.com

Resource mailboxes (rooms and equipment)

Format:   RES-{Location}-{Name}@company.com
Example:  RES-AMS-ConferenceRoom-A@contoso.com
          RES-LON-Projector-Floor2@contoso.com

2. Admin and Privileged Accounts

Admin accounts must be separate from standard user accounts — never use firstname.lastname@company.com for privileged tasks.

Standard admin accounts (Entra ID / Microsoft 365 Admin)

Format:   ADM-{firstname}.{lastname}@company.com
Example:  ADM-chetan.yamger@contoso.com

On-premises privileged accounts (Active Directory)

For tiered administration (Tier 0 = DC/AD, Tier 1 = Servers, Tier 2 = Workstations):

Format:   {TIER}-{firstname}.{lastname}
Example:  T0-chetan.yamger    (Domain Controller / AD admin)
          T1-chetan.yamger    (Server admin)
          T2-chetan.yamger    (Workstation / Intune admin)

Break glass / emergency access accounts

Format:   BG-Admin{NN}@company.com
Example:  BG-Admin01@contoso.com
          BG-Admin02@contoso.com

Global admin accounts

Global Admin is a permanent Tier 0 role. Accounts assigned to it must be cloud-only, have no licences, and be used only for break-glass scenarios (day-to-day admin should use PIM elevation).

Format:   GA-{Purpose}@company.com
Example:  GA-PrimaryAdmin@contoso.com
          GA-Backup@contoso.com

Service accounts

Format:   SVC-{ServiceName}-{Purpose}@company.com
Example:  SVC-Intune-GraphAPI@contoso.com
          SVC-SCCM-CMG@contoso.com
          SVC-PowerBI-DataRefresh@contoso.com
          SVC-AzureDevOps-Deploy@contoso.com

3. Device Naming

Device names appear in Intune, SCCM, Azure AD, and support tickets. A clear naming convention makes it instant to identify the device type, location, and owner.

Windows devices

Format:   {COMPANY}-{DEPT}-{TYPE}-{LOCATION}-{COUNTER}
Example:  CORP-IT-LAP-NL-0001      (IT dept laptop, Netherlands, #1)
          CORP-FIN-DT-UK-0042       (Finance desktop, UK, #42)
          CORP-IT-VM-AZ-0010        (IT virtual machine, Azure, #10)

Shorter format (for orgs with one location):

Format:   {COMPANY}-{TYPE}-{COUNTER}
Example:  CORP-LAP-0001
          CORP-DT-0042
          CORP-VM-0010

Device type codes

Autopilot device naming (set in Deployment Profile)

Autopilot lets you define a device naming template that runs at provisioning time:

Template:   CORP-WIN-%RAND:4%
Result:     CORP-WIN-A7K2

Template:   CORP-%SERIAL%
Result:     CORP-SN123456789

Template:   %DEPT%-LAP-%RAND:4%
Result:     IT-LAP-9F3M

macOS devices

Format:   {COMPANY}-MAC-{LOCATION}-{COUNTER}
Example:  CORP-MAC-NL-0001
          CORP-MAC-US-0015

Mobile devices (iOS / Android)

Mobile devices are harder to control naming for (especially BYOD). For corporate-owned devices:

Format:   {COMPANY}-{PLATFORM}-{DEPT}-{COUNTER}
Example:  CORP-iOS-IT-0001
          CORP-AND-FIN-0003

4. Entra ID (Azure AD) Groups

Groups are the backbone of policy assignment in Intune and Conditional Access. A clear naming standard is critical because group lists grow fast and become unmanageable without structure.

Format structure

Format:   GRP-{TYPE}-{PLATFORM/DEPT}-{PURPOSE}-{SCOPE}

Security groups

GRP-SEC-WIN-AllDevices-PRD
GRP-SEC-WIN-CompliantDevices-PRD
GRP-SEC-iOS-AllDevices-PRD
GRP-SEC-AND-CorporateOwned-PRD
GRP-SEC-MAC-AllDevices-PRD
GRP-SEC-IT-Department-PRD
GRP-SEC-FIN-Department-PRD
GRP-SEC-EXC-Executives-PRD

Dynamic device groups

GRP-DYN-WIN-AllWindowsDevices
GRP-DYN-WIN-AutopilotDevices
GRP-DYN-iOS-AllAppleDevices
GRP-DYN-AND-AndroidEnterprise
GRP-DYN-MAC-AllMacDevices
GRP-DYN-WIN-CompliantOnly

Dynamic membership rules to match:

# GRP-DYN-WIN-AllWindowsDevices
(device.deviceOSType -eq "Windows")
 
# GRP-DYN-iOS-AllAppleDevices
(device.deviceOSType -eq "iPhone") -or (device.deviceOSType -eq "iPad")
 
# GRP-DYN-AND-AndroidEnterprise
(device.deviceOwnership -eq "Company") -and (device.deviceOSType -eq "AndroidForWork")
 
# GRP-DYN-WIN-AutopilotDevices
(device.devicePhysicalIds -any (_ -startsWith "[ZTDID]"))

Intune / MDM-specific groups

GRP-MDM-WIN-EnrolledDevices-PRD
GRP-MDM-WIN-PilotRing-BitLocker
GRP-MDM-iOS-MAMEnabled-PRD
GRP-MDM-AND-WorkProfile-PRD
GRP-MDM-WIN-ExcludeFromCompliance
GRP-MDM-WIN-KioskDevices

Conditional Access groups

GRP-CA-ExcludeBreakGlass          (always excluded from every CA policy)
GRP-CA-ExcludeServiceAccounts     (service accounts excluded from user-facing policies)
GRP-CA-PilotUsers-MFA             (pilot ring for new CA policies)
GRP-CA-ExternalGuests             (guest/B2B users)
GRP-CA-PrivilegedAdmins           (accounts with admin roles)
GRP-CA-NamedLocations-Trusted     (users in trusted office locations)

Microsoft 365 groups (Teams, SharePoint)

GRP-M365-IT-InternalTeam
GRP-M365-FIN-Finance-Department
GRP-M365-OPS-Operations
GRP-M365-PRJ-ProjectAlpha-2026
GRP-M365-EXC-Leadership

5. On-Premises Active Directory Groups

AD groups follow a different convention from Entra ID. They must encode the group scope and type.

AD group scope codes

Format

Format:   {SCOPE}-{CATEGORY}-{PURPOSE}

Examples

# Resource access groups (Domain Local — assign permissions)
DL-SharePoint-Finance-ReadOnly
DL-FileShare-IT-ReadWrite
DL-Printer-Floor3-Print

# User / department groups (Global — contain members)
GG-Dept-Finance
GG-Dept-IT
GG-Dept-HR
GG-Dept-Operations

# Distribution / mail-enabled groups
GG-Mail-AllStaff
GG-Mail-IT-Department
GG-Mail-Management

# Admin tier groups
GG-Admins-Tier0-DomainAdmins
GG-Admins-Tier1-ServerAdmins
GG-Admins-Tier2-HelpdeskTech

# Group Policy assignment groups
GG-GPO-BitLocker-Workstations
GG-GPO-Screensaver-AllUsers
GG-GPO-IE-Restrictions-Finance

6. Intune Configuration Profiles

Configuration profiles are where naming discipline pays off most. A tenant can have hundreds. Without a standard, finding the right one becomes a daily frustration.

Format

Format:   CFG-{PLATFORM}-{ENV}-{PURPOSE}

Windows configuration profiles

CFG-WIN-PRD-BitLocker-Encryption
CFG-WIN-PRD-Security-Baseline-CIS
CFG-WIN-PRD-Windows-Update-DeploymentRing-Broad
CFG-WIN-PRD-Windows-Update-DeploymentRing-Pilot
CFG-WIN-PRD-Windows-Hello-BusinessPolicy
CFG-WIN-PRD-Firewall-Domain-Profile
CFG-WIN-PRD-Firewall-Public-Profile
CFG-WIN-PRD-AppLocker-Standard
CFG-WIN-PRD-StartMenu-Layout-Standard
CFG-WIN-PRD-VPN-AlwaysOn-Split
CFG-WIN-PRD-WiFi-Corporate-SSID
CFG-WIN-PRD-Certificate-SCEP-User
CFG-WIN-PRD-Certificate-SCEP-Device
CFG-WIN-PRD-LAPS-Configuration
CFG-WIN-PRD-RemoteDesktop-Disabled
CFG-WIN-PRD-Kiosk-SingleApp-Browser
CFG-WIN-PIL-BitLocker-Encryption      (Pilot ring — same policy, smaller group)

iOS configuration profiles

CFG-iOS-PRD-Email-ExchangeOnline
CFG-iOS-PRD-WiFi-Corporate-SSID
CFG-iOS-PRD-VPN-PerApp-O365
CFG-iOS-PRD-Certificate-SCEP-User
CFG-iOS-PRD-Passcode-Policy-Standard
CFG-iOS-PRD-Restrictions-BrowserBlock
CFG-iOS-PRD-Supervised-Kiosk

macOS configuration profiles

CFG-MAC-PRD-FileVault-Encryption
CFG-MAC-PRD-Firewall-Enable
CFG-MAC-PRD-Security-Baseline
CFG-MAC-PRD-WiFi-Corporate-SSID
CFG-MAC-PRD-Certificate-SCEP-User
CFG-MAC-PRD-Gatekeeper-AppStore

Android Enterprise

CFG-AND-PRD-WorkProfile-Restrictions
CFG-AND-PRD-WiFi-Corporate-SSID
CFG-AND-PRD-Certificate-SCEP-Work
CFG-AND-PRD-Kiosk-DedicatedDevice
CFG-AND-PRD-Email-WorkProfile

7. Compliance Policies

Compliance policies determine whether a device is "Compliant" or "Non-Compliant" — directly linked to Conditional Access enforcement.

Format

Format:   CMP-{PLATFORM}-{ENV}-{PURPOSE}

Examples

CMP-WIN-PRD-Corporate-Baseline
CMP-WIN-PRD-High-Security-Finance
CMP-WIN-PIL-Corporate-Baseline         (Pilot rollout)
CMP-iOS-PRD-Corporate-Standard
CMP-iOS-PRD-BYOD-Minimum
CMP-AND-PRD-Corporate-WorkProfile
CMP-AND-PRD-BYOD-Minimum
CMP-MAC-PRD-Corporate-Baseline

8. App Protection Policies (MAM)

Mobile Application Management (MAM) policies protect data inside apps — even on unmanaged BYOD devices.

Format

Format:   MAM-{PLATFORM}-{MGMT}-{PURPOSE}

Examples

MAM-iOS-MDM-Corporate-ManagedApps
MAM-iOS-MAMWE-BYOD-O365Apps
MAM-AND-MDM-Corporate-ManagedApps
MAM-AND-MAMWE-BYOD-O365Apps
MAM-WIN-MDM-Corporate-Edge

9. Conditional Access Policies

CA policy naming is the most critical of all — a misconfigured CA policy can lock out your entire organisation. The name must tell you what it does before you even open it.

Format

Format:   CA{NNN}-{TARGET}-{CONDITION}-{ACTION}

Complete baseline set (10 policies)

CA001-AllUsers-AllApps-RequireMFA
CA002-AllUsers-AllApps-BlockLegacyAuthentication
CA003-AllUsers-O365Apps-RequireCompliantDevice
CA004-PrivilegedAdmins-AllApps-RequireMFA-CompliantDevice
CA005-PrivilegedAdmins-AzurePortal-RequireCompliantDevice
CA006-AllUsers-AllApps-BlockHighRiskUser
CA007-AllUsers-AllApps-BlockHighRiskSignin
CA008-AllUsers-AllApps-BlockUnknownLocations
CA009-GuestUsers-AllApps-RestrictAccess
CA010-ServiceAccounts-AllApps-BlockWithExceptions

Named Locations (used in CA conditions)

NL-TrustedLocation-Amsterdam-Office
NL-TrustedLocation-VPN-CorporateGateway
NL-CountryBlock-HighRiskCountries
NL-CountryAllow-EuropeOnly

10. Security Policies (Endpoint Security)

Endpoint Security policies in Intune cover antivirus, firewall, disk encryption, attack surface reduction, and endpoint detection.

Format

Format:   SEC-{PLATFORM}-{TYPE}-{PURPOSE}

Examples

SEC-WIN-AV-Defender-Standard
SEC-WIN-AV-Defender-HighSecurity-Finance
SEC-WIN-FW-Domain-Profile
SEC-WIN-FW-Public-Profile
SEC-WIN-FW-Private-Profile
SEC-WIN-EDR-MDE-Onboarding
SEC-WIN-ASR-Rules-Standard
SEC-WIN-ASR-Rules-HighSecurity
SEC-WIN-ENC-BitLocker-OSVolume
SEC-WIN-ENC-BitLocker-DataDrive
SEC-WIN-LAPS-Configuration-Standard
SEC-WIN-SEC-Baseline-CIS-L1
SEC-MAC-AV-Defender-Standard
SEC-MAC-FW-Enable-Standard

11. Windows Update Rings

Update rings control how quickly Windows updates reach your devices. Structure them as deployment rings.

Format:   UPD-WIN-{RING}-{PURPOSE}

Examples

UPD-WIN-PILOT-QualityUpdates-7Day
UPD-WIN-EARLY-QualityUpdates-14Day
UPD-WIN-BROAD-QualityUpdates-21Day
UPD-WIN-PILOT-FeatureUpdates-30Day
UPD-WIN-BROAD-FeatureUpdates-90Day
UPD-WIN-DEFER-FeatureUpdates-180Day

12. Service Principals and App Registrations

Service Principals in Entra ID represent application identities — used for automation, integrations, and Graph API access.

Format

Format:   SPN-{ServiceName}-{Purpose}-{ENV}

Examples

SPN-Intune-GraphAPI-PRD
SPN-PowerBI-DataRefresh-PRD
SPN-PowerShell-Automation-PRD
SPN-AzureDevOps-Deployment-DEV
SPN-LogicApps-M365-Integration-PRD
SPN-Sentinel-DataConnector-PRD
SPN-SCCM-CloudManagement-PRD
SPN-PowerAutomate-SharePoint-PRD

13. Administrative Units

Administrative Units (AUs) in Entra ID allow scoped administration — an admin can manage only users/devices within their AU.

Format:   AU-{SCOPE}-{PURPOSE}

Examples

AU-GLB-BreakGlass-Accounts
AU-GLB-ServiceAccounts
AU-DEPT-Finance
AU-DEPT-HR
AU-DEPT-IT-Operations
AU-RGN-Europe
AU-RGN-NL-Amsterdam
AU-RGN-UK-London

14. Azure Resources and Resource Groups

For Azure infrastructure resources (if your scope extends beyond Intune/Entra):

Format:   RG-{ENV}-{Purpose}-{Location}

Examples

RG-PRD-Intune-Resources-WEU
RG-PRD-Sentinel-Security-WEU
RG-PRD-KeyVault-Secrets-WEU
RG-DEV-Testing-Lab-WEU
RG-PRD-BackupVault-DR-NEU

Location abbreviations: WEU (West Europe), NEU (North Europe), EUS (East US), WUS (West US).

Complete Reference Cheat Sheet

Common Mistakes and How to Avoid Them

1. No prefix on groups

Bad: All Windows Devices, Finance Staff, MFA Required Group

Good: GRP-DYN-WIN-AllWindowsDevices, GRP-SEC-FIN-Department-PRD, GRP-CA-PilotUsers-MFA

Without a prefix, groups from different systems, departments, and purposes all appear mixed together in a flat list.

2. Copying policies without renaming

Bad: BitLocker Policy - Copy, New compliance policy (3), Test - DO NOT DELETE

Good: CFG-WIN-PRD-BitLocker-Encryption (create from scratch with the right name)

Copied policies accumulate. After 12 months you have 40 "Copy" policies and nobody knows which ones are active.

3. Using dates in policy names

Bad: MFA Policy May 2024, Compliance Baseline Updated 2025

Good: CA001-AllUsers-AllApps-RequireMFA (version in the description field, not the name)

Dates in names make the display name stale the moment you update the policy. Use the description field or notes for change history.

4. Abbreviating inconsistently

Bad: Win-Bit-Lock, WIN-Bitlocker, windows bitlocker, WindowsBitlockerPol

Good: CFG-WIN-PRD-BitLocker-Encryption — same format every time

Pick one abbreviation per concept and document it. WIN not Windows not Win. BitLocker not Bitlock not BL.

5. No environment prefix on pilot policies

Bad: BitLocker Policy (and nobody knows if this is for 5 pilot devices or 5,000 production devices)

Good: CFG-WIN-PIL-BitLocker-Encryption assigned to GRP-MDM-WIN-PilotRing-BitLocker

Always distinguish pilot from production in the name. It prevents accidental broad deployment.

Implementation Steps

Connect-MgGraph -Scopes "Group.Read.All"
Get-MgGroup -All | Where-Object { $_.DisplayName -notmatch '^GRP-' } |
  Select-Object DisplayName, GroupTypes, MembershipRule |
  Sort-Object DisplayName |
  Export-Csv -Path "NonCompliantGroups.csv" -NoTypeInformation

PowerShell: Bulk Rename Intune Config Profiles

Here is a PowerShell script that lists all Intune configuration profiles and shows which ones do not follow the CFG- prefix convention:

Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"
 
$profiles = Get-MgDeviceManagementDeviceConfiguration -All
 
$nonCompliant = $profiles | Where-Object {
    $_.DisplayName -notmatch '^CFG-'
}
 
Write-Host "Non-compliant configuration profiles:" -ForegroundColor Yellow
$nonCompliant | Select-Object DisplayName, ODataType | Format-Table -AutoSize
 
Write-Host "`nTotal non-compliant: $($nonCompliant.Count) of $($profiles.Count)" -ForegroundColor Cyan

Summary

Naming standards are a one-time investment that pays dividends for the entire life of your tenant. The conventions in this guide are designed to:

• Be self-documenting — the name tells you everything about the object
• Sort correctly in lists — alphabetical order groups related objects together naturally
• Work in scripts — no special characters, consistent separators, predictable structure
• Scale to hundreds of objects — the prefix system handles any size tenant

Start with the objects you create most often (groups and policies), apply the standard consistently, and document it where every admin on your team can find it. The environment will thank you later — even if that future admin is yourself.