Hi!

That's quite simple but you have to have everything tuned inside ISE, the guide for this is https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0101.html#ID269 and you can see that you can assign access based on a specific role, but for a summary you should:

1. Inside Administration > System > Admin Access > Authentication you should change the password based method:

2. Then, inside Administration > System > Admin Access > Administrators > Admin Groups then add a new group:

3. And last, you create a Policy inside Administration > System > Admin Access > Permissions > Policy for each group:

4. Optional, if you want to use a different Permission options that you might need, please consider going to Administration > System > Admin Access > Permissions > Menu Access / Data Access to control your permissions list.

In the field you should find that the Cisco ISE 2.4 enables the option to choose wheather to connect via internal users or Active Directory option in the login page:

Hope it helps,

**please, consider rating helpful or as a solution, thank you**

Angel gave a good start, but no need to create new admin groups.

First of all, add the three groups from AD.

For "full" ISE admin web access, after selecting AD as the ID source, go to "Super Admin" group, check the option "External" and put "Group1" as the External Group.

For RO ISE admin web access, go to "Read Only Admin", check the option "External" and put "Group2" as the External Group.

For Sponsor access, go to the Sponsor Groups, select the desired access, and pick members from the list of available groups.