With our organisation, we're investigating if we can replace global groups with system roles, what are the pro's / con's?

Here's a few thoughts...

Domain Local Groups are not compatible with the Microsoft 365 platform.  Universal groups are.

If you are multi domain / multi forest environment, DLGs result in the creation of Foreign Security Principal in the domain where the groups live - kind of a nuisance from an AD "clutter" perspective.

I personally have had mixed results with using DLGs for delegation in Active Roles.

support.oneidentity.com/.../delegating-permissions-across-domains-using-domain-local-groups-might-not-work-as-expected-71489

I am not also not a fan of too much group nesting as it makes it much more difficult to:

a) Troubleshoot delegation issues (you are always needing to resolve "effective" group membership

b) From an auditing perspective, it can be challenging for IT security audits to figure out exactly who has rights to what.

Here's a few thoughts...

Domain Local Groups are not compatible with the Microsoft 365 platform.  Universal groups are.

If you are multi domain / multi forest environment, DLGs result in the creation of Foreign Security Principal in the domain where the groups live - kind of a nuisance from an AD "clutter" perspective.

I personally have had mixed results with using DLGs for delegation in Active Roles.

support.oneidentity.com/.../delegating-permissions-across-domains-using-domain-local-groups-might-not-work-as-expected-71489

I am not also not a fan of too much group nesting as it makes it much more difficult to:

a) Troubleshoot delegation issues (you are always needing to resolve "effective" group membership

b) From an auditing perspective, it can be challenging for IT security audits to figure out exactly who has rights to what.