Best Practice for SSH Security

Hey All

What is best practice for setting security with SSH access, with servers joined to an AD domain using SSSD.

Trying to work out which way is best...

1. /etc/ssh/sshd_config

using the AllowGroups directive

2. /etc/sssd/sssd.config

using access_provider = simple
simple_allow_groups

or is it best to use a combination of both (sssd_ad and allowgroups in ssh)

Thanks in advance