Description:

In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A user's access consists of the type of user, their role assignments, and their ownership of individual objects. Restrict user ability to access groups features in the Access Panel by setting the value of this setting to Yes; Group and User Admins will then have read-only access.


Rationale:

Self-service group management enables users to create and manage security groups or Office 365 groups in Azure Active Directory (Azure AD). Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled.


Impact:

Enabling this setting could create a number of requests that would need to be managed by administrators.


Default Value:

By default, Restrict user ability to access groups features in the Access Pane is set to No.


Audit:

  1. Sign in to your Azure account.

  2. Go to Azure Active Directory.

  3. Go to Groups.

  4. Go to General in Settings.

  5. Check the value of the setting Restrict user ability to access groups features in the Access Panel (in this scenario, as default, it is set to No).


Remediation:

Pre-requisites:

  1. An Azure account.

  2. An Azure AD tenant corresponding to the subscription.

  3. A user with an appropriate role to modify the setting (Global Admin).


Implementation Steps:

  1. Sign in to your Azure account.

  2. Go to Azure Active Directory.

  3. Go to Groups.

  4. Go to General in Settings.

  5. Set the Restrict user ability to access groups features in the Access Panel setting to Yes to restrict access to the Azure AD administration portal to administrators only.


Backout Plan:

  1. Sign in to your Azure account.

  2. Go to Azure Active Directory.

  3. Go to Groups.

  4. Go to General in Settings.

  5. Set the Restrict user ability to access groups features in the Access Panel setting to No (to revert the change to the default).


Reference: