Description:
This setting in Microsoft Entra ID (Azure AD) controls whether non-admin users can access and manage group-related features through the Access Pane (My Apps portal). Setting it to Yes restricts ordinary users from creating or modifying groups, which helps enforce centralized control over identity and access management.
Rationale:
Allowing users to manage group features without restriction can result in uncontrolled group creation, privilege escalation through group membership changes, and governance issues. Restricting access ensures that only authorized administrators can manage group configurations, improving security and consistency.
Impact:
Enabling this setting prevents unauthorized users from managing or creating groups through the Access Pane. It helps reduce the risk of privilege escalation via group-based access. This change improves identity governance and access control. It also strengthens compliance by ensuring group management follows administrative approval. Overall, it promotes a controlled and secure access management model.
Default Value:
The default value for Restrict user ability to access group features in the Access Pane is: No
Pre-requisites:
Administrative Role
Permissions to Manage Group Settings
You must have rights to modify Groups, Settings and General.
Change Management Approval
Organizational approval should be in place before making security configuration changes.
Test Plan:
Sign in to the Azure portal and navigate to Microsoft Entra ID (Azure Active Directory).
Under Manage, select Groups, then open Settings and go to the General tab.
Locate the setting “Restrict user ability to access group features in the Access Pane.”
Verify the value is set to Yes. If set to Yes, mark the control as Compliant; otherwise, mark it as Non-compliant.
If it is set to No, follow the implementation steps.
Implementation Steps:
Sign in to the Azure portal and navigate to Microsoft Entra ID.
Under Manage, select Groups.
Click Settings and open the General tab.
Locate “Restrict user ability to access group features in the Access Pane.”
Set the option to Yes and click Save to apply the change.
Backout Plan:
Navigate to Microsoft Entra ID in the Azure portal.
Under Manage, select Groups.
Click Settings and open the General tab.
Locate “Restrict user ability to access group features in the Access Pane”.
Change the setting to No.
Click Save to apply the changes.