Description:

This setting controls whether regular users can create security groups in Microsoft Entra ID. When it is set to No, only administrators can create security groups. This prevents users from creating groups on their own without approval and helps maintain better control over group management in the organization.


Rationale:

Stopping users from creating security groups prevents unwanted or unapproved groups. This keeps group management controlled by administrators and reduces security risks.


Impact:

This setting improves security by making sure only administrators can create security groups. It prevents regular users from creating groups that may cause confusion or unauthorized access.


Default Value:

By default, Microsoft Entra ID allows users to create security groups. The setting must be changed to No if you want to restrict this.


Pre-requisites:

  • You must sign in with a Global Administrator or Privileged Role Administrator account.


Test Plan:

  1. Go to the Azure portal at https://portal.azure.com.

  2. In the portal, search for Microsoft Entra ID.

  3. In the left menu, under Manage, select Groups.

  4. Under Settings, open General, then go to the Security Groups section.

  5. Find the setting “Users can create security groups in Azure portals, API or PowerShell.”

  6. Verify that this setting is set to No.

  7. If it is Yes, follow the implementation steps.


Implementation steps:

  1. Go to the Azure portal at https://portal.azure.com.

  2. In the portal, search for Microsoft Entra ID.

  3. In the left menu, under Manage, select Groups.

  4. Click General under the Settings section.

  5. Go to the Security Groups section.

  6. Find the setting “Users can create security groups in Azure portals, API or PowerShell” and change the toggle to No.

  7. Click Save at the top of the page to apply the changes.
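
The Test Plan check and the Implementation change can also be done from PowerShell. The script below is an added example, not part of the original procedure: it assumes the Microsoft Graph PowerShell SDK is installed and that the portal toggle corresponds to the AllowedToCreateSecurityGroups property of the tenant authorization policy. The -Remediate switch is a name chosen for this example.

```powershell
# Added example, not the page's own procedure. Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Identity.SignIns) is installed.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Without this switch the script only audits and changes nothing.
    [switch]$Remediate
)

# Request the write scope only when a change is actually intended.
$scope = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scope | Out-Null

function Get-UsersCanCreateSecurityGroups {
    # The portal toggle is stored in the tenant authorization policy.
    $value = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateSecurityGroups
    if ($null -eq $value) {
        throw 'AllowedToCreateSecurityGroups was not returned; check the granted scopes.'
    }
    [bool]$value
}

if (-not (Get-UsersCanCreateSecurityGroups)) {
    Write-Output 'PASS: users cannot create security groups (portal value: No).'
    return
}

Write-Warning 'FAIL: users can create security groups (portal value: Yes).'
if (-not $Remediate) { return }

if ($PSCmdlet.ShouldProcess('Tenant authorization policy', 'Set AllowedToCreateSecurityGroups to $false')) {
    # Backout is the same call with $true.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        AllowedToCreateSecurityGroups = $false
    }
    # Read the policy back so the change is confirmed, not assumed.
    if (Get-UsersCanCreateSecurityGroups) {
        throw 'Setting is still enabled after the update.'
    }
    Write-Output 'REMEDIATED: AllowedToCreateSecurityGroups is now False.'
}
```

Run it without arguments to audit; add -Remediate -WhatIf to preview the change before applying it.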


Backout Plan:

  1. Go to the Azure portal at https://portal.azure.com.

  2. In the portal, search for Microsoft Entra ID.

  3. In the left menu, under Manage, select Groups.

  4. Click General under the Settings section.

  5. Go to the Security Groups section.

  6. Find the setting “Users can create security groups in Azure portals, API or PowerShell.”

  7. Change the toggle to Yes.

  8. Click Save at the top of the page to apply the changes.

Reference: