Description:
In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A user’s access consists of the type of user, their role assignments, and their ownership of individual objects. Restrict security group creation to administrators only.
Rationale:
When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.
Impact:
Restricting security group creation to administrators could generate a number of group creation requests that an administrator would then need to handle.
Default Value:
By default, Users can create security groups is set to Yes.
Remediation:
Pre-requisites:
An Azure account.
An Azure AD tenant corresponding to the subscription.
A user with an appropriate role to modify the setting (Global Administrator).
Test Plan:
Sign in to your Azure account.
Go to Azure Active Directory
Go to Groups
Go to General in settings
Check the value of the Users can create security groups setting (in this scenario it is set to Yes, the default).
Implementation Steps:
Sign in to your Azure account.
Go to Azure Active Directory
Go to Groups
Go to General in settings
Set Users can create security groups to No in the Azure Portal.
Backout Plan:
Sign in to your Azure account.
Go to Azure Active Directory
Go to Groups
Go to General in settings
Set the Users can create security groups to No (to revert the changes to the default).
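The Test Plan, Implementation Steps and Backout Plan above can also be carried out from Microsoft Graph PowerShell, which is useful for auditing many tenants. This is an added example, not part of the benchmark text: it assumes the Microsoft.Graph module is installed and that the signed-in account holds a role able to update the tenant authorization policy, and it relies on the portal toggle being backed by the defaultUserRolePermissions.allowedToCreateSecurityGroups attribute of that policy.

```powershell
# Added example (not the benchmark's own content): audit and remediate the
# "Users can create security groups" setting via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module and an account with a role that can update
# the authorization policy (e.g. Global Administrator), consenting to the
# Policy.ReadWrite.Authorization scope.

function Test-SecurityGroupCreationRestricted {
    # Test Plan equivalent: returns $true when only administrators can create
    # security groups (portal value No) and $false when all users can (Yes).
    $policy  = Get-MgPolicyAuthorizationPolicy
    $allowed = $policy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups
    $portal  = if ($allowed) { 'Yes' } else { 'No' }
    Write-Host "Users can create security groups: $portal"
    return (-not $allowed)
}

function Set-SecurityGroupCreationRestricted {
    # Implementation ($Restricted = $true, portal value No) and Backout
    # ($Restricted = $false, portal value Yes) in a single function.
    param([Parameter(Mandatory)][bool]$Restricted)
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        AllowedToCreateSecurityGroups = (-not $Restricted)
    }
}

# Usage: sign in with a scope that permits reading and updating the policy,
# audit the current state, remediate if needed, then re-check the result.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
if (-not (Test-SecurityGroupCreationRestricted)) {
    Set-SecurityGroupCreationRestricted -Restricted $true
    if (-not (Test-SecurityGroupCreationRestricted)) {
        throw 'Setting did not change; verify the role assignment of the signed-in account.'
    }
}
# Backout Plan equivalent (restores the default of Yes):
# Set-SecurityGroupCreationRestricted -Restricted $false
```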
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy