Description:

Ensure that non-administrator users do not have the ability to create and manage security groups and Office 365 groups within your Azure Active Directory. Once self-service group management is disabled for non-admin users, those users can no longer change their group configuration or manage memberships by approving requests from other users to join their existing groups.


Rationale:

Restricting security group management to administrators only prohibits users from making changes to security groups. This ensures that security groups are appropriately managed and their management is not delegated to non-administrators.


Impact:

If enabled, users can request a Security group or Microsoft 365 group membership, and then group owners can approve or deny membership.


Default Value:

By default, "Owners can manage group membership requests in the Access Panel" is set to No.


Test plan:

  1. Sign in to your Azure account.

  2. Go to Azure Active Directory.

  3. Go to Groups.

  4. Go to General under Settings.

  5. Check the value of the setting "Owners can manage group membership requests in the Access Panel" (in this scenario the default value is No).
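The portal steps above check the Access Panel setting by hand. The following script is an added example, not part of this benchmark, that audits the wider objective from the Description (whether non-administrators can create security groups and Microsoft 365 groups) through Microsoft Graph PowerShell. It assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed and that the signed-in account holds a role permitted to read the authorization policy and directory settings; the Access Panel setting itself is not exposed by these cmdlets and still has to be verified in the portal.

```powershell
# Added example (not part of this benchmark's test plan): audit whether non-admins
# may create security groups and Microsoft 365 groups in the tenant.
# Assumes the Microsoft.Graph / Microsoft.Graph.Beta modules and a reader role.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

# 1. Security groups are governed by the tenant authorization policy
#    ("Users can create security groups in Azure portals, API or PowerShell").
$authPolicy       = Get-MgPolicyAuthorizationPolicy
$secGroupsAllowed = [bool]$authPolicy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups

# 2. Microsoft 365 groups are governed by the Group.Unified directory setting.
#    If no Group.Unified setting object exists, the tenant default applies,
#    which lets every user create Microsoft 365 groups.
$unified        = Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
$m365Allowed    = $true
$allowedGroupId = $null
if ($unified) {
    $enable = ($unified.Values | Where-Object { $_.Name -eq 'EnableGroupCreation' }).Value
    if ($enable) { $m365Allowed = [bool]::Parse($enable) }
    $allowedGroupId = ($unified.Values | Where-Object { $_.Name -eq 'GroupCreationAllowedGroupId' }).Value
}

# Evaluate each check: FAIL when creation is open to all users,
# REVIEW when Microsoft 365 group creation is limited to one delegated group.
$secStatus = if ($secGroupsAllowed) { 'FAIL' } else { 'PASS' }
$m365Status = if (-not $m365Allowed) { 'PASS' }
              elseif ($allowedGroupId) { 'REVIEW' }
              else { 'FAIL' }

[pscustomobject]@{
    Check  = 'Non-admins can create security groups'
    Value  = $secGroupsAllowed
    Status = $secStatus
}
[pscustomobject]@{
    Check  = 'Non-admins can create Microsoft 365 groups'
    Value  = $m365Allowed
    Status = $m365Status
    Note   = if ($allowedGroupId) { "Creation delegated to group $allowedGroupId" } else { '' }
}
```

Run it from an account with the assumed read permissions; a REVIEW result means creation is delegated to a specific group, whose membership should be checked against the intended administrator set.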


Remediation:

Prerequisites:

  1. An Azure account.

  2. An Azure AD Premium account.

  3. A user with an appropriate role to modify the setting (Global Administrator).


Implementation:

  1. Sign in to your Azure account.

  2. Go to Azure Active Directory.

  3. Go to Groups.

  4. Go to General under Settings.

  5. Set the setting "Owners can manage group membership requests in the Access Panel" to Yes.


Backout Plan:

  1. Sign in to your Azure account.

  2. Go to Azure Active Directory.

  3. Go to Groups.

  4. Go to General under Settings.

  5. Set the setting "Owners can manage group membership requests in the Access Panel" to No (to revert the change to the default).


Reference: