Description:
The 'Owners can manage group membership requests in My Groups' setting determines whether group owners can manage membership requests for groups they own within Microsoft Entra ID (Azure AD). By default, this setting is enabled, allowing group owners to approve or deny requests for membership in groups they manage.
To enhance security and centralize group membership management, it is recommended to set this option to 'No'. This ensures that group membership requests are handled by administrators or other designated personnel instead of group owners, providing better oversight and control over who joins critical groups.
Rationale:
By setting 'Owners can manage group membership requests' to 'No', you achieve:
Better control over group membership: Administrators or designated personnel can oversee who joins sensitive or important groups, reducing the risk of unauthorized access.
Improved security and governance: Centralized membership management ensures that only trusted users are added to important groups, such as those containing access to sensitive resources.
Compliance: This setting helps meet audit and compliance requirements by ensuring that group membership is not handled by individual owners but rather by a more controlled process.
Impact:
Setting this option to 'No' will prevent group owners from directly approving or denying membership requests for groups they manage. Instead, this task will be centralized, typically managed by Azure AD administrators. The impact is minimal for most organizations, as membership requests can still be managed by designated administrators.
Default Value:
By default, 'Owners can manage group membership requests' is set to 'Yes', meaning group owners have the ability to approve or deny membership requests.
Pre-requisites:
Azure subscription with Microsoft Entra ID (Azure AD) configured.
Global Administrator or Privileged Role Administrator permissions to configure this setting.
A list of the group owners whose ability to manage membership requests will be restricted, so that they can be notified of the change.
Audit:
Sign in to Microsoft Entra ID (Azure AD) as a Global Administrator or Privileged Role Administrator.
Navigate to Groups > General Settings and check the setting for 'Owners can manage group membership requests'.
Ensure that 'Owners can manage group membership requests' is set to 'No'.
Implementation Steps (Manual):
Sign in to Azure portal:
Use an account with Global Administrator or Privileged Role Administrator permissions.
Navigate to Microsoft Entra ID (Azure AD):
In the Azure portal, go to Azure Active Directory.
Go to Groups Settings:
Under Manage, select Groups.
Then, click on General settings under the Groups section.
Configure the Setting:
In the General Settings pane, locate the option 'Owners can manage group membership requests in My Groups'.
Set this option to 'No' to restrict group owners from directly managing membership requests.
Review and Apply:
After setting it to 'No', click Save to apply the changes.
Verify Settings:
After saving the settings, confirm that group owners can no longer manage membership requests by testing a group membership request with a group owner.
A group owner should not see the option to approve or deny membership requests in their group after this setting is applied.
Communicate the Change to Group Owners:
Notify the group owners in your organization that they will no longer be able to manage membership requests. Membership management will be handled by Azure AD administrators or designated personnel.
Automate the Configuration with PowerShell (Optional): The 'Owners can manage group membership requests in My Groups' toggle is documented by Microsoft only as a portal setting; no Microsoft Graph group-setting template key or PowerShell parameter for it is documented, so the manual steps above are the supported way to change it. The command originally listed for this step does not configure it:
Set-MsolCompanySettings -AllowGroupCreation $false
Set-MsolCompanySettings (from the deprecated MSOnline module) has no -AllowGroupCreation parameter, and the company settings it does expose for groups control whether users may create groups, not whether owners may manage membership requests. Do not rely on it for this control; verify the toggle in the portal as described under Audit.
Set Up Alerts (Optional):
Set up Azure AD audit logs to monitor and alert administrators if there are any changes to group membership that require manual intervention or approval by administrators.
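The alerting step above can be backed by a small detection over exported audit records. The following is an added example, not part of the original guideline or any Microsoft tool: it reads newline-delimited JSON records shaped like the Microsoft Graph directoryAudit resource (activityDisplayName, category, result, initiatedBy, targetResources) and flags successful membership changes to a sensitive group that were made by anyone other than the designated administrators. The sample records, the user and group names, and the DESIGNATED_ADMINS and SENSITIVE_GROUPS lists are all constructed for this example.

```python
import json
from typing import Dict, Iterable, List, Set

# Constructed sample of Microsoft Entra ID audit records (newline-delimited JSON).
# Field names follow the Microsoft Graph directoryAudit resource; every user, app
# and group name here is invented for this example.
SAMPLE_AUDIT_LOG = """
{"activityDisplayName": "Add member to group", "category": "GroupManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "owner.finance@contoso.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "new.hire@contoso.example"}, {"type": "Group", "displayName": "Finance-Approvers"}]}
{"activityDisplayName": "Add member to group", "category": "GroupManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "idadmin@contoso.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "new.hire@contoso.example"}, {"type": "Group", "displayName": "Finance-Approvers"}]}
{"activityDisplayName": "Remove member from group", "category": "GroupManagement", "result": "success", "initiatedBy": {"user": null, "app": {"displayName": "HR-Provisioning"}}, "targetResources": [{"type": "User", "userPrincipalName": "leaver@contoso.example"}, {"type": "Group", "displayName": "Finance-Approvers"}]}
{"activityDisplayName": "Add member to group", "category": "GroupManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "owner.social@contoso.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "someone@contoso.example"}, {"type": "Group", "displayName": "Lunch-Club"}]}
{"activityDisplayName": "Add member to group", "category": "GroupManagement", "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "owner.finance@contoso.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "x@contoso.example"}, {"type": "Group", "displayName": "Finance-Approvers"}]}
{"activityDisplayName": "Update user", "category": "UserManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "idadmin@contoso.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "x@contoso.example"}]}
"""

# Hypothetical policy inputs: the principals (user UPNs or app display names)
# allowed to change membership of sensitive groups, and the sensitive groups.
DESIGNATED_ADMINS: Set[str] = {"idadmin@contoso.example", "HR-Provisioning"}
SENSITIVE_GROUPS: Set[str] = {"Finance-Approvers"}

# Audit activities that represent a membership change.
MEMBERSHIP_ACTIVITIES = {"Add member to group", "Remove member from group"}


def parse_audit_log(text: str) -> List[Dict]:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor_of(record: Dict) -> str:
    """Return the UPN of the user, or the display name of the app, that made the change."""
    initiated_by = record.get("initiatedBy") or {}
    user = initiated_by.get("user") or {}
    if user.get("userPrincipalName"):
        return user["userPrincipalName"]
    app = initiated_by.get("app") or {}
    return app.get("displayName", "<unknown>")


def group_of(record: Dict) -> str:
    """Return the display name of the Group entry among the target resources."""
    for target in record.get("targetResources") or []:
        if target.get("type") == "Group":
            return target.get("displayName", "<unknown>")
    return "<unknown>"


def member_of(record: Dict) -> str:
    """Return the UPN of the User entry among the target resources."""
    for target in record.get("targetResources") or []:
        if target.get("type") == "User":
            return target.get("userPrincipalName", "<unknown>")
    return "<unknown>"


def find_unapproved_membership_changes(records: Iterable[Dict],
                                       designated_admins: Set[str],
                                       sensitive_groups: Set[str]) -> List[Dict]:
    """Flag successful membership changes to a sensitive group by a non-designated actor."""
    findings = []
    for rec in records:
        if rec.get("category") != "GroupManagement":
            continue
        if rec.get("activityDisplayName") not in MEMBERSHIP_ACTIVITIES:
            continue
        if rec.get("result") != "success":
            continue  # failed attempts are not a membership change
        group = group_of(rec)
        if group not in sensitive_groups:
            continue
        actor = actor_of(rec)
        if actor in designated_admins:
            continue
        findings.append({
            "activity": rec["activityDisplayName"],
            "actor": actor,
            "group": group,
            "member": member_of(rec),
        })
    return findings


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    for finding in find_unapproved_membership_changes(records, DESIGNATED_ADMINS, SENSITIVE_GROUPS):
        print(f"ALERT: {finding['activity']} on {finding['group']} by {finding['actor']} "
              f"(member: {finding['member']}) was not made by a designated administrator")
```

On the constructed sample, only the first record is reported: the owner of Finance-Approvers added a member directly. The administrator's change, the provisioning app's removal, the change to a non-sensitive group, the failed attempt and the unrelated user update are all filtered out. Feeding real exported audit records through the same function gives the alert the guideline asks for, with the allow-list of designated administrators as the only tuning needed.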
Backout Plan (Manual):
Sign in to Azure portal:
Use an account with Global Administrator or Privileged Role Administrator permissions.
Navigate to Microsoft Entra ID (Azure AD):
Go to Azure Active Directory in the Azure portal.
Re-enable Owner Management of Membership Requests:
In the General Settings pane under Groups, locate the option 'Owners can manage group membership requests in My Groups'.
Set the option back to 'Yes' to allow group owners to manage membership requests again.
Verify the Reversion:
Ensure that group owners now have the ability to approve or deny membership requests in their groups.
Test the Reverted Configuration:
Test by submitting a group membership request and verify that the group owner can approve or deny the request.