Description:
The 'Restrict user ability to access groups features in My Groups' setting in Microsoft Entra ID (formerly Azure Active Directory) controls whether users can access and manage certain group-related features, such as creating groups or managing group memberships. When this setting is configured to 'Yes', users will be restricted from creating or modifying groups in Azure AD. This setting is especially useful to prevent non-administrative users from modifying sensitive groups or creating unnecessary groups that could lead to misconfigurations or security risks.
When 'Restrict user ability to access groups features in My Groups' is set to 'Yes', users can still view the groups they belong to, but they will not be able to create, modify, or delete groups. Only administrative users will have access to these group management features.
Rationale:
Enabling this restriction helps:
Enhance security: Prevents unauthorized users from creating or modifying groups, which could lead to unintentional data exposure or misconfigured group memberships.
Improve governance: Ensures that group management is handled by designated admins, who can enforce policies and best practices for group access control.
Reduce the risk of shadow IT: Prevents users from creating and managing groups outside of the organization's policies, helping to control access to sensitive data.
Simplify auditing: With restricted access to group management, auditing group access and changes becomes more straightforward and can be managed by trusted personnel.
Impact:
Setting 'Restrict user ability to access groups features in My Groups' to 'Yes' will:
Prevent non-admin users from creating or modifying groups, which reduces the risk of unauthorized access or accidental changes to group memberships.
Increase security by ensuring that only authorized administrators can manage groups, which keeps group management practices consistent and secure.
Limit flexibility for users who may need to manage groups for their projects. However, this can be managed through proper administrative workflows where users request group creation or modification.
Default Value:
By default, users are allowed to access group management features unless manually restricted. This setting must be configured to 'Yes' to restrict users from modifying group-related features.
Pre-requisites:
Azure subscription with Microsoft Entra ID (Azure AD) configured.
Global Administrator or Privileged Role Administrator permissions to configure group-related access settings.
Defined processes to manage group creation requests from non-admin users, ensuring that admins can create and manage groups when needed.
Audit:
Sign in to Azure portal as a Global Administrator or Privileged Role Administrator.
Navigate to Microsoft Entra ID > Enterprise Applications > User settings.
Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'.
Implementation Steps (Manual):
Sign in to Azure portal:
Use an account with Global Administrator or Privileged Role Administrator permissions.
Navigate to Microsoft Entra ID (Azure AD):
In the Azure portal, go to Azure Active Directory.
Go to Enterprise Applications:
Under Manage, select Enterprise Applications.
Modify User Access to Groups:
In the Enterprise Applications pane, select User settings.
Locate the setting for 'Restrict user ability to access groups features in My Groups'.
Set the option to 'Yes' to restrict users' ability to create, modify, or delete groups.
Save the Configuration:
After setting the option to 'Yes', click Save to apply the changes.
Verify the Setting:
After saving, verify that non-admin users can no longer create or modify groups in Azure AD.
Perform a test by attempting to create or modify a group as a non-admin user. The action should be blocked.
Test User Access:
Verify that admin roles (e.g., User Administrator, Global Administrator) can still access and manage group settings, including creating and modifying groups.
Monitor Group Access:
Use Azure AD logs to monitor group management activities and ensure that only admin roles can access group management features.
Set up Azure Monitor alerts to notify administrators if unauthorized attempts are made to access or modify groups.
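As an added example (not part of this benchmark text), the script below shows the kind of triage logic that the monitoring step above calls for. It takes audit-log records shaped like Microsoft Graph directoryAudit objects (category, activityDisplayName, result, initiatedBy, targetResources) and sorts group writes into four buckets: changes made by known administrators, changes made by applications, attempts by non-admin users that failed (the outcome the 'Verify the Setting' step expects once the restriction is on), and successful group writes by non-admin users, which indicate the restriction is not being enforced. The sample records, the contoso.example tenant and the admin allow-list are all constructed for the example; the activity names are the ones Entra ID writes for group-management operations.

```python
"""Triage Entra ID audit-log records for group-management activity.

Added example, not benchmark code. Records are constructed to mirror the
shape of Microsoft Graph directoryAudit objects; the tenant name and the
admin allow-list are hypothetical sample values.
"""
import json
from typing import Iterable

# activityDisplayName values Entra ID writes when a group or its
# membership/ownership is changed.
GROUP_WRITE_ACTIVITIES = {
    "Add group", "Update group", "Delete group",
    "Add member to group", "Remove member from group",
    "Add owner to group", "Remove owner from group",
}

# Constructed sample export (five records) in directoryAudit shape.
SAMPLE_AUDIT_JSON = """[
  {"activityDateTime": "2024-05-01T09:12:03Z", "category": "GroupManagement",
   "activityDisplayName": "Add group", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "groupadmin@contoso.example"}},
   "targetResources": [{"displayName": "Finance-Readers", "type": "Group"}]},
  {"activityDateTime": "2024-05-01T09:40:55Z", "category": "GroupManagement",
   "activityDisplayName": "Add member to group", "result": "failure",
   "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
   "targetResources": [{"displayName": "Finance-Readers", "type": "Group"}]},
  {"activityDateTime": "2024-05-01T10:02:17Z", "category": "GroupManagement",
   "activityDisplayName": "Update group", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
   "targetResources": [{"displayName": "Finance-Readers", "type": "Group"}]},
  {"activityDateTime": "2024-05-01T10:30:00Z", "category": "UserManagement",
   "activityDisplayName": "Update user", "result": "success",
   "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
   "targetResources": [{"displayName": "Carol", "type": "User"}]},
  {"activityDateTime": "2024-05-01T11:15:42Z", "category": "GroupManagement",
   "activityDisplayName": "Add member to group", "result": "success",
   "initiatedBy": {"app": {"displayName": "Microsoft Teams Services"}},
   "targetResources": [{"displayName": "Project-Orion", "type": "Group"}]}
]"""

# Hypothetical allow-list of accounts that are expected to manage groups.
ADMIN_UPNS = {"groupadmin@contoso.example"}


def load_records(text: str) -> list[dict]:
    """Parse a JSON array of directoryAudit-shaped records."""
    return json.loads(text)


def actor_of(record: dict) -> str:
    """Return the initiating user's UPN (lower-cased), or 'app:<name>' when a
    service principal rather than a user made the change."""
    initiated_by = record.get("initiatedBy", {})
    user = initiated_by.get("user") or {}
    if user.get("userPrincipalName"):
        return user["userPrincipalName"].lower()
    app = initiated_by.get("app") or {}
    return "app:" + app.get("displayName", "unknown")


def triage(records: Iterable[dict], admin_upns: set[str]) -> dict:
    """Sort group-write events into admin changes, app changes, blocked
    non-admin attempts and successful non-admin writes (violations)."""
    admins = {u.lower() for u in admin_upns}
    out = {"admin_changes": [], "app_changes": [],
           "blocked_attempts": [], "violations": []}
    for r in records:
        # Only group-management writes matter for this control.
        if r.get("category") != "GroupManagement":
            continue
        if r.get("activityDisplayName") not in GROUP_WRITE_ACTIVITIES:
            continue
        actor = actor_of(r)
        targets = [t.get("displayName", "?") for t in r.get("targetResources", [])]
        summary = (f"{r.get('activityDateTime')} {actor} "
                   f"{r.get('activityDisplayName')} -> {targets}")
        if actor.startswith("app:"):
            out["app_changes"].append(summary)
        elif actor in admins:
            out["admin_changes"].append(summary)
        elif r.get("result") == "success":
            # A non-admin user changed a group: the restriction is not effective.
            out["violations"].append(summary)
        else:
            # Failed/blocked attempt by a non-admin: the control is doing its job.
            out["blocked_attempts"].append(summary)
    return out


if __name__ == "__main__":
    report = triage(load_records(SAMPLE_AUDIT_JSON), ADMIN_UPNS)
    for bucket, items in report.items():
        print(f"{bucket}: {len(items)}")
        for line in items:
            print("  ", line)
```

In practice the JSON input would be an export of the tenant's audit log (for example the directoryAudits collection filtered to the GroupManagement category) and the allow-list would be built from the members of the directory roles that are permitted to manage groups. The 'violations' bucket is the one to wire to an alert, because a successful group write by an account outside that list means either the setting was not applied or the account holds a role it should not.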
Communicate to Users:
Inform users that they will no longer be able to access or manage groups in Azure AD. Ensure they understand that group management will be handled by designated admins.
Backout Plan (Manual):
Sign in to Azure portal:
Use an account with Global Administrator or Privileged Role Administrator permissions.
Navigate to Microsoft Entra ID (Azure AD):
Go to Azure Active Directory > Enterprise Applications > User settings.
Revert the Access Restriction Setting:
In User settings, change the 'Restrict user ability to access groups features in My Groups' setting back to 'No' to allow users access to group management features.
Save the Configuration:
Click Save to apply the changes.
Test the Reverted Configuration:
Perform a test by attempting to create or modify a group as a non-admin user. Once the setting is reverted, the action should succeed.
Monitor the Reversion:
Use Azure AD logs to ensure that the reverted settings are functioning as expected and that users can now access and manage groups.