Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable "All Users" Group

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that "Enable an 'All Users' group in the directory" policy is set to "Yes" in your Microsoft Entra ID settings in order to enable the "All Users" group for centralized access administration. This group represents the entire collection of the Microsoft Entra ID users, including guests and external users, that you can use to make the access permissions easier to manage within your directory.

Security

The "All Users" group can be used to assign the same permissions to all the users within an Microsoft Entra ID account. For example, all users in a directory can be given access to a SaaS application by assigning a specific set of permissions that allows application access to the "All Users" dedicated group. This ensures that there is a common policy created for all the existing and future users and there is no need to implement individual access permissions.


Audit

To determine if "All Users" group is enabled for centralized administration in your Microsoft Entra ID directory, perform the following actions:

Note: Getting "Enable an 'All Users' group in the directory" feature configuration status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Microsoft Entra ID user group general settings.

05 On the General settings page, under Directory-wide Groups, check Enable an "All Users" group in the directory feature configuration. If Enable an "All Users" group in the directory is set to No, the "All Users" dedicated group, necessary for centralized administration, in not enabled in your current Microsoft Entra ID account.

06 Repeat steps no. 3 – 5 for each Microsoft Microsoft Entra ID that you want to examine.

Remediation / Resolution

By setting "Enable an 'All Users' group in the directory" to "Yes", a single group can be used to assign the same permissions to all the available Microsoft Entra ID users, which can be really helpful for implementing centralized access management inside your Microsoft Entra ID account. To enable the feature, perform the following actions:

Note: Activating "Enable an 'All Users' group in the directory" feature using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Microsoft Entra ID user group general settings.

05 On the General settings page, under Directory-wide Groups, select Yes next to Enable an "All Users" group in the directory configuration setting to enable the dedicated "All Users" group that combines all users available in your directory, including guests and external users.

06 Click Save to apply the changes. If successful, the following message should be displayed: "Successfully updated group settings". Once the configuration changes are saved, the specialized "All Users" group can be used for centralized access administration in your current Microsoft Entra ID account.

07 Repeat steps no. 3 – 6 for each Microsoft Entra ID that you want to reconfigure in order to enable the dedicated "All Users" group.

References

Publication date Aug 30, 2019

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Enable "All Users" Group

Risk Level: Medium