Restrict User Access to AAD Group Features in Azure Access Panel

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: ActiveDirectory-023

Ensure that the "Restrict user ability to access groups features in the Access Panel" setting is set to "Yes" within your Azure Active Directory (AAD) configuration in order to make sure that non-privileged users are not able to create and manage security groups using the Azure Access Panel.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Security groups control which users, service principals and devices can access Microsoft Azure resources. When the "Restrict user ability to access groups features in the Access Panel" setting is set to No, every user in your Azure Active Directory (AAD) tenant can use the Access Panel to create new security groups and add members to them. Because membership of a security group can grant access to sensitive data or to critical configuration, security group creation and membership management should be reserved for AAD administrators (unless your business explicitly requires delegation). Note that this setting only governs the self-service group features exposed in the Access Panel; whether users can create security groups through the Azure portal, the Microsoft Graph API or PowerShell is controlled by the separate "Users can create security groups in Azure portals, API or PowerShell" setting on the same Groups > General page, so both settings should be reviewed together.


Audit

To determine if non-privileged users have the ability to access group features within Azure Access Panel, perform the following operations:

Note: Getting "Restrict user ability to access groups features in the Access Panel" configuration status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the blade navigation panel, under Manage, select Groups.

04 In the left navigation panel, under Settings, choose General to access the general settings available for the Azure Active Directory (AAD) user groups.

05 Under Self Service Group Management, check the status of the setting labeled "Restrict user ability to access groups features in the Access Panel. Group and User Admin will have read-only access when the value of this setting is 'Yes'". If the setting is set to No, any Azure Active Directory user can access the AAD group features available in the Access Panel, therefore the existing access configuration is not compliant.

06 Repeat steps no. 3 – 5 for each Microsoft Azure Active Directory tenant that you want to examine.

Remediation / Resolution

By setting "Restrict user ability to access groups features in the Access Panel" to "Yes", non-privileged users can no longer use the Azure Active Directory (AAD) group features in the Access Panel: Global Administrators keep full access, while Group Administrators and User Administrators are limited to read-only access. To enable the setting, perform the following actions:

Note: Restricting user access to AAD group features in the Access Panel using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the blade navigation panel, under Manage, select Groups.

04 In the left navigation panel, under Settings, choose General to access the general settings available for the Azure Active Directory (AAD) user groups.

05 Under Self Service Group Management, select Yes next to the setting labeled "Restrict user ability to access groups features in the Access Panel. Group and User Admin will have read-only access when the value of this setting is 'Yes'" to remove non-privileged users' ability to access Azure Active Directory (AAD) group features in the Access Panel. Choose Save to apply the changes. If the request is successful, the following message should be displayed: "Successfully updated group settings". Global Administrators retain access to the group features in the Access Panel regardless of the status of this setting.

06 Repeat steps no. 3 – 5 for each Microsoft Azure Active Directory tenant that you want to reconfigure in order to secure the access to your AAD resources.
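The Access Panel setting covered by this rule can only be audited and changed in the portal, as the notes above state. The complementary tenant setting "Users can create security groups in Azure portals, API or PowerShell" (shown on the same Groups > General page) is exposed through the Microsoft Graph authorizationPolicy resource, so it can be checked and remediated from a script. The following PowerShell script is an added example written for this page, not code from Trend Micro Cloud One – Conformity or from Microsoft; it uses the Microsoft Graph PowerShell SDK cmdlets Connect-MgGraph, Get-MgPolicyAuthorizationPolicy and Update-MgPolicyAuthorizationPolicy, and the file name Check-SecurityGroupCreation.ps1 and the -Remediate switch are assumptions of the example.

```powershell
# Added example (not part of the Conformity page). Audits, and optionally
# remediates, the tenant-wide "Users can create security groups in Azure
# portals, API or PowerShell" setting via the Graph authorizationPolicy
# resource. The Access Panel setting this rule covers is portal-only and is
# NOT changed by this script. Requires the Microsoft.Graph PowerShell SDK.
#
#   Audit only:  .\Check-SecurityGroupCreation.ps1
#   Remediate:   .\Check-SecurityGroupCreation.ps1 -Remediate
param(
    [switch]$Remediate
)

# Policy.Read.All is enough to audit; changing the policy needs
# Policy.ReadWrite.Authorization, so request only the scope actually needed.
$scopes = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# authorizationPolicy is a tenant singleton; defaultUserRolePermissions holds
# the "what can a plain member do" switches.
$policy = Get-MgPolicyAuthorizationPolicy
$perms  = $policy.DefaultUserRolePermissions

[pscustomobject]@{
    AllowedToCreateSecurityGroups = $perms.AllowedToCreateSecurityGroups
    AllowedToCreateApps           = $perms.AllowedToCreateApps
    AllowedToReadOtherUsers       = $perms.AllowedToReadOtherUsers
} | Format-List

if ($perms.AllowedToCreateSecurityGroups -eq $false) {
    Write-Host 'COMPLIANT: non-admin users cannot create security groups via portal, API or PowerShell.'
    return
}

Write-Warning 'NOT COMPLIANT: any member user can create security groups via portal, API or PowerShell.'

if ($Remediate) {
    # Only the property being changed is sent; the other permissions are left untouched.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        AllowedToCreateSecurityGroups = $false
    }

    # Re-read the policy rather than trusting the request: confirm the change actually landed.
    $after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateSecurityGroups
    if ($after -eq $false) {
        Write-Host 'Remediated: security group creation is now restricted to administrators.'
    } else {
        Write-Error 'Update did not take effect; verify the signed-in account holds Policy.ReadWrite.Authorization.'
    }
}
```

Run the audit form first in each tenant; the remediation form changes a tenant-wide default and should only be applied once you have confirmed that no business process relies on ordinary users creating security groups. Even after this script reports compliance, the Access Panel setting from steps 1 through 6 above still has to be verified in the portal.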

Publication date Sep 19, 2021
