Ensure that non-administrator users cannot create and manage security groups and Office 365 groups in your Azure Active Directory (AD) tenant. Once self-service group management is disabled for non-admin users, they can no longer change the configuration of their groups or manage membership by approving requests from other users to join the groups they own.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
Self-service group management lets users create and manage security groups or Office 365 groups (now called Microsoft 365 groups) in Azure Active Directory (AD). It also lets group owners assign ownership to other users. Because these groups can grant access to sensitive or private information, or to critical Azure AD configuration, the self-service group management feature should be disabled for all non-administrator users.
To determine if self-service group management is disabled within your Azure Active Directory group settings, perform the following actions:
Note: Getting the self-service group management feature configuration status using Microsoft Graph API or Azure CLI is not currently supported.
Remediation / Resolution
Setting "Owners can manage group membership requests in the Access Panel" to "No" and "Restrict user ability to access groups features in the Access Panel" to "Yes" (the current Microsoft Entra admin center labels these options with "My Groups" instead of "Access Panel") disables the self-service group management feature for non-admin users in your Azure Active Directory (AD) tenant. Group creation itself is governed by the separate "Users can create security groups in Azure portals, API or PowerShell" and "Users can create Microsoft 365 groups in Azure portals, API or PowerShell" options on the same Groups > General settings page; set both to "No" as well if non-admin users must not create groups. To disable the necessary settings, perform the following actions:
Note: Disabling self-service group management for non-admin users using Microsoft Graph API or Azure CLI is not currently supported.
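As an added example (not code from this Cloud Conformity page), the following Python evaluates the two Microsoft Graph objects that do expose the group creation side of this rule: the tenant authorization policy (allowedToCreateSecurityGroups) and the Group.Unified directory setting (EnableGroupCreation). The Access Panel / My Groups toggles covered by the audit and remediation notes above are not returned by these endpoints, so this is a partial check that complements the portal review rather than replacing it. The JSON responses embedded below are constructed samples shaped like the real Graph payloads; in practice you would feed the function the output of the two az rest commands named in the module docstring.

```python
"""Partial audit of self-service group creation from Microsoft Graph responses.

Added example; not Cloud Conformity code. The two JSON documents below are
constructed samples shaped like the responses of:

  az rest --method get --url https://graph.microsoft.com/v1.0/policies/authorizationPolicy
  az rest --method get --url https://graph.microsoft.com/v1.0/groupSettings

They cover group *creation* only; the Access Panel / My Groups toggles that
the rule also requires are not exposed through these endpoints.
"""
import json
from typing import Dict, List

# Constructed sample: security group creation still open to all users.
SAMPLE_AUTHORIZATION_POLICY = json.dumps({
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": False,
        "allowedToCreateSecurityGroups": True,
        "allowedToReadOtherUsers": True,
    },
})

# Constructed sample: a Group.Unified setting that already blocks Microsoft 365
# group creation for everyone except the members of one exception group.
SAMPLE_GROUP_SETTINGS = json.dumps({
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000001",
            "displayName": "Password Rule Settings",
            "values": [{"name": "BannedPasswordCheckOnPremisesMode", "value": "Audit"}],
        },
        {
            "id": "00000000-0000-0000-0000-000000000002",
            "displayName": "Group.Unified",
            "values": [
                {"name": "EnableGroupCreation", "value": "false"},
                {"name": "GroupCreationAllowedGroupId", "value": "00000000-0000-0000-0000-0000000000aa"},
            ],
        },
    ]
})


def security_group_creation_allowed(authorization_policy: Dict) -> bool:
    """True when default (non-admin) users may create security groups.

    Graph reports the tenant default in defaultUserRolePermissions; if the key
    is missing we assume the Azure AD default, which is to allow creation.
    """
    perms = authorization_policy.get("defaultUserRolePermissions", {})
    return bool(perms.get("allowedToCreateSecurityGroups", True))


def m365_group_creation_allowed(group_settings: Dict) -> bool:
    """True when default users may create Microsoft 365 (Office 365) groups.

    Creation is governed by the EnableGroupCreation value of the Group.Unified
    directory setting, which Graph returns as a string. A tenant that never
    created a Group.Unified object has no entry at all; the default then
    applies and creation is allowed.
    """
    for setting in group_settings.get("value", []):
        if setting.get("displayName") != "Group.Unified":
            continue
        values = {item["name"]: item["value"] for item in setting.get("values", [])}
        return str(values.get("EnableGroupCreation", "true")).lower() == "true"
    return True


def audit(authorization_policy_json: str, group_settings_json: str) -> List[str]:
    """Return one finding per group type that non-admin users can still create."""
    findings = []
    if security_group_creation_allowed(json.loads(authorization_policy_json)):
        findings.append(
            "Non-admin users can create security groups "
            "(defaultUserRolePermissions.allowedToCreateSecurityGroups is true)"
        )
    if m365_group_creation_allowed(json.loads(group_settings_json)):
        findings.append(
            "Non-admin users can create Microsoft 365 groups "
            "(Group.Unified EnableGroupCreation is true or the setting object does not exist)"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZATION_POLICY, SAMPLE_GROUP_SETTINGS) or ["No group creation findings"]:
        print(finding)
```

Against the constructed samples the audit reports only the security group finding, because the Group.Unified object already sets EnableGroupCreation to false. A missing Group.Unified object is treated as non-compliant on purpose: Azure AD applies the permissive default in that case, and a checker that silently passed on absence would miss exactly the tenants this rule is meant to catch.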
Rule: Disable Self-Service Group Management
Risk level: High