Ensure that the "Owners who can assign members as group owners in Azure portals" policy is set to "None" in your Microsoft Entra ID settings so that non-privileged users cannot manage Office 365 groups via the Access Panel or the Azure Admin portal. By default, all group owners can assign other members as group owners in Microsoft Entra ID.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Depending on your business requirements, you can use Microsoft Entra ID settings to achieve more granular access control over self-service group management for your users. Restricting Office 365 group management to Microsoft Entra ID administrators only prevents users from making any changes to this type of group. This ensures that Office 365 group management is not delegated to unauthorized users.
Audit
To determine if non-administrator users have the ability to manage Office 365 groups in Azure portals, perform the following actions:
Note: Retrieving the "Owners who can assign members as group owners in Azure portals" setting configuration status using Microsoft Graph API or Azure CLI is not currently supported.
Remediation / Resolution
By setting "Owners who can assign members as group owners in Azure portals" to "None", only Microsoft Entra ID administrators can manage Office 365 groups, improving the access security to your Azure cloud resources. To configure the necessary setting, perform the following actions:
Note: Restricting Office 365 group management to Microsoft Entra ID administrators only using Microsoft Graph API or Azure CLI is not currently supported.
References
- Azure Official Documentation
- Manage who can create Microsoft 365 Groups
- CIS Microsoft Azure Foundations