
Users Who Can Manage Office 365 Groups

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ActiveDirectory-020

Ensure that the "Owners who can assign members as group owners in Azure portals" policy is set to "None" in your Microsoft Entra ID group settings, so that group owners who hold no administrative role cannot promote other members to owners of Office 365 groups through the Access Panel or the Azure Admin portal. By default this setting is "All": every group owner can assign other members as group owners in Microsoft Entra ID.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Depending on your business requirements, you can use Microsoft Entra ID group settings to apply more granular control over self-service group management. Restricting Office 365 group ownership changes to Microsoft Entra ID administrators prevents ordinary group owners from delegating ownership to other members, and so ensures that management of these groups is not handed to unauthorized users.


Audit

To determine if non-administrator users have the ability to manage Office 365 groups in Azure portals, perform the following actions:

Note: Retrieving "Owners who can assign members as group owners in Azure portals" setting configuration status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Microsoft Entra ID user group general settings.

05 On the General settings page, under Office 365 Groups, check the Owners who can assign members as group owners in Azure portals setting. If it is set to All, or to Selected (a chosen list of group owners), then Microsoft Entra ID users who hold no administrative role can still manage Office 365 groups, including promoting other members to owners, through the Access Panel and the Azure Admin portal.

06 Repeat steps no. 3 – 5 for each Microsoft Entra ID tenant (directory) that you want to examine.
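The portal is the only place this setting can be read (see the note above: Graph and CLI do not expose it), so an automated check cannot confirm its value directly. What can be enumerated is the population the setting governs: the owners of Office 365 (Microsoft 365, "Unified") groups who hold no activated directory role. The following Microsoft Graph PowerShell script is an added example and is not part of the Conformity page; it assumes the Microsoft.Graph SDK is installed and that the signed-in account can consent to the listed scopes.

```powershell
# Added example, not Conformity's own check: report Microsoft 365 group owners
# who are not members of any activated Microsoft Entra directory role.
# Assumes: Install-Module Microsoft.Graph -Scope CurrentUser has been run.
Connect-MgGraph -Scopes "Group.Read.All", "RoleManagement.Read.Directory", "User.Read.All"

# Collect the object IDs of everyone holding an activated directory role
# (Global Administrator, Groups Administrator, User Administrator, ...).
$privileged = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [void]$privileged.Add($member.Id)
    }
}

# Office 365 / Microsoft 365 groups carry the 'Unified' group type.
$m365Groups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'Unified')" -Property Id,DisplayName

# Every owner outside the privileged set is a non-administrator who can
# manage the group and, unless the portal setting is None, delegate ownership.
$findings = foreach ($group in $m365Groups) {
    foreach ($owner in Get-MgGroupOwner -GroupId $group.Id -All) {
        if (-not $privileged.Contains($owner.Id)) {
            [pscustomobject]@{
                Group   = $group.DisplayName
                GroupId = $group.Id
                Owner   = $owner.AdditionalProperties['userPrincipalName']
                OwnerId = $owner.Id
            }
        }
    }
}

$findings | Sort-Object Group | Format-Table -AutoSize
"$(@($findings).Count) non-administrator owner assignment(s) across $(@($m365Groups).Count) Microsoft 365 groups"
```

Role membership is read from activated directory roles only, so users who are merely eligible for a role through Privileged Identity Management, or who inherit a role through a role-assignable group, are reported as non-administrators; treat the output as a list to review alongside the portal check, not as a pass/fail verdict on the setting itself.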

Remediation / Resolution

By setting "Owners who can assign members as group owners in Azure portals" to "None", only Microsoft Entra ID administrators can change who owns an Office 365 group, tightening control over who can manage these groups and the resources shared with them. To configure the necessary setting, perform the following actions:

Note: Restricting Office 365 group management to Microsoft Entra ID administrators only using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Microsoft Entra ID user group general settings.

05 On the General settings page, under Office 365 Groups, select None next to Owners who can assign members as group owners in Azure portals configuration setting to disable the non-privileged users' ability to manage Office 365 groups using Azure portals.

06 Click Save to apply the changes. If successful, the following message should be displayed: "Successfully updated group settings". Once the configuration changes are saved, only the Microsoft Entra ID administrators can manage Microsoft Office 365 groups using the Access Panel and the Azure Admin portal.

07 Repeat steps no. 3 – 6 for each Microsoft Entra ID tenant (directory) that you want to reconfigure in order to restrict Office 365 group management to Microsoft Entra ID administrators only.

Publication date Aug 30, 2019