Logo of Trend Micro

Allow Only Administrators to Manage Security Groups

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: ActiveDirectory-018

Ensure that "Owners who can assign members as group owners in Azure portals" is set to "None" in your Azure Active Directory settings in order to make sure that non-privileged users are not able to manage security groups via the Access Panel and the Azure Admin portal.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Restricting security group management to Active Directory administrators only, prohibits users from making changes to security groups. This ensures that security groups are managed solely by designated, authorized users within your Azure Active Directory account.

Audit

To determine if non-admin users have the ability to manage security groups in Azure portals, perform the following actions:

Note: Getting "Owners who can assign members as group owners in Azure portals" setting configuration status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Active Directory user group general settings.

05 On the General settings page, under Security Groups, check Owners who can assign members as group owners in Azure portals setting configuration. If Owners who can assign members as group owners in Azure portals is set to All or Selected (i.e. the list of users selected to manage security groups), there are Active Directory users, including users without administrative privileges, that can manage security groups using the Access Panel and the Azure Admin portal.

06 Repeat steps no. 3 – 5 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

By setting "Owners who can assign members as group owners in Azure portals" to "None", only Azure Active Directory (AD) administrators can manage security groups, increasing the level of access security to your Azure cloud resources. To configure the necessary setting, perform the following actions:

Note: Restricting security group management to Active Directory administrators only using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settingssection, select General to access Active Directory user group general settings.

05 On the General settings page, under Security Groups, select None next to Owners who can assign members as group owners in Azure portals configuration setting to disable the non-privileged users' ability to manage security groups using Azure portals.

06 Click Save to apply the changes. If successful, the following message should be displayed: "Successfully updated group settings". Once the configuration changes are saved, only the Active Directory users with an administrator role can manage security groups using the Access Panel and the Azure Admin portal.

07 Repeat steps no. 3 – 6 for each Active Directory (AD) that you want to reconfigure in order to restrict security groups management to AD administrators only.

References

Publication date Aug 30, 2019

Related ActiveDirectory rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Allow Only Administrators to Manage Security Groups

Risk level: High