Ensure that "Owners who can assign members as group owners in Azure portals" is set to "None" in your Azure Active Directory settings in order to make sure that non-privileged users are not able to manage security groups via the Access Panel and the Azure Admin portal.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Restricting security group management to Active Directory administrators only prohibits users from making changes to security groups. This ensures that security groups are managed solely by designated, authorized users within your Azure Active Directory account.
Audit
To determine if non-admin users have the ability to manage security groups in Azure portals, perform the following actions:
Note: Getting "Owners who can assign members as group owners in Azure portals" setting configuration status using Microsoft Graph API or Azure CLI is not currently supported.
Remediation / Resolution
By setting "Owners who can assign members as group owners in Azure portals" to "None", only Azure Active Directory (AD) administrators can manage security groups, increasing the level of access security to your Azure cloud resources. To configure the necessary setting, perform the following actions:
Note: Restricting security group management to Active Directory administrators only using Microsoft Graph API or Azure CLI is not currently supported.
References
- Azure Official Documentation
- Set up self-service group management in Azure Active Directory
- CIS Microsoft Azure Foundations

You are auditing:
Allow Only Administrators to Manage Security Groups
Risk level: High