Skip to main content

lacework-global-593

Set 'Owners can manage group membership requests in the Access Panel' to 'No' (Manual)

Profile Applicability

• Level 2

Description

Restrict security group management to administrators only.

Rationale

Restricting security group management to administrators only prohibits users from making changes to security groups. This ensures that security groups are appropriately managed and their management is not delegated to non-administrators.

Impact

Group Membership for user accounts will need to be handled by Admins and cause administrative overhead.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Azure Active Directory
  3. Then Groups
  4. Select General in settings
  5. Ensure that Owners can manage group membership requests in the Access Panel is set to No

Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security assessment for this recommendation.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Azure Active Directory.
  3. Select Groups.
  4. Select General under Settings.
  5. Set Owners can manage group membership requests in the Access Panel to No.

Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.

References

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-8-choose-approval-process-for-microsoft-support
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy