Skip to main content

lacework-global-594

Set 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' to 'No' (Manual)

Profile Applicability

• Level 2

Description

Restrict Microsoft 365 group creation to administrators only.

Rationale

Restricting Microsoft 365 group creation to administrators only ensures that creation of Microsoft 365 groups is controlled by the administrator. Appropriate groups should be created and managed by the administrator and group creation rights should not be delegated to any other user.

Impact

Enabling this setting could create a number of requests that would need to be managed by an administrator.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Azure Active Directory
  3. Then Groups
  4. Select General in setting
  5. Ensure that Users can create Microsoft 365 groups in Azure portals, API or PowerShell is set to No

Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security assessment for this recommendation.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Azure Active Directory.
  3. Select Groups.
  4. Select General under Settings.
  5. Set Users can create Microsoft 365 groups in Azure portals, API or PowerShell to No.

Please note that at this point in time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.

References

https://whitepages.unlimitedviz.com/2017/01/disable-office-365-groups-2/
https://support.office.com/en-us/article/Control-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-9776-005fced8e618
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems