InformationEnsure that only organizationally managed and approved public groups exist.
In the Microsoft 365 Administration panel, when a group is created, the default privacy value is 'Public'. Make sure that public groups are willfully created. When a group has a 'public' privacy, users may access data related to this group (e.g. SharePoint), through three methods :
By using the Azure portal, and adding themselves into the public group. In this case, administrators are not notified. By requiring access to the group from the Group application of the Access Panel. This method forces users to send a message to the group owner, but they still have immediately access to the group. By accessing the SharePoint URL. The SharePoint URL is usually guessable, and can be found from the Group application of the Access Panel. If group privacy is not controlled, any user may access sensitive information, according to the group they try to access.
NOTE: Public in this case meaning public to the organization.
If the recommendation is applied, group owners could receive more access requests than usual, especially regarding groups originally meant to be public.
SolutionIn the Microsoft 365 Administration portal, go to:
Teams & groups
Active teams & groups
Select a Public group
Go to 'Settings'
Set Privacy to 'Private'
Public when create from the Administration portal; private otherwise.