1.1.12 Ensure that only organizationally managed/approved public groups exist

Information

Ensure that only organizationally managed and approved public groups exist.

Rationale:

In the Microsoft 365 Administration panel, when a group is created, the default privacy value is 'Public'. Make sure that public groups are willfully created. When a group has a 'public' privacy, users may access data related to this group (e.g. SharePoint), through three methods :

By using the Azure portal, and adding themselves into the public group. In this case, administrators are not notified. By requiring access to the group from the Group application of the Access Panel. This method forces users to send a message to the group owner, but they still have immediately access to the group. By accessing the SharePoint URL. The SharePoint URL is usually guessable, and can be found from the Group application of the Access Panel. If group privacy is not controlled, any user may access sensitive information, according to the group they try to access.

NOTE: Public in this case meaning public to the organization.

Impact:

If the recommendation is applied, group owners could receive more access requests than usual, especially regarding groups originally meant to be public.

Solution

In the Microsoft 365 Administration portal, go to:

Teams & groups

Active teams & groups

Select a Public group

Go to 'Settings'

Set Privacy to 'Private'

Default Value:

Public when create from the Administration portal; private otherwise.

See Also

https://workbench.cisecurity.org/files/3729

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|AU-11, 800-53|MP-2, 800-53|SI-12, CSCv7|13.1

Plugin: microsoft_azure

Control ID: d92b7a7142341691658a8db771704fe32300fe71702767f56e98b3cffdf3ae9f