1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'

Information

Restricts group creation to administrators with permissions only.

Rationale:

Self-service group management enables users to create and manage security groups or Office 365 groups in Azure Active Directory (Azure AD). Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled.

Impact:

Setting to Yes could create administrative overhead by customers seeking certain group memberships that will have to be manually managed by administrators with appropriate permissions.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Azure Portal

From Azure Home select the Portal Menu

Select Azure Active Directory

Select Groups

Select General under Settings

Ensure that Restrict user ability to access groups features in the Access Panel is set to Yes

Default Value:

By default, Restrict user ability to access groups features in the Access Pane is set to No

See Also

https://workbench.cisecurity.org/benchmarks/10624

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4), CSCv7|14.6

Plugin: microsoft_azure

Control ID: 110077befd7cc25a6849575e7fb32a327e31813fc08f04684c370a74222de3ab