1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

Information

Restrict security group creation to administrators only.

Rationale:

When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.

Impact:

Enabling this setting could create a number of requests that would need to be managed by an administrator.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Azure Portal

From Azure Home select the Portal Menu

Select Azure Active Directory

Select Groups

Select General under Settings

Set Users can create security groups in Azure portals, API or PowerShell to No

Default Value:

By default, Users can create security groups in Azure portals, API or PowerShell is set to Yes

See Also

https://workbench.cisecurity.org/benchmarks/10624

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4), CSCv7|14.6

Plugin: microsoft_azure

Control ID: 2621dfcaef014976bcae4b1048ce0d7a4485bce0f5a2f5b3d227dbe213d6eb80