Ensure that members are always added for AzureAD Groups

LOW

Description

Empty Azure AD groups should be removed as a matter of directory hygiene: unused groups add clutter that makes membership review and monitoring harder, and a large number of them can affect directory performance. An empty group that still carries role assignments, application access or resource permissions is also a standing, pre-authorised container: it grants nothing today, but whoever can add members to it inherits those permissions. Check what the group is assigned to before deciding whether to delete it or populate it with its intended members.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Azure Active Directory (Microsoft Entra ID).
  2. Select Groups from the navigation bar.
  3. Choose a group from the list and confirm that nothing is listed under Members (users, groups, devices or service principals).
  4. Before deleting, review the group's role and application assignments: if the group is still referenced, either add the intended members or remove those assignments first. Note that a dynamic group can be transiently empty while its membership rule is being evaluated.
  5. Return to the All groups list and check the box next to the group you wish to delete.
  6. Select Delete from the action bar.

In Terraform -

  1. Remove azuread_group resource entries that have no members, or populate them: either set the members argument on the azuread_group resource, or manage membership with separate azuread_group_member resources that reference the group. A group declared without a members argument is not necessarily empty if such resources exist elsewhere in the configuration, so check for them before removing the group.
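The Terraform remediation above, shown as an added example that is not taken from the page or from the provider documentation: the non-compliant declaration followed by the two compliant forms (inline members, or separate azuread_group_member resources). The display names, user principal names and resource labels are placeholders chosen for illustration.

```terraform
# Constructed example; names and user principal names are placeholders.

# Before (non-compliant): the group is created with no members. Unless an
# azuread_group_member resource elsewhere in the configuration targets it,
# this is exactly the empty group the rule flags.
resource "azuread_group" "empty_readers" {
  display_name     = "storage-readers"
  security_enabled = true
}

# After, form 1: look up the intended members and pass their object IDs
# through the members argument. Replace the block above with this one.
data "azuread_user" "readers" {
  for_each            = toset(["alice@example.com", "bob@example.com"])
  user_principal_name = each.key
}

resource "azuread_group" "readers" {
  display_name     = "storage-readers"
  security_enabled = true
  members          = [for u in data.azuread_user.readers : u.object_id]
}

# After, form 2: membership managed as separate resources, which is useful
# when the group and its membership are owned by different modules. Do not
# combine this with the members argument on the same group, since the two
# would fight over the membership set on every apply.
resource "azuread_group" "writers" {
  display_name     = "storage-writers"
  security_enabled = true
}

resource "azuread_group_member" "writers" {
  for_each         = data.azuread_user.readers
  group_object_id  = azuread_group.writers.object_id
  member_object_id = each.value.object_id
}
```

Form 2 is the case a static scanner can miss: the azuread_group block itself has no members argument, so confirm whether azuread_group_member resources reference the group before treating a finding on it as a true empty group.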

References:
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group

Policy Details

Rule Reference ID: AC_AZURE_0213
CSP: Azure
Remediation Available: Yes
Resource: azuread_group
Resource Type: AzureAD

Frameworks