Control: 1.16 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
Description
Restrict group creation to administrators only.
Self-service group management enables users to create and manage security groups or Office 365 groups in Azure Active Directory (Azure AD). Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled.
Remediation
From Console
- Log in to Azure Active Directory
- Go to Groups
- Go to General in setting section
- Ensure that Restrict user ability to access groups features in the Access Pane is set to No
Note: By default, Restrict user ability to access groups features in the Access Pane is set to No.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v140_1_16
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v140_1_16 --share
SQL
This control uses a named query:
ad_manual_control