turbot/microsoft365_compliance

Control: 1.1.16 Ensure that only organizationally managed/approved public groups exist

Description

Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. While there are several different types of group types this recommendation is concerned with Microsoft 365 Groups.

In the Administration panel, when a group is created, the default privacy value is "Public".

Ensure that only organizationally managed and approved public groups exist. When a group has a "public" privacy, users may access data related to this group (e.g. SharePoint), through three methods:

  • By using the Azure portal, and adding themselves into the public group
  • By requesting access to the group from the Group application of the Access Panel
  • By accessing the SharePoint URL Administrators are notified when a user uses the Azure Portal. Requesting access to the group forces users to send a message to the group owner, but they still have immediately access to the group. The SharePoint URL is usually guessable, and can be found from the Group application of the Access Panel. If group privacy is not controlled, any user may access sensitive information, according to the group they try to access.

NOTE: Public in this case meaning public to the identities within organization.

Remediation

To enable only organizationally managed/approved public groups exist:

  1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
  2. Click to expand Teams & groups select Active teams & groups..
  3. On the Active teams and groups page, select the group's name that is public.
  4. On the popup groups name page, Select Settings.
  5. Under Privacy, select Private.

Default Value: Public when create from the Administration portal; private otherwise.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v200_1_1_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v200_1_1_16 --share

SQL

This control uses a named query:

azuread_group_not_public

Tags