Control: 5.1.3.2 Ensure users cannot create security groups
Description
When enabled, this setting allows any user in the organization to create new security groups and add members to them from the Azure portal, the Microsoft Graph API, or PowerShell. The new groups also appear in the Access Panel for all other users, and if the group's own policy allows it, other users can request to join them.
The recommended state is Users can create security groups in Azure portals, API or PowerShell set to No. Note that this restricts only the default user role: members of privileged directory roles (for example Groups Administrator, User Administrator, or Global Administrator) can still create security groups, and creation of Microsoft 365 groups is governed by a separate group setting, not by this control.
Remediation
To remediate using the UI:
- Navigate to the Microsoft Entra admin center at https://entra.microsoft.com/.
- Click to expand Entra ID > Groups and select General.
- Set Users can create security groups in Azure portals, API or PowerShell to No.
To remediate using PowerShell:
- Connect to Microsoft Graph using Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization".
- Run the following commands:
$params = @{defaultUserRolePermissions = @{AllowedToCreateSecurityGroups = $false}}
Update-MgPolicyAuthorizationPolicy -BodyParameter $params
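The remediation steps above change the setting unconditionally and do not confirm the result. The following script is an added example, not part of the Powerpipe mod or the CIS benchmark: it reads the tenant-wide authorization policy with Get-MgPolicyAuthorizationPolicy, disables default-user security-group creation only when it is currently allowed, and then re-reads the policy to verify the change took effect. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds a role permitted to edit the authorization policy.

```powershell
# Added example (not the mod's own code): audit, remediate if needed, verify.
# Assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns)
# is installed and the caller can write the authorization policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Each tenant has exactly one authorization policy; the cmdlet returns it directly.
$policy  = Get-MgPolicyAuthorizationPolicy
$current = $policy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups
Write-Host "AllowedToCreateSecurityGroups before: $current"

if ($current) {
    # Only the one permission is sent; other defaultUserRolePermissions values are untouched.
    $params = @{
        defaultUserRolePermissions = @{
            AllowedToCreateSecurityGroups = $false
        }
    }
    Update-MgPolicyAuthorizationPolicy -BodyParameter $params
}
else {
    Write-Host "Already compliant; no change made."
}

# Re-read from the service rather than trusting the local object.
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateSecurityGroups
if ($after) {
    Write-Error "Users can still create security groups; check that the account holds a role that can edit the authorization policy and retry."
    exit 1
}
Write-Host "OK: default users cannot create security groups (AllowedToCreateSecurityGroups = $after)."
```

Re-reading the policy after the update matters because Update-MgPolicyAuthorizationPolicy returns nothing on success; the only reliable evidence of remediation is the value the service reports afterwards, which is also what the control's SQL query inspects.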
Default Value
AllowedToCreateSecurityGroups : True.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v600_5_1_3_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v600_5_1_3_2 --share
SQL
This control uses a named query:
select
  tenant_id || '/' || id as resource,
  case
    when not (default_user_role_permissions -> 'allowedToCreateSecurityGroups')::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when not (default_user_role_permissions -> 'allowedToCreateSecurityGroups')::bool then tenant_id || ' users cannot create security groups.'
    else tenant_id || ' users can create security groups.'
  end as reason,
  tenant_id as tenant_id
from
  azuread_authorization_policy;