turbot/steampipe-mod-microsoft365-compliance

Control: 1.2.1 Ensure that only organizationally managed/approved public groups exist

Description

Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. While there are several different group types, this recommendation concerns Microsoft 365 Groups.

In the Administration panel, when a group is created, the default privacy value is "Public".

Remediation

To remediate using the UI:

  1. Navigate to the Microsoft 365 admin center https://admin.microsoft.com.
  2. Click to expand Teams & groups, then select Active teams & groups.
  3. On the Active teams and groups page, select the name of the group that is public.
  4. On the popup page for the group, select Settings.
  5. Under Privacy, select Private.

Default Value

Public when created from the Administration portal; private otherwise.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v500_1_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_1_2_1 --share

SQL

This control uses a named query:

select
  id as resource,
  case
    when visibility = 'Public' then 'alarm'
    else 'ok'
  end status,
  case
    when visibility = 'Public' then title || ' is public.'
    else title || ' is not public.'
  end reason,
  tenant_id as tenant_id
from
  azuread_group;
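
The named query alarms on every public group, while the control title allows organizationally approved ones. The following is an added example, not part of the mod, showing one way to triage results against an allowlist. The group IDs are constructed placeholders, and the `group_types` column with the `Unified` value marking Microsoft 365 groups is assumed from the Steampipe azuread plugin and Microsoft Graph.

```sql
-- Added example: not the mod's named query.
with approved_public_groups (group_id) as (
  -- Constructed placeholder IDs. Replace with the object IDs of the
  -- public groups your organization has reviewed and approved.
  values
    ('00000000-0000-0000-0000-000000000001'),
    ('00000000-0000-0000-0000-000000000002')
)
select
  g.id as resource,
  case
    -- Private, hidden-membership or unset visibility is not in scope.
    when g.visibility is distinct from 'Public' then 'ok'
    -- Approved public groups stay visible for periodic review.
    when a.group_id is not null then 'info'
    else 'alarm'
  end as status,
  case
    when g.visibility is distinct from 'Public' then g.title || ' is not public.'
    when a.group_id is not null then g.title || ' is public and on the approved list.'
    else g.title || ' is public and not on the approved list.'
  end as reason,
  g.tenant_id
from
  azuread_group as g
  left join approved_public_groups as a on a.group_id = g.id
where
  -- Assumption: group_types is a jsonb array; 'Unified' marks Microsoft 365 groups.
  g.group_types ? 'Unified'
order by
  status,
  g.title;
```

Rows with status `alarm` are the public Microsoft 365 groups that nobody has approved; these are the candidates for the Private setting described under Remediation.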

Tags