Ensure that "Enable an 'All Users' group in the directory" policy is set to "Yes" in your Microsoft Entra ID settings in order to enable the "All Users" group for centralized access administration. This group represents the entire collection of the Microsoft Entra ID users, including guests and external users, that you can use to make the access permissions easier to manage within your directory.
Security The "All Users" group can be used to assign the same permissions to all the users within an Microsoft Entra ID account. For example, all users in a directory can be given access to a SaaS application by assigning a specific set of permissions that allows application access to the "All Users" dedicated group. This ensures that there is a common policy created for all the existing and future users and there is no need to implement individual access permissions.
Audit
To determine if "All Users" group is enabled for centralized administration in your Microsoft Entra ID directory, perform the following actions:
Note: Getting "Enable an 'All Users' group in the directory" feature configuration status using Microsoft Graph API or Azure CLI is not currently supported.Remediation / Resolution
By setting "Enable an 'All Users' group in the directory" to "Yes", a single group can be used to assign the same permissions to all the available Microsoft Entra ID users, which can be really helpful for implementing centralized access management inside your Microsoft Entra ID account. To enable the feature, perform the following actions:
Note: Activating "Enable an 'All Users' group in the directory" feature using Microsoft Graph API or Azure CLI is not currently supported.References
- Azure Official Documentation
- Manage Microsoft Entra groups and group membership
- CIS Microsoft Azure Foundations