Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Restrict User Access to Microsoft Entra Group Features in Azure Access Panel

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ActiveDirectory-023

Ensure that the "Restrict user ability to access groups features in the Access Panel" setting is set to "Yes" within your Microsoft Entra ID configuration in order to make sure that non-privileged users are not able to create and manage security groups using the Azure Access Panel.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Security groups are used to manage member and machine access to Microsoft Azure cloud resources for a group of users. When the "Restrict user ability to access groups features in the Access Panel" setting is not enabled, all the users within your Microsoft Entra ID account are allowed to create new security groups and add members to those groups. Because security groups can grant access to sensitive and private data or critical configuration information, security group creation and management should be restricted to Microsoft Entra ID administrators only (unless your business requires permission delegation).

Audit

To determine if non-privileged users have the ability to access group features within Azure Access Panel, perform the following operations:

Note: Getting "Restrict user ability to access groups features in the Access Panel" configuration status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the blade navigation panel, under Manage, select Groups.

04 In the left navigation panel, under Settings, choose General to access the general settings available for the Microsoft Entra ID user groups.

05 Under Self Service Group Management, check the Restrict user ability to access groups features in the Access Panel. Group and User Admin will have read-only access when the value of this setting is 'Yes' configuration setting status. If the setting status is set to No, any Microsoft Entra ID users can access the Microsoft Entra ID user group features available in the Access Panel, therefore the existing access configuration is not compliant.

06 Repeat steps no. 3 – 5 for each Microsoft Microsoft Entra ID that you want to examine.

Remediation / Resolution

By setting "Restrict user ability to access groups features in the Access Panel" to "Yes", only Global Administrators can access Microsoft Entra group features in the Access Panel, enhancing the access security to your Microsoft Entra ID resources. To disable the setting, perform the following actions:

Note: Restricting user access to Microsoft Entra group features in the Access Panel using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the blade navigation panel, under Manage, select Groups.

04 In the left navigation panel, under Settings, choose General to access the general settings available for the Microsoft Entra ID user groups.

05 Under Self Service Group Management, select Yes next to Restrict user ability to access groups features in the Access Panel. Group and User Admin will have read-only access when the value of this setting is 'Yes' to disable the non-privileged user's ability to access Microsoft Entra group features in the Access Panel. Choose Save to apply the changes. If the request is successful, the following message should be displayed: "Successfully updated group settings". Global Admins will have access to the Access Panel regardless of the status of this setting.

06 Repeat steps no. 3 – 5 for each Microsoft Microsoft Entra ID that you want to reconfigure in order to secure the access to your Microsoft Entra ID resources.

References

Publication date Sep 19, 2021

Related ActiveDirectory rules