Ensure that non-administrator users do not have the ability to create and manage security groups and Office 365 groups within your Microsoft Entra ID tenant. Once self-service group management is disabled for non-admin users, they can no longer change the configuration of their groups or manage membership by approving requests from other users to join the groups they own.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Self-service group management enables users to create and manage security groups or Office 365 groups in Microsoft Entra ID. It also allows group owners to assign ownership to other users. Since these groups can grant access to sensitive and private information or to critical Microsoft Entra ID configuration, the self-service group management feature should be disabled for all non-administrator users.
Audit
To determine if self-service group management is disabled within your Microsoft Entra ID group settings, perform the following actions:
Note: Getting the self-service group management feature configuration status using Microsoft Graph API or Azure CLI is not currently supported.

Remediation / Resolution
By setting "Owners can manage group membership requests in the Access Panel" to "No" and "Restrict access to Groups in the Access Panel" to "Yes", you disable the self-service group management feature for non-admin users in your Microsoft Entra ID tenant. Note that the second option is a restriction, so "Yes" is the restrictive value: leaving it at "No" keeps the groups features in the Access Panel available to all users. To configure these settings, perform the following actions:
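The two Access Panel toggles above are only available in the portal, but the tenant-level permissions that decide whether ordinary members can create security groups and Microsoft 365 groups at all are exposed through Microsoft Graph, and a practitioner auditing this rule usually wants both checked together. The following PowerShell script is an added example, not part of the Conformity rule page or of Conformity's own tooling. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account has the Policy.Read.All and Directory.Read.All permissions; the function name Test-GroupSelfServiceCreation is a hypothetical name chosen for this example. It reads the authorizationPolicy (allowedToCreateSecurityGroups) and the Group.Unified directory setting (EnableGroupCreation) and reports each permissive value as a finding.

```powershell
# Added example: audit the Graph-exposed group-creation permissions that back
# this rule's intent. It does NOT read the two "Access Panel" toggles, which
# the rule page notes are not available through Graph or Azure CLI.
# Assumes: Microsoft.Graph PowerShell SDK installed; signed-in account holds
# Policy.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All"

# Hypothetical helper name for this example. Returns an array of finding
# strings; an empty array means both creation permissions are locked down.
function Test-GroupSelfServiceCreation {
    $findings = @()

    # 1. authorizationPolicy: may ordinary members create security groups?
    $authz = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"
    $perms = $authz.defaultUserRolePermissions
    if ($perms.allowedToCreateSecurityGroups -eq $true) {
        $findings += "defaultUserRolePermissions.allowedToCreateSecurityGroups is true: any member can create security groups"
    }

    # 2. Group.Unified directory setting: may ordinary members create
    #    Microsoft 365 groups? Values in groupSettings are strings.
    $settings = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/groupSettings"
    $unified = $settings.value | Where-Object { $_.displayName -eq "Group.Unified" }
    if ($null -eq $unified) {
        # No Group.Unified object means the template defaults apply, and the
        # template default for EnableGroupCreation is true.
        $findings += "No Group.Unified setting object exists; template default EnableGroupCreation=true applies (any member can create Microsoft 365 groups)"
    } else {
        $enable = ($unified.values | Where-Object { $_.name -eq "EnableGroupCreation" }).value
        if ("$enable" -eq "true") {
            $findings += "Group.Unified EnableGroupCreation is true: any member can create Microsoft 365 groups"
        }
    }

    return ,$findings
}

$result = Test-GroupSelfServiceCreation
if ($result.Count -eq 0) {
    Write-Output "PASS: members cannot create security groups or Microsoft 365 groups"
} else {
    $result | ForEach-Object { Write-Output "FAIL: $_" }
}
```

A PASS from this script does not by itself satisfy the rule: the Access Panel toggles described above still have to be verified in the portal, since they govern what owners of already existing groups can do rather than who can create new ones.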
Note: Disabling self-service group management for non-admin users using Microsoft Graph API or Azure CLI is not currently supported.

References
- Azure Official Documentation
- Set up self-service group management in Microsoft Entra ID
- CIS Microsoft Azure Foundations