Ensure that "Users can create security groups in Azure portals" is set to "No" within your Microsoft Entra ID settings in order to make sure that non-privileged users are not able to create security groups via the Access Panel and the Azure administration portal.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Security groups are used to manage member and machine access to Azure shared resources for a group of users. When the "Users can create security groups in Azure portals" feature is enabled, all users in your Microsoft Entra ID account are allowed to create new security groups and add members to those groups. Unless your business requires permission delegation, security group creation should be restricted to Microsoft Entra ID administrators only.
Audit
To determine if non-privileged users have the ability to create security groups in Azure portals, perform the following actions:
Note: Getting the "Users can create security groups in Azure portals" configuration status using Microsoft Graph API or Azure CLI is not currently supported.
Remediation / Resolution
By setting "Users can create security groups in Azure portals" to "No", only Microsoft Entra ID administrators can create security groups, tightening access control over your Azure cloud resources. To disable the setting, perform the following actions:
Note: Restricting security group creation to Microsoft Entra ID administrators only using Microsoft Graph API or Azure CLI is not currently supported.
References
- Azure Official Documentation
- Set up self-service group management in Microsoft Entra ID
- CIS Microsoft Azure Foundations