Ensure that "Owners who can assign members as group owners in Azure portals" is set to "None" in your Microsoft Entra ID settings in order to make sure that non-privileged users are not able to manage security groups via the Access Panel and the Azure Admin portal.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Restricting security group management to Microsoft Entra ID administrators only prevents ordinary users from making changes to security groups. This ensures that security groups are managed solely by designated, authorized users within your Microsoft Entra ID account.
Audit
To determine if non-admin users have the ability to manage security groups in Azure portals, perform the following actions:
Note: Retrieving the configuration status of the "Owners who can assign members as group owners in Azure portals" setting using Microsoft Graph API or Azure CLI is not currently supported.
Remediation / Resolution
By setting "Owners who can assign members as group owners in Azure portals" to "None", only Microsoft Entra ID administrators can manage security groups, increasing the level of access security for your Azure cloud resources. To configure the necessary setting, perform the following actions:
Note: Restricting security group management to Microsoft Entra ID administrators only using Microsoft Graph API or Azure CLI is not currently supported.
References
- Azure Official Documentation
- Set up self-service group management in Microsoft Entra ID
- CIS Microsoft Azure Foundations