Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
Restrict security group creation to administrators only. Security groups are used to grant access to Azure AD and Azure resources; when this setting is 'Yes' (the tenant default), every user in the directory can create security groups and add members to them, outside of administrator governance.
Risk Level: Low
Cloud Entity: AD Authorization Policy
CloudGuard Rule ID: D9.AZU.IAM.43
Covered by Spectral: No
Category: Active Directory
GSL LOGIC
ADAuthorizationPolicy should not have defaultUserRolePermissions.allowedToCreateSecurityGroups=true
REMEDIATION
From Portal:
- Go to Azure Active Directory.
- Go to Groups.
- Go to 'General' in Settings.
- Set 'Users can create security groups in Azure portals, API or PowerShell' to No.
- Click Save.
Note: There is no dedicated Azure CLI command for this setting. It is, however, exposed through the Microsoft Graph authorizationPolicy resource (the same object the GSL logic above inspects) as defaultUserRolePermissions.allowedToCreateSecurityGroups: read it with GET /policies/authorizationPolicy and change it with PATCH on the same URL (requires the Policy.ReadWrite.Authorization permission), or use the Microsoft Graph PowerShell cmdlets Get-MgPolicyAuthorizationPolicy and Update-MgPolicyAuthorizationPolicy.
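The following Python script is an added example (not CloudGuard's rule engine and not Microsoft's code) that mirrors the GSL logic above against a Microsoft Graph authorizationPolicy document and builds the PATCH request that applies the remediation. It assumes the documented v1.0 shape of /policies/authorizationPolicy; the sample policy embedded below is constructed for illustration, and the bearer token is assumed to be obtained elsewhere (for example `az account get-access-token --resource-type ms-graph`).

```python
"""Audit and remediate 'Users can create security groups' via Microsoft Graph.

Added example, not CloudGuard's or Microsoft's code. Assumes the documented
v1.0 authorizationPolicy resource; SAMPLE_POLICY is a constructed sample.
"""
import json
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"
SETTING = "allowedToCreateSecurityGroups"

# Constructed sample of a GET /policies/authorizationPolicy response from a
# non-compliant tenant (fields not needed here are omitted).
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateSecurityGroups": True,
        "allowedToReadOtherUsers": True,
    },
}


def is_compliant(policy: dict) -> bool:
    """Evaluate the GSL rule: the policy must not have
    defaultUserRolePermissions.allowedToCreateSecurityGroups = true.
    A missing value is treated as non-compliant, because the tenant default
    for this setting is 'Yes' (true)."""
    perms = policy.get("defaultUserRolePermissions") or {}
    return perms.get(SETTING, True) is False


def remediation_body(policy: dict) -> dict:
    """Build the PATCH body. The whole defaultUserRolePermissions object is
    resent with only this flag changed, so no other permission is altered
    regardless of how Graph merges a partial complex-type update."""
    perms = dict(policy.get("defaultUserRolePermissions") or {})
    perms[SETTING] = False
    return {"defaultUserRolePermissions": perms}


def build_patch_request(token: str, policy: dict) -> urllib.request.Request:
    """PATCH /policies/authorizationPolicy. The token must carry the
    Policy.ReadWrite.Authorization permission (assumed obtained elsewhere)."""
    req = urllib.request.Request(
        GRAPH_URL,
        data=json.dumps(remediation_body(policy)).encode(),
        method="PATCH",
    )
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


def audit_and_remediate(token: str, opener=urllib.request.urlopen) -> bool:
    """Read the live policy and PATCH it only if it is non-compliant.
    Returns True when the tenant ends compliant (Graph answers the PATCH
    with 204 No Content). `opener` is injectable so the flow can be tested
    offline."""
    get = urllib.request.Request(GRAPH_URL)
    get.add_header("Authorization", f"Bearer {token}")
    with opener(get) as resp:
        policy = json.load(resp)
    if is_compliant(policy):
        return True
    with opener(build_patch_request(token, policy)) as resp:
        return resp.status == 204


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    print("compliant before:", is_compliant(SAMPLE_POLICY))
    print("PATCH body:", json.dumps(remediation_body(SAMPLE_POLICY)))
```

Run `is_compliant` on a fresh GET after the PATCH rather than trusting the 204 alone; the same request can be sent from the Azure CLI with `az rest --method PATCH --url https://graph.microsoft.com/v1.0/policies/authorizationPolicy --body '{"defaultUserRolePermissions":{"allowedToCreateSecurityGroups":false}}'`, and from PowerShell with Update-MgPolicyAuthorizationPolicy.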
References:
- https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service
- https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
- https://workbench.cisecurity.org/sections/722878/recommendations/1182646
AD Authorization Policy
Represents a policy that can control Azure Active Directory authorization settings.
Compliance Frameworks
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v. 2.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset