Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

Restrict security group creation to administrators only.

Risk Level: Low
Cloud Entity: AD Authorization Policy
CloudGuard Rule ID: D9.AZU.IAM.43
Covered by Spectral: No
Category: Active Directory


ADAuthorizationPolicy should not have defaultUserRolePermissions.allowedToCreateSecurityGroups=true


From Portal:

  1. Go to Azure Active Directory.
  2. Go to Groups.
  3. Go to 'General' in Settings.
  4. Set 'Users can create security groups in Azure portals, API or PowerShell' to No.
  5. Click Save.

Note: Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.


  1. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service
  2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
  3. https://workbench.cisecurity.org/sections/722878/recommendations/1182646

AD Authorization Policy

Represents a policy that can control Azure Active Directory authorization settings.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset