Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

Restrict security group creation to administrators only.

Risk Level: Low
Cloud Entity: AD Authorization Policy
CloudGuard Rule ID: D9.AZU.IAM.43
Covered by Spectral: No
Category: Active Directory

GSL LOGIC

ADAuthorizationPolicy should not have defaultUserRolePermissions.allowedToCreateSecurityGroups=true
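
As an added illustration (not CloudGuard's own evaluator), the assertion above can be checked offline with a small Python function that parses a GSL clause of the form `<entity> should [not] have <dotted.path>=<value>` and evaluates it against a policy object shaped like Microsoft Graph's authorizationPolicy resource; the accepted clause grammar is an assumption and the two tenant policies are constructed sample data:

```python
"""Minimal evaluator for the GSL assertion shown on this page."""
import re
from typing import Any

# Clause grammar handled here (an assumption): "<entity> should [not] have <path>=<value>".
_RULE_RE = re.compile(
    r"^(?P<entity>\w+)\s+should\s+(?P<neg>not\s+)?have\s+(?P<path>[\w.]+)=(?P<value>\w+)$"
)


def _coerce(text: str) -> Any:
    """Map a GSL literal onto a Python value (true/false, integers, else string)."""
    low = text.lower()
    if low in ("true", "false"):
        return low == "true"
    return int(text) if text.isdigit() else text


def _lookup(obj: dict, dotted: str) -> Any:
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    cur: Any = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def evaluate(rule: str, entity: dict) -> tuple[bool, str]:
    """Return (compliant, reason) for one entity against one GSL clause."""
    m = _RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported GSL clause: {rule!r}")
    expected = _coerce(m["value"])
    actual = _lookup(entity, m["path"])
    if actual is None:
        # Absent attribute: report a failure rather than silently passing, because
        # the Azure AD default for this setting lets users create security groups.
        return False, f"{m['path']} not present on {m['entity']}"
    has_it = actual == expected
    compliant = (not has_it) if m["neg"] else has_it
    return compliant, f"{m['path']}={actual!r}"


RULE = ("ADAuthorizationPolicy should not have "
        "defaultUserRolePermissions.allowedToCreateSecurityGroups=true")

# Constructed samples shaped like Microsoft Graph's authorizationPolicy resource.
TENANT_BEFORE = {"defaultUserRolePermissions": {"allowedToCreateSecurityGroups": True}}
TENANT_AFTER = {"defaultUserRolePermissions": {"allowedToCreateSecurityGroups": False}}

if __name__ == "__main__":
    for name, policy in (("before", TENANT_BEFORE), ("after", TENANT_AFTER)):
        ok, why = evaluate(RULE, policy)
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({why})")
```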

REMEDIATION

From Portal:

  1. Go to Azure Active Directory.
  2. Go to Groups.
  3. Go to 'General' in Settings.
  4. Set 'Users can create security groups in Azure portals, API or PowerShell' to 'No'.
  5. Click Save.

Note: at the time of writing, there is no Azure CLI or other API command available to apply this recommendation's security configuration programmatically.

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service
  2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
  3. https://workbench.cisecurity.org/sections/722878/recommendations/1182646

AD Authorization Policy

Represents a policy that can control Azure Active Directory authorization settings.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset