Best practices

Users can create security groups in Azure portals, API or PowerShell

Description

'User settings' holds the default consent and permission configuration for all tenant users. It was detected that users can create security groups. When the security group creation permission is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.
Recommended Mitigation

It is recommended to restrict security group creation to administrators only. For more information: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-self-service-management
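One way to check this setting and apply the restriction from PowerShell, as an added example that is not part of the original finding. It assumes the Microsoft Graph PowerShell SDK v2 and an account that can consent to the listed scopes; the `-Remediate` switch is a hypothetical name used only by this script.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns
# Added example: audit, and optionally restrict, security group creation by default users.
# Assumption: Microsoft Graph PowerShell SDK v2 (Update-MgPolicyAuthorizationPolicy takes no policy id).

[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch for this script: apply the fix instead of only reporting.
    [switch]$Remediate
)

# Request write access only when a change is actually going to be made.
$scopes = @('Policy.Read.All')
if ($Remediate) { $scopes += 'Policy.ReadWrite.Authorization' }
Connect-MgGraph -Scopes $scopes -NoWelcome | Out-Null

# The tenant has a single authorization policy; default user permissions live under it.
$policy  = Get-MgPolicyAuthorizationPolicy
$allowed = $policy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups

if ($null -eq $allowed) {
    throw 'allowedToCreateSecurityGroups was not returned; check consent for Policy.Read.All.'
}

# Report the current state as an object so it can be exported or compared later.
[pscustomobject]@{
    Setting   = 'defaultUserRolePermissions.allowedToCreateSecurityGroups'
    Value     = $allowed
    Compliant = -not $allowed
}

if ($allowed -and $Remediate) {
    # Send only the property being changed.
    $body = @{ defaultUserRolePermissions = @{ allowedToCreateSecurityGroups = $false } }
    if ($PSCmdlet.ShouldProcess('authorizationPolicy', 'Set allowedToCreateSecurityGroups to false')) {
        Update-MgPolicyAuthorizationPolicy -BodyParameter $body

        # Read the policy back to confirm the change took effect.
        $after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateSecurityGroups
        if ($after) { Write-Warning 'Setting is still enabled after update.' }
    }
}
```

Run it without `-Remediate` first to record the current value, and with `-Remediate -WhatIf` to preview the change before applying it.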