Trend Micro Cloud One™

Enable All Users Group

Risk level: Medium (should be achieved)
Rule ID: ActiveDirectory-021

Ensure that "Enable an 'All Users' group in the directory" policy is set to "Yes" in your Azure Active Directory (AD) settings in order to enable the "All Users" group for centralized access administration. This group represents the entire collection of the Active Directory users, including guests and external users, that you can use to make the access permissions easier to manage within your directory.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

The "All Users" group can be used to assign the same permissions to all the users within an Azure Active Directory account. For example, all users in a directory can be given access to a SaaS application by assigning a specific set of permissions that allows application access to the "All Users" dedicated group. This ensures that there is a common policy created for all the existing and future users and there is no need to implement individual access permissions.

Audit

To determine if the "All Users" group is enabled for centralized administration in your Azure AD directory, perform the following actions:

Note: Getting the configuration status of the "Enable an All Users group in the directory" feature using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Active Directory user group general settings.

05 On the General settings page, under Directory-wide Groups, check the Enable an "All Users" group in the directory feature configuration. If Enable an "All Users" group in the directory is set to No, the dedicated "All Users" group, necessary for centralized administration, is not enabled in your current Active Directory account.

06 Repeat steps no. 3 – 5 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

By setting "Enable an All Users group in the directory" to "Yes", a single group can be used to assign the same permissions to all the available AD users, which can be really helpful for implementing centralized access management inside your Active Directory account. To enable the feature, perform the following actions:

Note: Activating the "Enable an All Users group in the directory" feature using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Active Directory user group general settings.

05 On the General settings page, under Directory-wide Groups, select Yes next to Enable an "All Users" group in the directory configuration setting to enable the dedicated "All Users" group that combines all users available in your directory, including guests and external users.

06 Click Save to apply the changes. If successful, the following message should be displayed: "Successfully updated group settings". Once the configuration changes are saved, the specialized "All Users" group can be used for centralized access administration in your current Active Directory account.

07 Repeat steps no. 3 – 6 for each Active Directory (AD) that you want to reconfigure in order to enable the dedicated "All Users" group.

Publication date May 21, 2019
