Disable Self-Service Group Management

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (should be achieved)
Rule ID: ActiveDirectory-016

Ensure that non-administrator users do not have the ability to create and manage security groups and Office 365 groups within your Azure Active Directory. Once self-service group management is disabled for non-admin users, they can no longer change the configuration of their groups or manage group membership by approving requests from other users to join the groups they own.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Self-service group management enables users to create and manage security groups or Office 365 groups in Azure Active Directory (AD). Self-service group management also allows group owners to assign ownership to other users. Since these groups can grant access to sensitive and private information or to critical Azure AD configuration, the self-service group management feature should be disabled for all non-administrator users.

Audit

To determine if self-service group management is disabled within your Active Directory group settings, perform the following actions:

Note: Getting the self-service group management feature configuration status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Active Directory user group general settings.

05 On the General settings page, under Self Service Group Management, check the configuration of both the Owners can manage group membership requests in the Access Panel and Restrict access to Groups in the Access Panel settings. If both settings are set to Yes, the self-service group management feature is enabled for all Active Directory users (including non-administrator users), and therefore the current Azure AD user group configuration is not compliant.

06 Repeat steps 3 – 5 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

By setting the "Owners can manage group membership requests in the Access Panel" and "Restrict access to Groups in the Access Panel" options to "No", you disable the self-service group management feature for non-admin users in your Azure Active Directory (AD). To disable the necessary settings, perform the following actions:

Note: Disabling self-service group management for non-admin users using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Active Directory user group general settings.

05 On the General settings page, under Self Service Group Management, select No next to both the Owners can manage group membership requests in the Access Panel and Restrict access to Groups in the Access Panel settings to disable the self-service group management feature for Active Directory non-administrator users.

06 Click Save to apply the changes. If the request is successful, the following message should be displayed: "Successfully updated group settings". Once the configuration changes are active, only Active Directory users with an administrator role can access the user group features available on the Access Panel for creating and managing (including handling membership of) security groups and Office 365 groups in the current directory.

07 Repeat steps 3 – 6 for each Active Directory (AD) that you want to reconfigure in order to disable self-service group management for non-administrator users.

Publication date Aug 30, 2019
