
Disable Self-Service Group Management

Risk level: High (should be achieved)
Rule ID: ActiveDirectory-016

Ensure that non-administrator users do not have the ability to create and manage security groups and Office 365 groups within your Azure Active Directory. Once self-service group management is disabled for non-admin users, they can no longer change their group configuration or manage memberships by approving requests from other users to join their existing groups.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Self-service group management enables users to create and manage security groups or Office 365 groups in Azure Active Directory (AD). It also allows group owners to assign ownership to other users. Since these groups can grant access to sensitive and private information or to critical Azure AD configuration, the self-service group management feature should be disabled for all non-administrator users.

Audit

To determine if self-service group management is disabled within your Active Directory group settings, perform the following actions:

Note: Getting the self-service group management feature configuration status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Active Directory user group general settings.

05 On the General settings page, under Self Service Group Management, check the configuration for both Owners can manage group membership requests in the Access Panel and Restrict access to Groups in the Access Panel settings. If both these settings are set to Yes, the self-service group management feature is enabled for all Active Directory users (including non-administrator users), therefore the current Azure AD user group configuration is not compliant.

06 Repeat steps no. 3 – 5 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

By setting the "Owners can manage group membership requests in the Access Panel" and "Restrict access to Groups in the Access Panel" options to "No", you disable the self-service group management feature for non-admin users in your Azure Active Directory (AD). To disable these settings, perform the following actions:

Note: Disabling self-service group management for non-admin users using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Active Directory user group general settings.

05 On the General settings page, under Self Service Group Management, select No next to both the Owners can manage group membership requests in the Access Panel and Restrict access to Groups in the Access Panel settings to disable the self-service group management feature for Active Directory non-administrator users.

06 Click Save to apply the changes. If the request is successful, the following message should be displayed: "Successfully updated group settings". Once the configuration changes are active, only the Active Directory users with an administrator role can access the user group features available on the Access Panel for creating and managing (including handling membership) security groups and Office 365 groups in the current directory.

07 Repeat steps no. 3 – 6 for each Active Directory (AD) that you want to reconfigure in order to disable self-service group management for non-administrator users.

Publication date Aug 30, 2019
