Logo of Trend Micro

Restrict Office 365 Group Creation to Administrators Only

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: ActiveDirectory-019

Ensure that "Users can create Office 365 groups in Azure portals" is set to "No" within your Azure Active Directory settings in order to make sure that non-privileged users are not able to create Office 365 groups using the Access Panel and the Azure administration portal.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Depending on your business needs, you might want to control who has the ability to create Office 365 groups. When "Users can create Office 365 groups in Azure portals" feature is enabled, all users in your Active Directory account are allowed to create new Office 365 groups and add members to those groups. Unless your business logic requires delegation to create groups, Office 365 group creation should be restricted to Active Directory administrators only.

Audit

To determine if non-privileged users have the ability to create Microsoft Office 365 groups within Azure portals, perform the following actions:

Note: Retrieving the feature configuration status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Active Directory user group general settings.

05 On the General settings page, under Office 365 Groups, check Users can create Office 365 groups in Azure portals setting configuration. If the verified setting is set to Yes, any Active Directory users, including users without administrative roles, can create Office 365 groups using the Access Panel and the Azure administration portal, thus the current Azure AD group configuration is not compliant.

06 Repeat steps no. 3 – 5 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

By setting "Users can create Office 365 groups in Azure portals" to "No", only Azure Active Directory (AD) administrators can create Office 365 groups. To disable the feature, perform the following actions:

Note: Restricting Office 365 group creation to Active Directory administrators only using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settingssection, select General to access Active Directory user group general settings.

05 On the General settings page, under Security Groups, select No next to Users can create Office 365 groups in Azure portals configuration setting to disable the ability to create Office 365 groups for non-privileged users.

06 Click Save to apply the changes. If the request is successful, the following message should be displayed: "Successfully updated group settings". Once the configuration changes are active, only Active Directory users with administration roles can create Office 365 groups using the Access Panel and the Azure administration portal.

07 Repeat steps no. 3 – 6 for each Active Directory (AD) that you want to reconfigure in order to restrict Office 365 groups creation to AD administrators only.

References

Publication date Aug 30, 2019

Related ActiveDirectory rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Restrict Office 365 Group Creation to Administrators Only

Risk level: High