Ensure that "Users can create Office 365 groups in Azure portals" is set to "No" within your Microsoft Entra ID settings in order to make sure that non-privileged users are not able to create Office 365 groups using the Access Panel and the Azure administration portal.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Security Depending on your business needs, you might want to control who has the ability to create Office 365 groups. When "Users can create Office 365 groups in Azure portals" feature is enabled, all users in your Microsoft Entra ID account are allowed to create new Office 365 groups and add members to those groups. Unless your business logic requires delegation to create groups, Office 365 group creation should be restricted to Microsoft Entra ID administrators only.
Audit
To determine if non-privileged users have the ability to create Microsoft Office 365 groups within Azure portals, perform the following actions:
Note: Retrieving the feature configuration status using Microsoft Graph API or Azure CLI is not currently supported.Remediation / Resolution
By setting "Users can create Office 365 groups in Azure portals" to "No", only Microsoft Entra ID administrators can create Office 365 groups. To disable the feature, perform the following actions:
Note: Restricting Office 365 group creation to Microsoft Entra ID administrators only using Microsoft Graph API or Azure CLI is not currently supported.References
- Azure Official Documentation
- Manage who can create Microsoft 365 Groups
- CIS Microsoft Azure Foundations
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Users Can Create Office 365 Groups
Risk Level: High