|   Trend Micro Cloud One™
Open menu

Allow Only Administrators to Create Security Groups

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Risk level: High (not acceptable risk)
Rule ID: ActiveDirectory-017

Ensure that "Users can create security groups in Azure portals" is set to "No" within your Azure Active Directory settings in order to make sure that non-privileged users are not able to create security groups via the Access Panel and the Azure administration portal.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Security groups are used to manage member and machine access to Azure shared resources for a group of users. When "Users can create security groups in Azure portals" feature is enabled, all users in your Active Directory account are allowed to create new security groups and add members to those groups. Unless your business requires permission delegation, security group creation should be restricted to AD administrators only.

Audit

To determine if non-privileged users have the ability to create security groups in Azure portals, perform the following actions:

Note: Getting "Users can create security groups in Azure portals" configuration status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Active Directory user group general settings.

05 On the General settings page, under Security Groups, check Users can create security groups in Azure portals setting configuration. If the verified setting is set to Yes, any Active Directory users, including those without administrative privileges, can create security groups using the Access Panel and Azure administration portal, therefore the current Azure AD user group configuration is not compliant.

06 Repeat steps no. 3 – 5 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

By setting "Users can create security groups in Azure portals" to "No", only Azure Active Directory (AD) administrators can create security groups, enhancing the access security to your Azure cloud resources. To disable the necessary setting, perform the following actions:

Note: Restricting security group creation to Active Directory administrators only using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settingssection, select General to access Active Directory user group general settings.

05 On the General settings page, under Security Groups, select No next to Users can create security groups in Azure portals configuration setting to disable non-privileged users' ability to create security groups using Azure portals.

06 Click Save to apply the changes. If the request is successful, the following message should be displayed: "Successfully updated group settings". Once the configuration changes are active, only the Active Directory users with an administrator role can create security groups using the Access Panel and the Azure administration portal.

07 Repeat steps no. 3 – 6 for each Active Directory (AD) that you want to reconfigure in order to restrict security groups creation to AD administrators only.

References

Publication date Aug 30, 2019

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base


Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

Allow Only Administrators to Create Security Groups

Risk level: High