Allow Only Administrators to Manage Office 365 Groups

Risk level: High (should be achieved)
Rule ID: ActiveDirectory-020

Ensure that the "Owners who can assign members as group owners in Azure portals" policy is set to "None" in your Azure Active Directory settings, so that non-privileged users cannot manage Office 365 groups through the Access Panel or the Azure Admin portal. By default, all group owners can assign other members as group owners in Azure Active Directory.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Depending on your business requirements, you can use Azure Active Directory settings to achieve more granular access control over self-service group management for your users. Restricting Office 365 group management to Azure Active Directory administrators prevents non-administrator users from making any changes to these groups, which ensures that Office 365 group management is not delegated to unauthorized users.

Audit

To determine if non-administrator users have the ability to manage Office 365 groups in Azure portals, perform the following actions:

Note: Retrieving "Owners who can assign members as group owners in Azure portals" setting configuration status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Active Directory user group general settings.

05 On the General settings page, under Office 365 Groups, check the configuration of the Owners who can assign members as group owners in Azure portals setting. If it is set to All or to Selected (i.e. a chosen list of users allowed to manage Office 365 groups), then Active Directory users, including users without administrative privileges, can manage Office 365 groups using the Access Panel and the Azure Admin portal.

06 Repeat steps no. 3 – 5 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

By setting "Owners who can assign members as group owners in Azure portals" to "None", only Azure Active Directory (AD) administrators can manage Office 365 groups, which tightens access control over your Azure cloud resources. To configure the necessary setting, perform the following actions:

Note: Restricting Office 365 group management to Active Directory administrators only using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Groups.

04 In the Settings section, select General to access Active Directory user group general settings.

05 On the General settings page, under Office 365 Groups, select None next to the Owners who can assign members as group owners in Azure portals setting to remove the ability of non-privileged users to manage Office 365 groups through Azure portals.

06 Click Save to apply the changes. If successful, the following message should be displayed: "Successfully updated group settings". Once the configuration changes are saved, only the Active Directory administrators can manage Microsoft Office 365 groups using the Access Panel and the Azure Admin portal.

07 Repeat steps no. 3 – 6 for each Azure Active Directory (AD) that you want to reconfigure in order to restrict Office 365 group management to AD administrators only.

Publication date Aug 30, 2019
