Ensure that the "Owners who can assign members as group owners in Azure portals" policy is set to "None" in your Azure Active Directory group settings, so that non-privileged users cannot manage Office 365 groups through the Access Panel or the Azure admin portal. By default, this setting allows every group owner to assign other members as group owners. (Office 365 groups have since been renamed Microsoft 365 groups, so the setting may appear under that name in current portals.)
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
Depending on your business requirements, you can use Azure Active Directory group settings to gain more granular control over self-service group management for your users. Restricting Office 365 group management to Azure AD administrators prevents regular users from changing the ownership of this type of group, which ensures that Office 365 group management is not delegated to unauthorized users.
Audit
To determine if non-administrator users have the ability to manage Office 365 groups in Azure portals, perform the following actions:
Note: Retrieving the configuration status of the "Owners who can assign members as group owners in Azure portals" setting using the Microsoft Graph API or Azure CLI is not currently supported.
Remediation / Resolution
Setting "Owners who can assign members as group owners in Azure portals" to "None" ensures that only Azure Active Directory (AD) administrators can manage Office 365 group ownership, which reduces the risk of group-based access to your Azure cloud resources being granted by unauthorized users. To configure the necessary setting, perform the following actions:
Note: Restricting Office 365 group management to Active Directory administrators only using the Microsoft Graph API or Azure CLI is not currently supported.
References
- Azure Official Documentation
- Manage who can create Office 365 Groups
- CIS Microsoft Azure Foundations
Allow Only Administrators to Manage Office 365 Groups
Risk level: High