Ensure that the "Owners who can assign members as group owners in Azure portals" setting is set to "None" in your Azure Active Directory (Azure AD) group settings, so that non-privileged users cannot manage security groups through the Access Panel or the Azure Admin portal.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
Restricting security group management to Azure Active Directory administrators prevents ordinary users from changing security group ownership and membership. This ensures that security groups, and therefore the access they grant, are managed solely by designated, authorized users within your Azure Active Directory tenant.
Audit
To determine if non-admin users have the ability to manage security groups in Azure portals, perform the following actions:
Note: Retrieving the configuration status of the "Owners who can assign members as group owners in Azure portals" setting using the Microsoft Graph API or the Azure CLI is not currently supported.
Remediation / Resolution
By setting "Owners who can assign members as group owners in Azure portals" to "None", only Azure Active Directory (AD) administrators can assign group owners and manage security groups, which reduces the risk of unauthorized changes to the groups that control access to your Azure cloud resources. To configure the necessary setting, perform the following actions:
Note: Restricting security group management to Active Directory administrators using the Microsoft Graph API or the Azure CLI is not currently supported.
References
- Azure Official Documentation
- Set up self-service group management in Azure Active Directory
- CIS Microsoft Azure Foundations
Rule: Allow Only Administrators to Manage Security Groups
Risk level: High