monkey365

0.95.1

rules/findings/EntraID/Groups/CIS3.0/eid-owners-can-manage-group-membership-enabled.json

{
  "args": [
     
  ],
  "provider": "EntraID",
  "serviceType": "Groups",
  "serviceName": "Microsoft Entra ID",
  "displayName": "Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'",
  "description": "Consider to prevent that regular users can manage security groups.",
  "rationale": "Restricting security group management to administrators only prohibits users from making changes to security groups. This ensures that security groups are appropriately managed and their management is not delegated to non-administrators.",
  "impact": null,
  "remediation": {
    "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t2. Go to `Groups`\r\n\t\t\t\t\t3. Go to `General`\r\n\t\t\t\t\t4. Ensure that `Owners can manage group membership requests in the Access Panel` is set to `No`",
    "code": {
      "powerShell": null,
      "iac": null,
      "terraform": null,
      "other": null
    }
  },
  "recommendation": null,
  "references": [
    "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service",
    "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users",
    "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management",
    "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support",
    "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy",
    "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy"
  ],
  "compliance": [
    {
      "name": "CIS Microsoft Azure Foundations",
      "version": "3.0.0",
      "reference": "2.20",
      "profile":"Level 2"
    }
  ],
  "level": "medium",
  "tags": [
     
  ],
  "rule": {
    "path": "aad_group_settings",
    "subPath": null,
    "selectCondition": {
       
    },
    "query": [
      {
        "filter": [
          {
            "conditions": [
              [
                "selfServiceGroupManagementEnabled",
                "eq",
                "True"
              ]
            ]
          }
        ]
      }
    ],
    "shouldExist": null,
    "returnObject": null,
    "removeIfNotExists": null
  },
  "output": {
    "html": {
      "data": {
        "properties": {
           
        },
        "expandObject": null
      },
      "table": null,
      "decorate": [
         
      ],
      "emphasis": [
         
      ],
      "actions": {
        "objectData": {
          "properties": [
            "*"
          ],
          "expandObject": null,
          "limit": null
        },
        "showGoToButton": false,
        "showModalButton": false,
        "directLink": null
      }
    },
    "text": {
      "data": {
        "properties": {
           
        },
        "expandObject": null
      },
      "status": {
        "keyName": [
           
        ],
        "message": "Owners can manage group membership requests",
        "defaultMessage": null
      },
      "properties": {
        "resourceName": null,
        "resourceId": null,
        "resourceType": null
      },
      "onlyStatus": false
    }
  },
  "idSuffix": "eid_security_group_management_not_restricted",
  "notes": [
     
  ],
  "categories": [
     
  ]
}