rules/findings/EntraID/Groups/CIS3.0/eid-users-can-create-m365-groups.json
|
{
"args": [ ], "provider": "EntraID", "serviceType": "Groups", "serviceName": "Microsoft Entra ID", "displayName": "Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'", "description": "Consider to limit that regular users the ability to create Microsoft 365 groups. When this settings is enabled, all users in the Microsoft Entra ID are allowed to create new Microsoft 365 groupd and add members to these groups.", "rationale": "Restricting Microsoft 365 group creation to administrators only ensures that creation of Microsoft 365 groups is controlled by the administrator. Appropriate groups should be created and managed by the administrator and group creation rights should not be delegated to any other use.", "impact": "Enabling this setting could create a number of request that would need to be managed by an administrator.", "remediation": { "text": "###### From Azure Console\r\n\t\t\t\t\t1. Go to `Microsoft Entra ID`\r\n\t\t\t\t\t2. Go to `Groups`\r\n\t\t\t\t\t3. Go to `General`\r\n\t\t\t\t\t4. Ensure that `Users can create Microsoft 365 groups in Azure Portals` is set to `No`", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups", "https://docs.microsoft.com/en-us/office365/admin/create-groups/manage-creation-of-groups", "https://whitepages.unlimitedviz.com/2017/01/disable-office-365-groups-2/", "https://support.office.com/en-us/article/Control-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-9776-005fced8e618", "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy", "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy", "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users", "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management", "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems" ], "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "3.0.0", "reference": "2.21", "profile": "Level 2" } ], "level": "medium", "tags": [ ], "rule": { "path": "aad_settings", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "templateId", "eq", "62375ab9-6b52-47ed-826b-58e47e0e304b" ], [ "properties.EnableGroupCreation", "eq", "True" ] ], "operator": "and" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "objectId": "Object Id", "displayName": "Display Name", "usersCanRegisterApps": "Users can register apps", "restrictNonAdminUsers": "Restrict non-admin users", "office365GroupsEnabled": "Microsoft 365 group enabled" }, "expandObject": null }, "table": "asList", "decorate": [ ], "emphasis": [ "Microsoft 365 group enabled" ], "actions": { "objectData": { "properties": [ ], "expandObject": null, "limit": null }, "showGoToButton": null, "showModalButton": null, "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "Microsoft 365 group creation is not restricted", "defaultMessage": null }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": false } }, "idSuffix": "eid_restrict_m365_group_creation_admins", "notes": [ ], "categories": [ ] } |