Skip to main content

lacework-global-592

1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' (Manual)

Profile Applicability

• Level 2

Description

Restrict security group creation to administrators only.

Rationale

When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.

Impact

Enabling this setting could create a number of requests that would need to be managed by an administrator.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Groups
  3. Then General in setting
  4. Ensure that Users can create security groups in Azure portals, API or PowerShell is set to No

Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security assessment for this recommendation.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Azure Active Directory
  3. Then Groups
  4. Select General in setting
  5. Set Users can create security groups in Azure portals, API or PowerShell to No

Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.

References

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management#making-a-group-available-for-end-user-self-service
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-2-define-enterprise-segmentation-strategy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems