Microsoft Entra IDOverview
Restrict Microsoft 365 group creation to administrators only.
Rationale
Restricting Microsoft 365 group creation to administrators only ensures that the administrator controls the creation of Microsoft 365 groups. Appropriate groups should be created and managed by the administrator, and group creation rights should not be delegated to any other user.
Impact
Enabling this setting could create several requests that would need to be managed by an administrator.
Default Value
By default, Users can create Microsoft 365 groups in Azure portals, API or PowerShell is set to Yes.
Remediation guidance
From Azure Portal
- Open Groups | General
- Set
Users can create Microsoft 365 groups in Azure portals, API or PowerShelltoNo.
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Entra Tenants allowing Microsoft 365 group creation
Connectors
Covered asset types
Expected check: eq []
{
connectors(where: { groupUnifiedSettings: { enableGroupCreation: true } }) {
...AssetFragment
}
}
