Microsoft Entra IDOverview
Restrict Microsoft 365 group creation to administrators only.
Rationale
Restricting Microsoft 365 group creation to administrators only ensures that the administrator controls the creation of Microsoft 365 groups. Appropriate groups should be created and managed by the administrator, and group creation rights should not be delegated to any other user.
Impact
Enabling this setting could create several requests that would need to be managed by an administrator.
Default Value
By default, Users can create Microsoft 365 groups in Azure portals, API or PowerShell is set to Yes.
Remediation guidance
From Azure Portal
- Open Groups | General
- Set
Users can create Microsoft 365 groups in Azure portals, API or PowerShelltoNo.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Microsoft Entra ID
Use tenant-wide Conditional Access, role settings, authentication policies, and identity governance baselines so the control is enforced centrally.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Entra Tenants allowing Microsoft 365 group creation
Connectors
Covered asset types
Expected check: eq []
{
connectors(where: { groupUnifiedSettings: { enableGroupCreation: true } }) {
...AssetFragment
}
}
