Microsoft Entra IDOverview
Restrict security group creation to administrators only.
Rationale
When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.
Impact
Enabling this setting could create many requests that would need to be managed by an administrator.
Default Value
By default, Users can create security groups in Azure portals, API or PowerShell is set to Yes.
Remediation guidance
From Azure Portal
- Open Groups | General
- Set
Users can create security groups in Azure portals, API or PowerShelltoNo.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Microsoft Entra ID
Use tenant-wide Conditional Access, role settings, authentication policies, and identity governance baselines so the control is enforced centrally.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Entra tenants allowing users to create security groups
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
authorizationPolicy: { defaultUserAllowedToCreateSecurityGroups: true }
}
) {
...AssetFragment
}
}
