Microsoft Entra IDOverview
Restrict security group creation to administrators only.
Rationale
When creating security groups is enabled, all users in the directory are allowed to create new security groups and add members to those groups. Unless a business requires this day-to-day delegation, security group creation should be restricted to administrators only.
Impact
Enabling this setting could create many requests that would need to be managed by an administrator.
Default Value
By default, Users can create security groups in Azure portals, API or PowerShell is set to Yes.
Remediation guidance
From Azure Portal
- Open Groups | General
- Set
Users can create security groups in Azure portals, API or PowerShelltoNo.
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Entra tenants allowing users to create security groups
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
authorizationPolicy: { defaultUserAllowedToCreateSecurityGroups: true }
}
) {
...AssetFragment
}
}
