Skip to main content

Description

Restrict Microsoft 365 group creation to administrators only.

Rationale

Restricting Microsoft 365 group creation to administrators only ensures that creation of Microsoft 365 groups is controlled by the administrator. Appropriate groups should be created and managed by the administrator and group creation rights should not be delegated to any other user.

Impact

Enabling this setting could create a number of requests that would need to be managed by an administrator.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Entra ID.
  3. Under Manage, select Groups.
  4. Under Settings, select General.
  5. Under Microsoft 365 Groups, ensure that Users can create Microsoft 365 groups in Azure portals, API or PowerShell is set to No.

Default Value

By default, Users can create Microsoft 365 groups in Azure portals, API or PowerShell is set to Yes.

References

  1. https://learn.microsoft.com/en-us/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwide&redirectSourcePath=%252fen-us%252farticle%252fControl-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-9776-005fced8e618
  2. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy
  3. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-2-define-and-implement-enterprise-segmentationseparation-of-duties-strategy
  4. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users
  5. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements