2.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'

Information

Restrict access to the groups web interface in the Access Panel portal.

Rationale:

Self-service group management enables users to create and manage security groups or Office 365 groups in Microsoft Entra ID. Unless a business requires this day-to-day delegation for some users, self-service group management should be disabled. Any user can access the Access Panel, where they can reset their passwords, view their information, etc. By default, users are also allowed to access the Groups feature, which shows groups, members, and related resources (SharePoint URL, group email address, Yammer URL, and Teams URL). Setting this feature to 'Yes' removes users' access to the web interface, but the same data remains accessible through the API. This is useful for preventing non-technical users from enumerating group-related information, but technical users will still be able to retrieve this information using APIs.

Impact:

Setting this to Yes could create administrative overhead: users seeking certain group memberships will have to be served manually by administrators with appropriate permissions.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Remediate from Azure Portal

From Azure Home select the Portal Menu

Select Microsoft Entra ID

Under Manage, select Groups

Under Settings, select General

Under Self Service Group Management, set Restrict user ability to access groups features in My Groups to Yes

Click Save

Default Value:

By default, Restrict user ability to access groups features in the Access Pane is set to No.

See Also

https://workbench.cisecurity.org/benchmarks/16820

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4), CSCv7|14.6

Plugin: microsoft_azure

Control ID: 1fddfa995b14eb6d766e386f6f768b1137c5aceef95b5084077c4505399747f1