Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'

Why This Matters

Allowing every user in your directory to create security groups introduces significant operational risk. Unauthorized groups may bypass access controls, complicate audit trails, and lead to unmanaged permissions that attackers could exploit. Restricting this capability to administrators ensures consistent governance and reduces the attack surface.

What Aether365 Checks

This check verifies that the Microsoft Entra ID setting "Users can create security groups in Azure portals, API or PowerShell" is set to "No". It appears in your Aether365 dashboard under the entra-id checks section.
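The same setting can be read directly from the tenant's authorization policy. The following is an added example, not Aether365's own code: it assumes the Microsoft Graph PowerShell SDK and that the portal toggle is backed by the `AllowedToCreateSecurityGroups` property of the policy's default user role permissions. The function name and the sample objects are constructed for illustration.

```powershell
# Added example (not Aether365 code). Evaluates an authorization policy object
# and reports Pass only when users are explicitly blocked from creating
# security groups. A missing value is reported as Unknown, never as Pass.
function Test-SecurityGroupCreationRestricted {
    param(
        [Parameter(Mandatory)]
        [AllowNull()]
        [object]$AuthorizationPolicy
    )

    $value = $null
    if ($null -ne $AuthorizationPolicy -and
        $null -ne $AuthorizationPolicy.DefaultUserRolePermissions) {
        $value = $AuthorizationPolicy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups
    }

    $status = if ($null -eq $value) { 'Unknown' }
              elseif ($value -eq $false) { 'Pass' }
              else { 'Fail' }

    [pscustomobject]@{
        Setting = 'AllowedToCreateSecurityGroups'
        Value   = $value
        Status  = $status
    }
}

# Constructed sample policies: weak setting, corrected setting, unreadable policy.
$samples = @(
    [pscustomobject]@{ DefaultUserRolePermissions = [pscustomobject]@{ AllowedToCreateSecurityGroups = $true } }
    [pscustomobject]@{ DefaultUserRolePermissions = [pscustomobject]@{ AllowedToCreateSecurityGroups = $false } }
    [pscustomobject]@{ DefaultUserRolePermissions = $null }
)
$samples | ForEach-Object { Test-SecurityGroupCreationRestricted -AuthorizationPolicy $_ }

# Against a real tenant (read-only check, requires the Policy.Read.All scope):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   Test-SecurityGroupCreationRestricted -AuthorizationPolicy (Get-MgPolicyAuthorizationPolicy)
#
# Setting the value to 'No' (requires the Policy.ReadWrite.Authorization scope):
#   Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateSecurityGroups = $false }
```

The three sample objects produce Fail, Pass and Unknown in that order; treat Unknown as a failed read of the policy rather than as compliance.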

Microsoft references