
Ensure that write permissions are required to create new management groups

Why This Matters

If any user in your tenant can create new management groups without explicit write permissions, the risk of unauthorized restructuring or privilege escalation increases. Management groups control policy inheritance and access management across your entire Azure hierarchy. Restricting creation to authorized administrators keeps governance intact and prevents accidental or malicious changes to your organizational structure.

What Aether365 Checks

Aether365 verifies that the Microsoft Entra ID tenant setting requiring write permissions to create new management groups is enabled. This check appears in the Aether365 dashboard under the microsoft-365 section.
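
One way to evaluate this setting yourself, as an added example that is not Aether365's own code. It assumes the setting is read from the Azure Resource Manager hierarchy settings of the root management group, where it appears as the `requireAuthorizationForGroupCreation` property; the function name and the sample responses are constructed for illustration.

```python
import json

# Property on the root management group's hierarchy settings in Azure
# Resource Manager (.../managementGroups/<root-id>/settings/default).
SETTING = "requireAuthorizationForGroupCreation"

# Constructed sample response bodies; the all-zero GUID is a placeholder.
_ID = ("/providers/Microsoft.Management/managementGroups/"
       "00000000-0000-0000-0000-000000000000/settings/default")
SAMPLE_ENABLED = json.dumps({"id": _ID, "name": "default",
                             "properties": {SETTING: True}})
SAMPLE_DISABLED = json.dumps({"value": [{"id": _ID, "name": "default",
                                         "properties": {SETTING: False}}]})
SAMPLE_UNCONFIGURED = json.dumps({"value": []})


def evaluate_hierarchy_settings(body):
    """Return (passed, reason) for a hierarchy settings response body.

    Accepts a single settings object or a list response ({"value": [...]}).
    Absent settings fail the check, because by default any security
    principal in the tenant may create management groups.
    """
    doc = json.loads(body) if isinstance(body, str) and body.strip() else body
    if not isinstance(doc, dict) or not doc:
        return False, "no hierarchy settings returned (default allows creation)"
    items = doc["value"] if isinstance(doc.get("value"), list) else [doc]
    for item in items:
        props = item.get("properties") if isinstance(item, dict) else None
        value = props.get(SETTING) if isinstance(props, dict) else None
        if value is True:
            return True, "write permission is required to create management groups"
        if value is not None:
            # Present but not a JSON true (false, or a mistyped string).
            return False, f"{SETTING} is {value!r}, expected true"
    return False, f"{SETTING} is not set (default allows creation)"


if __name__ == "__main__":
    for name in ("SAMPLE_ENABLED", "SAMPLE_DISABLED", "SAMPLE_UNCONFIGURED"):
        print(name, evaluate_hierarchy_settings(globals()[name]))
```

A tenant where the hierarchy settings were never configured fails the same way as one where the property is explicitly false, since the default permits creation by any principal.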
