Description
- Type: CUSTOMER
- Severity: NOTICE
- Protection against: Abuse of Functionality (Hacking)
- CIS: -
- FIX Available: YES
This Customer Check verifies whether regular (non-administrator) users are able to create security groups in Azure AD.
Why this check?
A security group in the Microsoft cloud is a group created within Azure AD that can contain users and other groups. Groups are used in various ways, for example to give a certain role in the organization specific rights, or to grant access to particular information resources.
The owner of a security group is able to "consent" to apps on behalf of the entire group (see also CHK-1128). The user who creates a group typically becomes its owner, so when regular users are able to create security groups, a user (or an attacker using a compromised user account) can create a group and then consent to a malicious application for it. In combination with that App Consent situation, this poses the risk of malicious applications gaining access to data in your tenant.
Therefore, we advise reserving the creation of security groups for administrators.
What possible outcomes does the check have?
This check has two possible outcomes. In Attic, this is reflected as follows:
- Okay: Regular users cannot create new security groups
- Notice: A regular user can create security groups
How should this be followed up?
If the output is Notice, we advise disabling the ability for regular users to create security groups. This corresponds to the setting "Users can create security groups in Azure portals, API or PowerShell" under Azure AD > Groups > General.
A Fix is available for this check, which we will offer via Attic.
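The same check and fix can be carried out manually with Microsoft Graph PowerShell. The script below is an added example and is not Attic's own check or fix; it assumes the Microsoft.Graph module is installed and that the signed-in account holds a role that may read and update the tenant authorization policy (for example Global Administrator). The function names are chosen for this example only.

```powershell
# Added example (not Attic's own check or fix): audit and remediate the tenant
# setting that lets regular users create security groups.
# Assumptions: Microsoft.Graph module installed; signed-in account may read and
# write the authorization policy.

Import-Module Microsoft.Graph.Identity.SignIns

function Get-SecurityGroupCreationStatus {
    # Mirrors the two outcomes of the check: "Okay" when regular users cannot
    # create security groups, "Notice" when they can. The flag lives in the
    # tenant-wide authorization policy under defaultUserRolePermissions.
    $policy  = Get-MgPolicyAuthorizationPolicy
    $allowed = $policy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups
    if ($allowed) { return "Notice" } else { return "Okay" }
}

function Disable-SecurityGroupCreationByUsers {
    # Sets defaultUserRolePermissions.allowedToCreateSecurityGroups to false.
    # This is the same switch as "Users can create security groups in Azure
    # portals, API or PowerShell" under Azure AD > Groups > General.
    $body = @{
        defaultUserRolePermissions = @{
            allowedToCreateSecurityGroups = $false
        }
    }
    Update-MgPolicyAuthorizationPolicy -BodyParameter $body
}

# Policy.ReadWrite.Authorization covers both the audit and the fix; for a
# read-only audit, Policy.Read.All is sufficient.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

$before = Get-SecurityGroupCreationStatus
Write-Host "Check result before fix: $before"

if ($before -eq "Notice") {
    Disable-SecurityGroupCreationByUsers
    Write-Host "Check result after fix: $(Get-SecurityGroupCreationStatus)"
}
```

Two caveats when applying this: the flag only governs security groups, not Microsoft 365 groups, whose creation is controlled separately through the Group.Unified directory setting; and users holding an administrative role such as Groups Administrator or User Administrator keep the ability to create groups regardless of this setting, which is the intended outcome of the check.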