MT.1064 - Management group creation should be limited to users with explicit write access
Overview
By default, all Entra ID security principals can create new management groups. This introduces governance and security risks, as it allows any user to create a new management group and link subscriptions to it without oversight.
To prevent this, Azure provides a setting that enforces write permission requirements for the creation of new management groups. This ensures that only authorized users can manage the structure of your management group hierarchy.
Remediation action
To enable the requirement for write permissions:
- Navigate to the Microsoft Azure Portal: https://portal.azure.com.
- In the search bar, type Management groups and open the blade.
- Select Settings in the left navigation menu.
- Under Permissions for creating new management groups, enable the switch: Require write permissions for creating new management groups.
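The same setting can be audited and enforced from PowerShell instead of the portal. The script below is an added example, not the Maester test or any other project code: it reads the root management group's hierarchy settings through Azure Resource Manager with `Invoke-AzRestMethod`, reports whether group creation already requires write permission, and, only when run with `-Remediate`, turns the requirement on. It assumes the Az PowerShell module is installed and `Connect-AzAccount` has been run, that the setting is exposed as the `requireAuthorizationForGroupCreation` property of the root management group's `settings/default` resource (api-version 2021-04-01), and that the caller holds write rights on the root management group (whose ID equals the tenant ID).

```powershell
# Added example (not part of the Maester project): check, and optionally enable, the
# "Require write permissions for creating new management groups" hierarchy setting.
# Assumptions: Az.Accounts is loaded and Connect-AzAccount has been run; the setting is
# the 'requireAuthorizationForGroupCreation' property of the root management group's
# default hierarchy settings resource (api-version 2021-04-01); enabling it requires
# write rights on the root management group.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$tenantId = (Get-AzContext).Tenant.Id
if (-not $tenantId) { throw 'No Azure context found. Run Connect-AzAccount first.' }

# The root management group's ID is the tenant ID.
$path = "/providers/Microsoft.Management/managementGroups/$tenantId/settings/default?api-version=2021-04-01"

$response = Invoke-AzRestMethod -Method GET -Path $path
if ($response.StatusCode -eq 404) {
    # Assumption: no hierarchy settings resource has been created yet, so the tenant
    # is on the default behaviour where any principal may create management groups.
    $requireWrite = $false
}
elseif ($response.StatusCode -ne 200) {
    throw "Unexpected response $($response.StatusCode): $($response.Content)"
}
else {
    $settings     = $response.Content | ConvertFrom-Json
    $requireWrite = [bool]$settings.properties.requireAuthorizationForGroupCreation
}

if ($requireWrite) {
    Write-Host 'PASS: creating management groups requires write permission on the root group.' -ForegroundColor Green
}
else {
    Write-Host 'FAIL: any security principal can create management groups.' -ForegroundColor Red

    if ($Remediate -and $PSCmdlet.ShouldProcess("management group $tenantId", 'Require write permissions for creating new management groups')) {
        # PUT the setting; the API creates the settings resource if it does not exist yet.
        $body = @{ properties = @{ requireAuthorizationForGroupCreation = $true } } | ConvertTo-Json -Depth 3
        $put  = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
        if ($put.StatusCode -notin 200, 201) {
            throw "Failed to update hierarchy settings: $($put.StatusCode) $($put.Content)"
        }
        Write-Host 'Setting enabled. Re-run the script without -Remediate to verify.'
    }
}
```

Run it without parameters to get a PASS/FAIL line; `.\Check-MgCreation.ps1 -Remediate -WhatIf` shows what would change, and `-Remediate` alone applies it. A 404 on the GET is treated as the insecure default rather than an error, so a tenant that has never touched the setting is reported as FAIL instead of being skipped.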
Related links
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1064 |
| Severity | High |
| Suite | Maester |
| Category | Azure |
| PowerShell test | Test-MtManagementGroupWriteRequirement |
| Tags | Azure, MT.1064 |
Source
- Pester test: tests/Maester/Azure/Test-MtManagementGroupWriteRequirement.Tests.ps1
- PowerShell source: powershell/public/maester/azure/Test-MtManagementGroupWriteRequirement.ps1