Version: 2.1.0

MT.1069 - Restrict non-admin users from creating security groups.

Overview

Description

Verifies that security group creation is restricted to admin users only in the Entra ID tenant.

Why This Matters

Security groups are access-bearing objects: they can be assigned to applications, resources and (when role-assignable) to Entra roles, and whoever creates a group becomes its owner and controls its membership. If every member user can create security groups, access-bearing objects multiply outside administrative oversight, which weakens governance, erodes least privilege, and complicates the access reviews that regulatory frameworks expect.

Remediation action

This setting can be changed via user settings in the Microsoft Entra admin center or Azure portal, or via the Microsoft Graph API / Graph PowerShell module. The portal toggle "Users can create security groups" corresponds to the allowedToCreateSecurityGroups property under defaultUserRolePermissions in the tenant's authorization policy. Note that this setting governs security groups only; Microsoft 365 group creation is controlled separately by the Group.Unified directory setting.

Admin Portal:

  1. Go to Entra Admin Center
  2. Navigate to Users → User settings
  3. Set Users can create security groups to No
  4. Click Save

Use the following PowerShell commands to restrict security group creation:

# Connect to Microsoft Graph with a scope that permits writing the authorization policy
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Read the current setting. In the v1.0 API the authorization policy is a tenant singleton,
# so Get-MgPolicyAuthorizationPolicy returns exactly one object.
$authPolicy = Get-MgPolicyAuthorizationPolicy
# $true means any member user can create security groups
$authPolicy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups

# Update the policy so that only administrators can create security groups
$params = @{
    defaultUserRolePermissions = @{
        allowedToCreateSecurityGroups = $false
    }
}

# The v1.0 cmdlet addresses the singleton directly and takes no policy ID
# (only the beta cmdlet, Update-MgBetaPolicyAuthorizationPolicy, takes -AuthorizationPolicyId)
Update-MgPolicyAuthorizationPolicy -BodyParameter $params

# Confirm the change took effect; expected value is False
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateSecurityGroups
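The following read-only check, added here as an example and not Maester's own code, mirrors what MT.1069 verifies so that it can be run ad hoc (for instance in a change ticket before and after remediation). It assumes the Microsoft.Graph PowerShell SDK is installed and an interactive sign-in is acceptable; the function names are illustrative. It also goes beyond the page's scope with a second, separately labelled function for Microsoft 365 group creation, because that is governed by the Group.Unified directory setting rather than by the authorization policy and is a common blind spot when this control is believed to cover "all groups".

```powershell
# Added example, not part of the Maester project. Read-only: both scopes below only read policy/settings.
# Policy.Read.All reads the authorization policy; Directory.Read.All reads directory (group) settings.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All" -NoWelcome

function Test-SecurityGroupCreationRestricted {
    # Equivalent of the MT.1069 check: in v1.0 the authorization policy is a singleton resource,
    # so a GET on /policies/authorizationPolicy returns one object, not a collection.
    $policy  = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"
    $allowed = [bool]$policy.defaultUserRolePermissions.allowedToCreateSecurityGroups

    [pscustomobject]@{
        Check   = "MT.1069 - non-admin users cannot create security groups"
        Allowed = $allowed          # $true = any member user may create security groups
        Passed  = (-not $allowed)
    }
}

function Test-M365GroupCreationRestricted {
    # Beyond MT.1069 (added caveat): Microsoft 365 groups use the Group.Unified directory setting.
    # If that setting object does not exist in the tenant, the default applies and everyone may create them.
    $setting = Get-MgGroupSetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        $allowed = $true
    }
    else {
        $raw     = ($setting.Values | Where-Object { $_.Name -eq "EnableGroupCreation" }).Value
        # The value is stored as a string ("true"/"false"); treat a missing value as the default (true)
        $allowed = if ([string]::IsNullOrEmpty($raw)) { $true } else { [System.Convert]::ToBoolean($raw) }
    }

    [pscustomobject]@{
        Check   = "Microsoft 365 group creation restricted (not covered by MT.1069)"
        Allowed = $allowed
        Passed  = (-not $allowed)
    }
}

$results = @(
    Test-SecurityGroupCreationRestricted
    Test-M365GroupCreationRestricted
)
$results | Format-Table -AutoSize

foreach ($r in $results | Where-Object { -not $_.Passed }) {
    Write-Warning "FAILED: $($r.Check)"
}
```

Run it once before applying the remediation above and once afterwards; the first function should flip from Passed = False to Passed = True, while the second is unaffected by the authorization policy change and needs its own remediation (a Group.Unified setting with EnableGroupCreation set to false) if you want Microsoft 365 group creation restricted as well.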

Test Metadata

Field             Value
Test ID           MT.1069
Severity          Low
Suite             Maester
Category          Entra
PowerShell test   Test-MtSecurityGroupCreationRestricted
Tags              Entra, Group, MT.1069

Source

  • Pester test: tests/Maester/Entra/Test-MtSecurityGroupCreationRestricted.Tests.ps1
  • PowerShell source: powershell/public/maester/entra/Test-MtSecurityGroupCreationRestricted.ps1