Account/Authentication - Azure Active Directory - Ensure that Only Organizationally Managed/Approved Public Groups Exist

Summary

Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365 and can give a group of people access to a collection of shared resources (a mailbox, a SharePoint site, a Team, a Planner plan). Although there are various group types in the tenant, this recommendation is concerned only with Microsoft 365 Groups.

In the Administration panel, when a group is created, the default privacy value is "Public".

Reason

As the heading suggests, this recommendation ensures that only organizationally managed and approved public groups exist. When a group's privacy is "Public", any user in the tenant can reach the data associated with it (for example its SharePoint site) via three methods:
  1. By using the Azure portal and adding themselves to the public group.
  2. By requesting access to the group from the Groups application of the Access Panel (now My Apps).
  3. By accessing the SharePoint URL directly.

Administrators are generally notified when a user joins a group through the Azure portal. Requesting access to the group forces the user to send a message to the group owner, but because the group is public they still get immediate access without the owner's approval. The SharePoint URL is usually guessable, and can also be found from the Groups application of the Access Panel. If group privacy is not controlled, any user may access sensitive information, depending on the group they join.

NOTE: Public in this case means public to the identities within the organization, not to anonymous or external users.

What If?

After applying the recommendation, the group owners could receive more access requests than usual, especially regarding groups originally meant to be public.

How to?

In the Microsoft 365 Administration portal, go to:
  1. Teams and groups
  2. Active teams and groups
  3. Select a Public group
  4. Go to 'Settings'
  5. Set Privacy to 'Private'

Monitor:

Using the Microsoft 365 Administration portal, go to:
  1. Teams and groups
  2. Active teams and groups
  3. Check that no groups other than the approved ones show 'Public' in the Privacy column.

Using the Microsoft.Graph PowerShell module:

To get the list of public groups, run the following (Where-Object needs a script block in braces; the -All switch is required, otherwise only the first page of groups is returned and public groups in a large tenant are silently missed):

Connect-MgGraph -Scopes "Group.Read.All"
Get-MgGroup -All | Where-Object { $_.Visibility -eq "Public" } | Select-Object DisplayName, Visibility
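As an added example (not code from the original post), the following PowerShell script does with the Microsoft.Graph module what the How to? and Monitor sections describe for the admin center: it lists the Microsoft 365 groups whose privacy is Public, excludes an approved list, and can set the remainder to Private. The approved-list entries and the function names are assumptions for illustration; Update-MgGroup needs the Group.ReadWrite.All scope, which the read-only check above does not.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module.
# Group.ReadWrite.All is only needed for the remediation step at the end.

# Hypothetical allow-list of approved public groups. Display names are not
# unique in Entra ID, so a production list should hold group object IDs instead.
$ApprovedPublicGroups = @("All Company", "Social Club")

function Get-UnapprovedPublicGroups {
    param(
        [string[]]$Approved = $ApprovedPublicGroups
    )
    # -All pages through every group; the default page size would truncate
    # large tenants. GroupTypes containing "Unified" identifies Microsoft 365
    # groups; security and distribution groups carry no Visibility value.
    Get-MgGroup -All -Property Id,DisplayName,Visibility,GroupTypes,Mail |
        Where-Object {
            $_.GroupTypes -contains "Unified" -and
            $_.Visibility -eq "Public" -and
            $_.DisplayName -notin $Approved
        }
}

function Set-PublicGroupPrivate {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm for free,
    # so the change can be rehearsed before any group is touched.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Group
    )
    process {
        if ($PSCmdlet.ShouldProcess($Group.DisplayName, "Set Visibility to Private")) {
            Update-MgGroup -GroupId $Group.Id -Visibility "Private"
        }
    }
}

Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Report first, so the list can be reviewed against the approved groups...
$unapproved = Get-UnapprovedPublicGroups
$unapproved | Select-Object DisplayName, Mail, Visibility | Format-Table -AutoSize

# ...then remediate. Remove -WhatIf to actually flip the groups to Private.
$unapproved | Set-PublicGroupPrivate -WhatIf
```

Run the report stage on its own first and reconcile it with the approved list: once a group is Private, members keep their access but new users must be added by an owner, which is the source of the extra access requests mentioned under What If?.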