turbot/microsoft365_compliance

Control: 1.1.12 Ensure that only organizationally managed/approved public groups exist

Description

Ensure that only organizationally managed and approved public groups exist.

In the Microsoft 365 Administration panel, when a group is created, the default privacy value is "Public". Make sure that public groups are willfully created. When a group has a "public" privacy, users may access data related to this group (e.g. SharePoint), through three methods :

By using the Azure portal, and adding themselves into the public group. In this case, administrators are not notified. By requiring access to the group from the Group application of the Access Panel. This method forces users to send a message to the group owner, but they still have immediately access to the group. By accessing the SharePoint URL. The SharePoint URL is usually guessable, and can be found from the Group application of the Access Panel. If group privacy is not controlled, any user may access sensitive information, according to the group they try to access.

Note: Public in this case meaning public to the organization.

Remediation

In the Microsoft 365 Administration portal, go to:

  1. Teams & groups.
  2. Active teams & groups.
  3. Select a Public group.
  4. Go to Settings.
  5. Set Privacy to Private.

Default Value: Public when created from the Administration portal; private otherwise.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v140_1_1_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v140_1_1_12 --share

SQL

This control uses a named query:

azuread_group_not_public

Tags