Microsoft Entra – Restrict Security Group Creation

This check ensures that only authorized users can create security groups in Microsoft Entra. Restricting group creation helps prevent privilege misuse, unauthorized access, and uncontrolled group sprawl.

Check Details

  • Resource: Microsoft Entra ID
  • Check: Restrict security group creation
  • Risk: Unrestricted group creation can lead to unauthorized access, privilege escalation, and governance issues

Remediation via Microsoft Entra Admin Center

  1. Log in to the Microsoft Entra Admin Center.
  2. Navigate to Groups from the left-hand menu.
  3. Click on General settings.
  4. Locate “Users can create security groups in Azure portals, API or PowerShell”.
  5. Set this option to No to restrict group creation.
  6. Click Save to apply the changes.
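
The same setting can be audited and changed from PowerShell through Microsoft Graph, where it appears as `allowedToCreateSecurityGroups` under the tenant authorization policy's `defaultUserRolePermissions`. The script below is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell SDK is installed, and the `-Remediate` switch and function name are illustrative.

```powershell
# Added example: audit (and optionally remediate) whether default users may
# create security groups. Assumes the Microsoft Graph PowerShell SDK is installed
# and the signed-in account can consent to the scopes requested below.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # illustrative switch: change the setting when non-compliant
)

# Read-only scope for the audit; the write scope is requested only when remediating.
$scopes = @('Policy.Read.All')
if ($Remediate) { $scopes += 'Policy.ReadWrite.Authorization' }
Connect-MgGraph -Scopes $scopes | Out-Null

function Get-SecurityGroupCreationSetting {
    # Returns $true when users can create security groups, $false when restricted.
    $policy = Get-MgPolicyAuthorizationPolicy
    return $policy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups
}

$current = Get-SecurityGroupCreationSetting
if ($null -eq $current) {
    Write-Warning 'Setting was not returned; treating the tenant as non-compliant.'
}

if ($current -eq $false) {
    Write-Output 'COMPLIANT: users cannot create security groups.'
    exit 0
}

Write-Output "NON-COMPLIANT: allowedToCreateSecurityGroups = $current"
if (-not $Remediate) { exit 1 }

if ($PSCmdlet.ShouldProcess('authorizationPolicy', 'Set allowedToCreateSecurityGroups to false')) {
    $body = @{ defaultUserRolePermissions = @{ allowedToCreateSecurityGroups = $false } }
    Update-MgPolicyAuthorizationPolicy -BodyParameter $body

    # Re-read the policy so the result reflects what the tenant now reports.
    if ((Get-SecurityGroupCreationSetting) -eq $false) {
        Write-Output 'REMEDIATED: security group creation is now restricted.'
        exit 0
    }
    Write-Error 'Update was sent but the setting still allows group creation.'
}
exit 1
```

Run it without arguments for a read-only check, or with `-Remediate -WhatIf` to preview the change before applying it.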

Default Value

By default, Microsoft Entra allows all users to create security groups. This can lead to uncontrolled group creation if not restricted.

Updated on 20 April, 2026