GOV-10 | Low | Recommended Secure
Restrict Security Group Creation
Governance & Hygiene control for Microsoft 365 and Entra ID
Why This Control Matters
Security groups are used in access grants and policy targeting. If any user can create them, group sprawl and ungoverned access assignments follow, weakening least-privilege and complicating access reviews.
Expected State
When this control is compliant, your tenant should meet these criteria:
1. Non-admin users cannot create security groups
2. Security group creation is restricted to administrators
3. authorizationPolicy.defaultUserRolePermissions.allowedToCreateSecurityGroups is false
Enforcement
Default Mode: Advisory
Alerts on deviations but does not make changes
Auto-Remediation: Manual Only
Detect-only. Fix in Entra admin center > Groups > General > Users can create security groups = No.
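A detect-only check for the expected state above, as an added example (not TrueConfig's code). It evaluates the JSON of the tenant's authorizationPolicy object as exported from Microsoft Graph; the function names and the sample documents are constructed for illustration, and a missing or non-boolean value is reported as unknown, never as compliant.

```python
import json

# Property path named in the control's expected state.
PATH = ("defaultUserRolePermissions", "allowedToCreateSecurityGroups")

# Constructed sample policy documents (not captured from a real tenant).
SAMPLE_OPEN = json.dumps({
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {"allowedToCreateSecurityGroups": True},
})
SAMPLE_RESTRICTED = json.dumps({"value": [{
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {"allowedToCreateSecurityGroups": False},
}]})
SAMPLE_INCOMPLETE = json.dumps({"id": "authorizationPolicy"})


def _finding(status, observed, detail):
    return {"control": "GOV-10", "status": status,
            "observed": observed, "detail": detail}


def evaluate_gov10(raw_json):
    """Return a detect-only finding for GOV-10 from a policy JSON string."""
    doc = json.loads(raw_json)
    # Accept a single policy object or a {"value": [policy]} collection wrapper.
    if isinstance(doc, dict) and isinstance(doc.get("value"), list):
        if len(doc["value"]) != 1:
            return _finding("unknown", None, "expected exactly one policy object")
        doc = doc["value"][0]
    node = doc
    for key in PATH:
        if not isinstance(node, dict) or key not in node:
            return _finding("unknown", None, "missing " + ".".join(PATH))
        node = node[key]
    # Only a real JSON boolean counts; the string "false" is not trusted.
    if not isinstance(node, bool):
        return _finding("unknown", node, "value is not a boolean")
    if node:
        return _finding("non_compliant", node,
                        "Entra admin center > Groups > General > "
                        "Users can create security groups = No")
    return _finding("compliant", node, "")


if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_RESTRICTED, SAMPLE_INCOMPLETE):
        print(evaluate_gov10(sample))
```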