GOV-10: Restrict Security Group Creation
Frequently asked questions about implementing and managing the GOV-10 security control in Microsoft 365 and Entra ID.
Q: What is GOV-10 (Restrict Security Group Creation)?
GOV-10 is a security control that restricts security group creation to administrators. Security groups are used in access grants and policy targeting. If any user can create them, group sprawl and ungoverned access assignments follow, weakening least-privilege and complicating access reviews. The control requires that non-admin users cannot create security groups, that is, authorizationPolicy.defaultUserRolePermissions.allowedToCreateSecurityGroups is false.
Q: Why is Restrict Security Group Creation important for Microsoft 365 security?
Security groups are used in access grants and policy targeting. If any user can create them, group sprawl and ungoverned access assignments follow, weakening least-privilege and complicating access reviews.
Q: How do I implement GOV-10 in my tenant?
GOV-10 requires manual implementation; the check is detect-only. To fix it, go to Entra admin center > Groups > General and set "Users can create security groups" to No.
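A detect-only evaluation of this setting can be scripted against the Microsoft Graph authorizationPolicy resource. The following is an added example, not TrueConfig's or Microsoft's code: the function names are hypothetical and the JSON response is a constructed sample. It treats anything other than an explicit false as not passing.

```python
import json

# Constructed sample of a Microsoft Graph authorizationPolicy response
# (GET /policies/authorizationPolicy); values are illustrative only.
SAMPLE_RESPONSE = json.dumps({
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": False,
        "allowedToCreateSecurityGroups": True,
        "allowedToReadOtherUsers": True,
    },
})

CONTROL_ID = "GOV-10"
SETTING = "defaultUserRolePermissions.allowedToCreateSecurityGroups"


def evaluate_gov10(raw_json):
    """Return a detect-only finding dict for GOV-10 from a policy response."""
    try:
        doc = json.loads(raw_json)
    except (TypeError, ValueError):
        return _finding("ERROR", None, "response is not valid JSON")

    # Assumption: a collection-style response wraps the policy in "value".
    if isinstance(doc, dict) and isinstance(doc.get("value"), list):
        doc = doc["value"][0] if doc["value"] else {}
    if not isinstance(doc, dict):
        return _finding("ERROR", None, "unexpected response shape")

    perms = doc.get("defaultUserRolePermissions")
    value = perms.get("allowedToCreateSecurityGroups") if isinstance(perms, dict) else None

    # Fail closed: only an explicit boolean false satisfies the control.
    if value is False:
        return _finding("PASS", value, "security group creation is restricted to administrators")
    if value is True:
        return _finding("FAIL", value, "non-admin users can create security groups")
    return _finding("UNKNOWN", value, "setting missing or not a boolean; verify in the admin center")


def _finding(status, observed, detail):
    return {"control": CONTROL_ID, "setting": SETTING, "status": status,
            "observed": observed, "detail": detail}


if __name__ == "__main__":
    print(json.dumps(evaluate_gov10(SAMPLE_RESPONSE), indent=2))
```

An UNKNOWN or ERROR result should be followed up in the Entra admin center rather than recorded as compliant.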
Q: What license do I need for GOV-10?
This control can be implemented with any Microsoft 365 subscription, including free Azure AD.
Q: Which security baseline includes GOV-10?
GOV-10 is included in the TrueConfig Recommended Secure baseline (Level 1). This is the foundation level suitable for most organizations.