Restrict Security Group Creation for Professional Services & Consulting

Professional Services & Consulting organizations face specific regulatory requirements including soc2, iso27001, cis. The GOV-10 control helps address these requirements by:

• Non-admin users cannot create security groups
• Security group creation is restricted to administrators
• authorizationPolicy.defaultUserRolePermissions.allowedToCreateSecurityGroups is false

Security groups are used in access grants and policy targeting. If any user can create them, group sprawl and ungoverned access assignments follow, weakening least-privilege and complicating access reviews.

When implementing GOV-10 in a professional services & consulting environment, consider:

• **Regulatory requirements**: soc2, iso27001, cis may mandate specific configurations
• **Risk tolerance**: Professional Services & Consulting organizations typically have moderate to low risk tolerance
• **Audit frequency**: Plan for regular compliance reviews
• **Documentation**: Maintain detailed records for regulatory inspections

GOV-10 requires the following configuration:

• Non-admin users cannot create security groups
• Security group creation is restricted to administrators
• authorizationPolicy.defaultUserRolePermissions.allowedToCreateSecurityGroups is false

Detect-only. Fix in Entra admin center > Groups > General > Users can create security groups = No.

Follow the steps above in your Microsoft Entra admin center to enable this control.