Framework/Configurations/SVT/AAD/AAD.Group.json

{
    "FeatureName": "Group",
    "Reference": "aka.ms/azsktcp/group",
    "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "AAD_Group_Use_Security_Enabled",
      "Description": "All AAD groups must be security enabled (TBD)",
      "Id": "Group110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckGroupsIsSecurityEnabled",
      "Rationale": "TBD. Need to discuss/review this further.",
      "Recommendation": "Refer: TODO",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AAD_Group_Require_FTE_Owner",
      "Description": "Group must have at least one non-guest (native) owner",
      "Id": "Group120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckGroupHasNonGuestOwner",
      "Rationale": "Guest users in a tenant can be transient. Ensuring that at least one FTE owner is accountable for managing a group, approving/reviewing membership, etc. leads to better governance.",
      "Recommendation": "Refer: TODO",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    }
    ]
}