Restrict member users' default permissions - looking for clarification

Zach Gonzales IS 20 Reputation points
2023-09-21T16:06:00.3833333+00:00

When looking at the Microsoft documentation on user default permissions, I brought up to my team that the settings we have look to be a security concern. Below is a screenshot of our settings:

In your experience when changing the settings marked with a red rectangle, what are the usual business impacts of doing so? I am having pushback from our department, and I would like some help showing my team that making these changes is a net positive for security and will not harm our user experience.

Thank you.


1 answer

  1. Crystal-MSFT 45,571 Reputation points Microsoft Vendor
    2023-09-22T05:13:23.09+00:00

    @Zach Gonzales IS, Thanks for posting in Q&A. Based on the Microsoft documentation, changing the settings marked with a red rectangle in the screenshot provided could have the following business impacts:

    • Setting "Register applications" to "No" would prevent users from creating application registrations. However, this ability can be granted back to specific individuals by adding them to the application developer role.
    • Setting "Create security groups" to "No" would prevent users from creating security groups. However, global administrators and user administrators can still create security groups.
    • "Guest user access is restricted to properties and memberships of their own directory objects" restricts guest access to only their own user profile by default. Access to other users is no longer allowed, even when they're searching by user principal name, object ID, or display name. Access to group information, including group memberships, is also no longer allowed.

    To address pushback from your department, you can explain that these changes are a net positive for security as they restrict users' default permissions and prevent them from taking actions that could potentially harm the organization. However, it's important to carefully consider the specific needs and workflows of your organization before making any changes to default permissions.


    References:


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments
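The three settings discussed in the answer can be checked against an exported copy of the tenant's Microsoft Graph `authorizationPolicy` object. The following is an added example, not part of the original thread: the sample policy is constructed, the function names are hypothetical, and treating a missing value as permissive is an assumption.

```python
# Guest access levels, keyed by the guestUserRoleId values Microsoft Graph uses.
GUEST_ROLES = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "same access as members",
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "limited access",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "restricted to own directory objects",
}
RESTRICTED_GUEST = "2af84b1e-32c8-42b7-82bc-daa82404023b"

# Constructed sample of GET /policies/authorizationPolicy (not a real tenant).
SAMPLE_POLICY = {
    "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateSecurityGroups": True,
    },
}

def audit(policy):
    """Return (setting, current state, note) for the three settings discussed."""
    perms = policy.get("defaultUserRolePermissions", {})
    guest = policy.get("guestUserRoleId")
    return [
        ("Register applications", perms.get("allowedToCreateApps"),
         "if No: grant the Application Developer role to those who need it"),
        ("Create security groups", perms.get("allowedToCreateSecurityGroups"),
         "if No: global and user administrators can still create groups"),
        ("Guest user access", GUEST_ROLES.get(guest, f"unknown ({guest})"),
         "restricted: guests see only their own profile, no group info"),
    ]

def hardening_patch(policy):
    """Minimal PATCH body that changes only the still-permissive settings."""
    perms = policy.get("defaultUserRolePermissions", {})
    body, changed = {}, {}
    for key in ("allowedToCreateApps", "allowedToCreateSecurityGroups"):
        if perms.get(key) is not False:  # assumption: missing means permissive
            changed[key] = False
    if changed:
        body["defaultUserRolePermissions"] = changed
    if policy.get("guestUserRoleId") != RESTRICTED_GUEST:
        body["guestUserRoleId"] = RESTRICTED_GUEST
    return body

if __name__ == "__main__":
    for name, state, note in audit(SAMPLE_POLICY):
        print(f"{name}: {state} ({note})")
    print("PATCH body:", hardening_patch(SAMPLE_POLICY))
```

An empty result from `hardening_patch` means all three settings are already in the restricted state.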