We have a permission system which is based on Azure AD security groups. All of the Azure access can be controlled by assigning employees to the corresponding team (group). This can be done by our project managers, who get assigned as owners of their teams.
We automated the creation of the groups and the access reviews, as well as the synchronisation to the distribution groups (as mail-enabled security groups cannot be created via the Graph API, we need to create distribution groups and sync them).
This works really well - the managers are responsible themselves for their teams. Until someone sets the group policy to "This group is open to join for all users":
From then on our "self-controlled system" is breached, as everyone can join themselves. We know that the one who changes the policy is also the owner, who can manage the group anyway. But we don't want them to be able to change this policy (even by mistake).
The problem: AFAIK it is not possible to disable or disallow the group policy selection when creating the group (or at the AD level). Well, that's OK, we thought. We have a webhook when the group changes (and it gets fired when changing the policy) anyway, so we just change it back.
But I cannot find any way or any API to do this. Is this missing? There isn't any field on the Graph API entity. And no cmdlet either.
Has anyone figured out a way to change the group policy of an Azure security group programmatically?
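The webhook the post relies on is the part that can be shown in code. The following is an added example, not the original poster's code: a framework-independent receiver for Microsoft Graph change notifications on groups, written in Python. It assumes a subscription on `/groups` with `changeType` "updated" and a `clientState` secret chosen at subscription time; the `EXPECTED_CLIENT_STATE` value, the `handle_notification` function and the sample payload are constructed for this example. Two points a practitioner wants here: Graph first sends a validation handshake that must be echoed back as `text/plain`, and a delivered notification carries only the id of the changed group, not which property changed, so the receiver has to re-read the group itself before deciding what to reconcile.

```python
"""Microsoft Graph change-notification receiver for group updates (added example)."""
import hmac
import json

# Secret registered as clientState when the /groups subscription was created.
# Constructed value for this example; keep the real one out of source control.
EXPECTED_CLIENT_STATE = "s3cr3t-client-state-from-subscription"


def handle_notification(query, body_text):
    """Process one webhook request.

    query     -- dict of decoded query-string parameters
    body_text -- raw request body as a string (may be empty)
    Returns (http_status, content_type, response_body, group_ids_to_reconcile).
    """
    # 1. Subscription validation: Graph POSTs ?validationToken=... and expects
    #    the token back verbatim as text/plain, otherwise the subscription is
    #    never created.
    token = query.get("validationToken")
    if token is not None:
        return 200, "text/plain", token, []

    # 2. Real notifications arrive as JSON with a "value" array.
    try:
        payload = json.loads(body_text)
    except json.JSONDecodeError:
        return 400, "text/plain", "bad json", []

    group_ids = []
    for note in payload.get("value", []):
        # Anyone who learns the webhook URL can POST to it; clientState is the
        # only authenticity check on a plain change notification, so compare it
        # in constant time and silently drop anything that does not match.
        supplied = str(note.get("clientState", ""))
        if not hmac.compare_digest(supplied, EXPECTED_CLIENT_STATE):
            continue
        if note.get("changeType") != "updated":
            continue
        data = note.get("resourceData") or {}
        if str(data.get("@odata.type", "")).lower() != "#microsoft.graph.group":
            continue
        group_ids.append(data["id"])

    # 3. Graph expects a fast 202; the Graph calls to re-read each group and
    #    reconcile it belong in a background job, not in this request.
    return 202, "text/plain", "", group_ids


def sample_notification():
    """Constructed example body: one genuine entry and one with a forged clientState."""
    return json.dumps({
        "value": [
            {
                "subscriptionId": "7f105c7d-2dc5-4530-97cd-4e7ae6534c07",
                "clientState": EXPECTED_CLIENT_STATE,
                "changeType": "updated",
                "resource": "Groups/11111111-2222-3333-4444-555555555555",
                "resourceData": {
                    "@odata.type": "#Microsoft.Graph.Group",
                    "id": "11111111-2222-3333-4444-555555555555",
                },
            },
            {
                "subscriptionId": "7f105c7d-2dc5-4530-97cd-4e7ae6534c07",
                "clientState": "forged",
                "changeType": "updated",
                "resource": "Groups/99999999-8888-7777-6666-555555555555",
                "resourceData": {
                    "@odata.type": "#Microsoft.Graph.Group",
                    "id": "99999999-8888-7777-6666-555555555555",
                },
            },
        ]
    })


if __name__ == "__main__":
    print(handle_notification({"validationToken": "abc"}, ""))
    print(handle_notification({}, sample_notification()))
```

The handler deliberately returns the list of group ids rather than acting on them: what to do once a group is known to have changed (re-reading it with the Graph API and, if an API for the join policy existed, resetting it) is exactly the open question of the post and is not something this example can answer.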