📝 Microsoft Entra ID Default User Role can create tenants 🟢

• Contextual name: 📝 Default User Role can create tenants 🟢
• ID: /ce/ca/azure/microsoft-entra-id/disable-tenant-creation
• Located in: 📁 Microsoft Entra ID

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Logic

• 🧠 prod.logic.yaml 🟢
  • 📗 Azure Active Directory
  • 🔌 Azure Active Directory Auth Policy - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Require administrators or appropriately delegated users to create new tenants.

Rationale

It is recommended to only allow an administrator to create new tenants. This prevent users from creating new Microsoft Entra ID or Azure AD B2C tenants and ensures that only authorized users are able to do so.

Impact

Enforcing this setting will ensure that only authorized users are able to create new tenants.

Audit

This policy marks an Azure Active Directory as INCOMPLIANT if the related Active Directory Auth Policy has Default Permission: Create Tenants set to Enabled. This field corresponds to the Restrict non-admin users from creating tenants setting in the Microsoft Entra admin center’s User settings when enabled (set to Yes).

References

1. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
2. https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#tenant-creator
3. https://blog.admindroid.com/disable-users-creating-new-azure-ad-tenants-in-microsoft-365/

Remediation

Open File

Remediation

From Azure Portal

1. From Azure Home select the Portal Menu.
2. Select Microsoft Entra ID.
3. Under Manage, select Users.
4. Under Manage, select User settings.
5. Set Restrict non-admin users from creating tenants to Yes.
6. Click Save.

From PowerShell

Import-Module Microsoft.Graph.Identity.SignIns Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' Select-MgProfile -Name beta $params = @{ DefaultUserRolePermissions = @{ AllowedToCreateTenants = $false } } Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId -BodyParameter $params

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS Azure v2.1.0 → 💼 1.3 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' - Level 1 (Manual)			1
💼 CIS Azure v3.0.0 → 💼 2.3 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' (Automated)			1
💼 CIS Azure v4.0.0 → 💼 6.4 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' (Automated)			1
💼 Cloudaware Framework → 💼 General Access Controls			11