Skip to main content

πŸ“ Microsoft Entra ID Tenant Creation is set to Yes 🟒

  • Contextual name: πŸ“ Tenant Creation is set to Yes 🟒
  • ID: /ce/ca/azure/microsoft-entra-id/disable-tenant-creation
  • Located in: πŸ“ Microsoft Entra ID

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Logic​

Description​

Open File

Description​

Require administrators or appropriately delegated users to create new tenants.

Rationale​

It is recommended to only allow an administrator to create new tenants. This prevent users from creating new Microsoft Entra ID or Azure AD B2C tenants and ensures that only authorized users are able to do so.

Impact​

Enforcing this setting will ensure that only authorized users are able to create new tenants.

Audit​

From Azure Portal​
  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Entra ID.
  3. Under Manage, select Users.
  4. Under Manage, select User settings.
  5. Ensure that Restrict non-admin users from creating tenants is set to Yes.
From PowerShell​
Import-Module Microsoft.Graph.Identity.SignIns Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' Get-MgPolicyAuthorizationPolicy | Select-Object -ExpandProperty DefaultUserRolePermissions | Format-List

Review the DefaultUserRolePermissions section of the output. Ensure that AllowedToCreateTenants is not True.

References​

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Entra ID.
  3. Under Manage, select Users.
  4. Under Manage, select User settings.
  5. Set Restrict non-admin users from creating tenants to Yes.
  6. Click Save.

From PowerShell​

Import-Module Microsoft.Graph.Identity.SignIns Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' Select-MgProfile -Name beta $params = @{ DefaultUserRolePermissions = @{ AllowedToCreateTenants = $false } } Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId -BodyParameter $params

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 1.3 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' - Level 1 (Manual)1
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 2.3 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό General Access Controls10