🛡️ Microsoft Entra ID Default User Role can create tenants🟢

Logic

Description

Require administrators or appropriately delegated users to create new tenants.

Rationale

It is recommended to allow only an administrator to create new tenants. This prevents ordinary users from creating new Microsoft Entra ID or Azure AD B2C tenants and ensures that only authorized users are able to do so.

Impact

Enforcing this setting will ensure that only authorized users are able to create new tenants.

Audit

This policy marks an Azure Active Directory as INCOMPLIANT if the related Active Directory Auth Policy has the default permission "Create Tenants" set to Enabled. This field corresponds to the "Restrict non-admin users from creating tenants" setting under User settings in the Microsoft Entra admin center: that setting reads Yes (enabled) when the default permission to create tenants is disabled.
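The audit check above, written as an added PowerShell helper (not the rule's own policy.yaml logic). It assumes the Microsoft Graph PowerShell SDK v2 and the Policy.Read.All permission; the function itself works on any object shaped like the Graph authorization policy, so it can be unit-tested offline.

```powershell
# Added audit helper, not part of the original rule definition.
# Assumes Microsoft Graph PowerShell SDK v2 and the Policy.Read.All permission.
Import-Module Microsoft.Graph.Identity.SignIns

function Test-TenantCreationRestricted {
    param(
        # Authorization policy object, e.g. the output of Get-MgPolicyAuthorizationPolicy.
        [Parameter(Mandatory)] $AuthorizationPolicy
    )
    $allowed = $AuthorizationPolicy.DefaultUserRolePermissions.AllowedToCreateTenants
    # A missing value is treated as "not proven restricted": the audit must fail closed.
    if ($null -eq $allowed) { $allowed = $true }

    # Graph property              Entra admin center setting
    # AllowedToCreateTenants=true  -> "Restrict non-admin users from creating tenants" = No
    # AllowedToCreateTenants=false -> "Restrict non-admin users from creating tenants" = Yes
    [pscustomobject]@{
        AllowedToCreateTenants         = [bool]$allowed
        RestrictNonAdminTenantCreation = if ($allowed) { 'No' } else { 'Yes' }
        Status                         = if ($allowed) { 'INCOMPLIANT' } else { 'COMPLIANT' }
    }
}

# Offline self-check on a constructed policy object that mirrors the Graph schema.
$constructed = [pscustomobject]@{
    DefaultUserRolePermissions = [pscustomobject]@{ AllowedToCreateTenants = $true }
}
if ((Test-TenantCreationRestricted -AuthorizationPolicy $constructed).Status -ne 'INCOMPLIANT') {
    throw 'Self-check failed: tenant creation enabled must be INCOMPLIANT'
}

# Live check against the signed-in tenant (read-only scope).
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$policy = Get-MgPolicyAuthorizationPolicy
Test-TenantCreationRestricted -AuthorizationPolicy $policy | Format-List
```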

References

  1. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
  2. https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#tenant-creator
  3. https://blog.admindroid.com/disable-users-creating-new-azure-ad-tenants-in-microsoft-365/

Remediation


From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Entra ID.
  3. Under Manage, select Users.
  4. Under Manage, select User settings.
  5. Set Restrict non-admin users from creating tenants to Yes.
  6. Click Save.

From PowerShell

```powershell
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
# Select-MgProfile exists only in Graph PowerShell SDK v1.x; on SDK v2 use the
# Microsoft.Graph.Beta.Identity.SignIns module and Update-MgBetaPolicyAuthorizationPolicy instead.
Select-MgProfile -Name beta
$params = @{
    DefaultUserRolePermissions = @{
        AllowedToCreateTenants = $false
    }
}
# The tenant has a single authorization policy whose fixed id is 'authorizationPolicy'.
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' -BodyParameter $params
```

Linked Framework Sections

| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS Azure v2.1.0 | 💼 1.3 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' - Level 1 (Manual) | | 1 | | no data |
| 💼 CIS Azure v3.0.0 | 💼 2.3 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' (Automated) | | 1 | | no data |
| 💼 CIS Azure v4.0.0 | 💼 6.4 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' (Automated) | | 1 | | no data |
| 💼 Cloudaware Framework | 💼 General Access Controls | 1 | 1 | | no data |