🛡️ Azure Tenant Creator Role Assignments are not periodically reviewed🟢⚪

  • Contextual name: 🛡️ Tenant Creator Role Assignments are not periodically reviewed🟢⚪
  • ID: /ce/ca/azure/subscription/tenant-creator-role-assignments
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

Perform a periodic review of the Tenant Creator role assignment to ensure that the assignments are accurate and appropriate.

Rationale

Unnecessary assignments increase the risk of privilege escalation and unauthorized access.

Impact

Verify that the Tenant Creator role is no longer required by any assignments before removal to avoid disruption of critical functions.

Audit

From Azure Portal

  1. Go to Microsoft Entra ID.
  2. Under Manage, click Roles and administrators.
  3. In the search bar, type Tenant Creator.
  4. Click the role.
  5. Review the assignments and ensure that they are appropriate.

Default Value

The Tenant Creator role is not assigned by default.

References

  1. https://learn.microsoft.com/en-us/azure/active-directory-b2c/tenant-management-check-tenant-creation-permission
  2. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#tenant-creator

Remediation

From Azure Portal

  1. Go to Microsoft Entra ID.
  2. Under Manage, click Roles and administrators.
  3. In the search bar, type Tenant Creator.
  4. Click the role.
  5. Click the name of an assignment.
  6. Check the box next to the Tenant Creator role.
  7. Click X Remove assignments.
  8. Click Yes.
  9. Repeat steps 1-8 for each assignment requiring remediation.
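As an added example (not part of the CIS benchmark text or the Cloudaware policy), the audit and remediation steps above can be run from a console with the Microsoft Graph PowerShell SDK, which also leaves a CSV record for the periodic review. The cmdlets are the SDK's own; that the Microsoft.Graph modules are installed, that the signed-in account holds the listed permissions, and the CSV file name are assumptions.

```powershell
# Added example: review Tenant Creator role assignments via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph modules are installed and the account can read directory roles.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Look the role up by display name instead of hard-coding its template GUID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Tenant Creator'"
if (-not $roleDef) { throw "Tenant Creator role definition not found in this tenant." }

# Active assignments of that role; -ExpandProperty principal returns the assigned
# object so the report shows who or what holds the role.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($roleDef.Id)'" -ExpandProperty principal -All

$report = foreach ($a in $assignments) {
    $p = $a.Principal
    [pscustomobject]@{
        AssignmentId  = $a.Id
        PrincipalType = $p.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        DisplayName   = $p.AdditionalProperties['displayName']
        Upn           = $p.AdditionalProperties['userPrincipalName']
        Scope         = $a.DirectoryScopeId   # '/' means tenant-wide
    }
}

if (-not $report) {
    "No Tenant Creator assignments found (matches the default state)."
} else {
    $report | Format-Table -AutoSize
    # Keep the evidence for the review record (file name is an assumed choice).
    $report | Export-Csv -Path ".\tenant-creator-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
}

# Remediation for an assignment the review finds unnecessary (needs
# RoleManagement.ReadWrite.Directory); supply the AssignmentId from the report.
# Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId '<AssignmentId>'
```

Confirm with the owning team that the assignment is no longer needed before running the removal line, as the Impact section advises.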

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
--- | --- | --- | --- | --- | ---
💼 CIS Azure v5.0.0 → 💼 5.3.6 Ensure 'Tenant Creator' role assignments are periodically reviewed (Manual) | | | 1 | | no data
💼 Cloudaware Framework → 💼 Role-Based Access Control (RBAC) Management | | | 18 | | no data