Microsoft AzureOverview
Users who are set as subscription owners can make administrative changes to the subscriptions and move them into and out of Microsoft Entra ID.
Rationale
Permission to move subscriptions in and out of Microsoft Entra ID must only be given to appropriate administrative personnel. A subscription moved into a Microsoft Entra ID may be within a folder to which other users have elevated permissions. This prevents loss of data or unapproved changes of the objects within by potential bad actors.
Impact
Subscriptions will need to have these settings turned off to be moved.
Default Value
By default, Subscription leaving Microsoft Entra ID directory and Subscription entering Microsoft Entra ID directory are set to Allow everyone (default)
Remediation guidance
From Azure Portal
- Open Subscriptions | Manage policies
- Under
Subscription leaving Microsoft Entra ID directoryandSubscription entering Microsoft Entra ID directory, selectPermit no one.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure connectors letting subscription into/out of the tenant
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: {
OR: [
{ blockSubscriptionsIntoTenant: false }
{ blockSubscriptionsLeavingTenant: false }
]
}
) {
...AssetFragment
}
}
