Microsoft Entra IDOverview
Require administrators or appropriately delegated users to create new tenants.
Rationale
It is recommended that only an administrator be able to create new tenants. This prevents users from creating new Azure AD or Azure AD B2C tenants and ensures that only authorized users can do so.
Impact
Enforcing this setting will ensure that only authorized users are able to create new tenants.
Default Value
By default, all users can create tenants.
Remediation guidance
From Azure Portal
- Open Users | User settings.
- Set
Restrict non-admin users from creating tenantstoYes
From PowerShell
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
Select-MgProfile -Name beta
$params = @{
DefaultUserRolePermissions =
@{
AllowedToCreateTenants = $false
}
}
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId -BodyParameter
$params
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Microsoft Entra ID
Use tenant-wide Conditional Access, role settings, authentication policies, and identity governance baselines so the control is enforced centrally.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Entra Non-Admin Users Can Create Tenants
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { authorizationPolicy: { defaultUserAllowedToCreateTenants: true } }
) {
...AssetFragment
}
}
