Microsoft Entra IDOverview
Require administrators or appropriately delegated users to create new tenants.
Rationale
It is recommended that only an administrator be able to create new tenants. This prevents users from creating new Azure AD or Azure AD B2C tenants and ensures that only authorized users can do so.
Impact
Enforcing this setting will ensure that only authorized users are able to create new tenants.
Default Value
By default, all users can create tenants.
Remediation guidance
From Azure Portal
- Open Users | User settings.
- Set
Restrict non-admin users from creating tenantstoYes
From PowerShell
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
Select-MgProfile -Name beta
$params = @{
DefaultUserRolePermissions =
@{
AllowedToCreateTenants = $false
}
}
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId -BodyParameter
$params
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Entra Non-Admin Users Can Create Tenants
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { authorizationPolicy: { defaultUserAllowedToCreateTenants: true } }
) {
...AssetFragment
}
}
