
Disable Tenant Creation for Non-Admin Users

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that only administrators or properly delegated users (i.e., users with tenant creator roles) have the permission to create Microsoft Entra ID or Azure Active Directory B2C tenants.

Security

By default, anyone who creates a Microsoft Entra ID tenant will become the global administrator for that tenant. By setting Restrict non-admin users from creating tenants to Yes in the Microsoft Entra ID settings, you can limit the creation of tenants to the global administrator or delegated users with tenant creator roles. Enforcing the Restrict non-admin users from creating tenants setting will ensure that only authorized identities can create new tenants.


Audit

To determine if non-admin, non-authorized users are allowed to create Microsoft Entra ID tenants, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Microsoft Entra ID blade available at https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview.

03 In the main navigation panel, under Manage, select Users.

04 In the left navigation panel, select User settings to access Microsoft Entra ID user configuration settings.

05 In the Default user role permissions section, check the status of the Restrict non-admin users from creating tenants setting. If Restrict non-admin users from creating tenants is set to No, non-admin, non-authorized users are allowed to create Microsoft Entra ID tenants; therefore, the Microsoft Entra ID user configuration is not compliant.

Using Azure PowerShell

01 Run the Connect-MgGraph PowerShell command to connect to Microsoft Graph with the Microsoft Entra ID tenant specified by the -TenantId parameter (replace <tenant-name> with your own tenant name):

Connect-MgGraph -TenantId <tenant-name>.onmicrosoft.com -Scopes "Policy.ReadWrite.Authorization"

02 Run the Get-MgPolicyAuthorizationPolicy PowerShell command with custom output filters to determine if non-admin users are allowed to create Microsoft Entra ID tenants:

Get-MgPolicyAuthorizationPolicy | Select-Object -ExpandProperty DefaultUserRolePermissions | Format-Table AllowedToCreateTenants

03 The command output should return the value that backs the Restrict non-admin users from creating tenants setting (note that the attribute is the inverse of the portal setting: True means the restriction is not enforced):

AllowedToCreateTenants
----------------------
True

If the AllowedToCreateTenants configuration attribute is set to True, as shown in the example above, non-admin, non-authorized users are allowed to create Microsoft Entra ID tenants. Therefore, the Microsoft Entra ID user configuration is not compliant.

Remediation / Resolution

To ensure that non-admin, non-authorized users are not allowed to create Microsoft Entra ID tenants, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Microsoft Entra ID blade available at https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview.

03 In the main navigation panel, under Manage, select Users.

04 In the left navigation panel, select User settings to access Microsoft Entra ID user configuration settings.

05 In the Default user role permissions section, set the Restrict non-admin users from creating tenants setting to Yes to restrict the creation of Microsoft Entra ID tenants to the global administrator or delegated users with tenant creator roles. Choose Save from the bottom navigation menu to apply the configuration changes.

Using Azure PowerShell

01 Run the Update-MgPolicyAuthorizationPolicy PowerShell command to update the default authorization policy in order to restrict the creation of Microsoft Entra ID tenants to the global administrator or delegated users with tenant creator roles:

Update-MgPolicyAuthorizationPolicy -BodyParameter @{DefaultUserRolePermissions = @{AllowedToCreateTenants = $false}}
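The audit and remediation steps above, combined into one script as an added example (not code from the Conformity page or from Microsoft). It assumes the Microsoft Graph PowerShell SDK is installed, that the caller can consent to the Policy.ReadWrite.Authorization scope, and that $TenantId is your own tenant name; the -Remediate switch and the Test-TenantCreationRestricted function are names introduced here.

```powershell
# Added example: audit AllowedToCreateTenants and, only when asked, remediate it.
# Assumes the Microsoft.Graph modules are installed and the signed-in account
# may consent to Policy.ReadWrite.Authorization. $TenantId and -Remediate are
# parameters introduced for this example.
param(
    [Parameter(Mandatory)] [string] $TenantId,   # e.g. <tenant-name>.onmicrosoft.com
    [switch] $Remediate                          # omit for a read-only audit
)

Connect-MgGraph -TenantId $TenantId -Scopes "Policy.ReadWrite.Authorization"

function Test-TenantCreationRestricted {
    # Returns $true when non-admin users cannot create tenants, i.e. when the
    # portal setting "Restrict non-admin users from creating tenants" is Yes.
    # The Graph attribute is the inverse of the portal setting, so negate it.
    $policy = Get-MgPolicyAuthorizationPolicy
    return (-not $policy.DefaultUserRolePermissions.AllowedToCreateTenants)
}

if (Test-TenantCreationRestricted) {
    Write-Output "COMPLIANT: non-admin users cannot create Microsoft Entra ID tenants."
    return
}

Write-Warning "NOT COMPLIANT: AllowedToCreateTenants is True (restriction not enforced)."
if (-not $Remediate) {
    Write-Output "Re-run with -Remediate to apply the fix."
    return
}

# Same PATCH the page uses: only the one attribute is changed.
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    DefaultUserRolePermissions = @{ AllowedToCreateTenants = $false }
}

# Re-read the policy instead of trusting the update call, which returns nothing on success.
if (Test-TenantCreationRestricted) {
    Write-Output "Remediated and verified: tenant creation is now restricted."
} else {
    Write-Error "Update did not take effect; confirm the account holds a role allowed to edit the authorization policy."
}
```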


Publication date Feb 12, 2025