Description:
Require administrators or appropriately delegated users to create new tenants.
Rationale:
It is recommended to only allow an administrator to create new tenants. This prevent users from creating new Azure AD or Azure AD B2C tenants and ensures that only authorized users are able to do so.
Impact:
Enforcing this setting will ensure that only authorized users are able to create new tenants.
Audit:
From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Select Users
4. Select User settings
5. Ensure that Users can create Azure AD Tenants is set to No.
Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security assessment for this recommendation.
Remediation:
From Azure Portal
1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Select Users
4. Select User settings
5. Set Users can create Azure AD Tenants to No
References:
1. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/usersdefault-permissions
2. https://learn.microsoft.com/en-us/azure/active-directory/roles/permissionsreference#tenant-creator