Description:

Microsoft Entra ID (formerly Azure Active Directory) allows users with specific permissions to create new tenants within the Azure ecosystem. When non-admin users are permitted to create tenants, it introduces the risk of unmonitored, unmanaged, and unauthorized tenant creation, resulting in security gaps, shadow IT, and governance challenges.


Rationale:

Restricting this capability ensures that only privileged administrators, such as Global Administrators or role-assigned personnel, can create new tenants. This control helps maintain a secure, centralized identity infrastructure and prevents the creation of external tenants that may fall outside security, compliance, and operational oversight.


Impact:

Enabling the restriction (setting Users can create Azure AD tenants = No) means:

  • Strengthens security by ensuring tenant creation is performed only by verified administrators.

  • Eliminates the risk of unmanaged or accidental tenant creation by regular users.

  • Helps maintain strict oversight of identity environments and cross-tenant access.


Default Value:

Default: Yes (non-admin users are allowed to create Azure AD tenants)


Pre-requisites:

  1. Sign in using an account with Global Administrator or Privileged Role Administrator permissions.


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com.

  2. Search for Microsoft Entra ID in the search bar.

  3. In the left-hand menu under the Manage section, select User settings.

  4. Check whether 'Restrict non-admin users from creating tenants' is set to Yes or No. If it is set to No, follow the Implementation Steps to remediate.


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com.

  2. Search for Microsoft Entra ID in the search bar.

  3. In the left-hand menu under the Manage section, select User settings.

  4. Change 'Restrict non-admin users from creating tenants' from No to Yes.

  5. Click Save to apply the new configuration.


Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com.

  2. Open Microsoft Entra ID.

  3. In the left-hand menu under the Manage section, select User settings.

  4. Change 'Restrict non-admin users from creating tenants' from Yes to No.
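
The same check, remediation and backout can be scripted through Microsoft Graph, which is practical when auditing many tenants. The following is an added example, not part of the original control text; it assumes the Microsoft.Graph PowerShell SDK is installed and that you sign in with an account meeting the Pre-requisites above. Graph exposes the portal toggle with inverted meaning: allowedToCreateTenants = true corresponds to 'Restrict non-admin users from creating tenants' = No.

```powershell
# Added example: audit and change the tenant-creation setting via Microsoft Graph.
# Mapping between Graph and the portal toggle:
#   allowedToCreateTenants = $true  <=> "Restrict non-admin users from creating tenants" = No
#   allowedToCreateTenants = $false <=> "Restrict non-admin users from creating tenants" = Yes
function Test-TenantCreationRestriction {
    $policy  = Get-MgPolicyAuthorizationPolicy
    $allowed = $policy.DefaultUserRolePermissions.AllowedToCreateTenants
    if ($null -eq $allowed) {
        # Property not returned: do not assume compliance; flag for manual review.
        return [pscustomobject]@{ Compliant = $null; PortalValue = 'Unknown'; GraphValue = $null }
    }
    [pscustomobject]@{
        Compliant   = (-not $allowed)                       # compliant when creation is NOT allowed
        PortalValue = if ($allowed) { 'No' } else { 'Yes' } # value shown in User settings
        GraphValue  = $allowed
    }
}

function Set-TenantCreationRestriction {
    param([Parameter(Mandatory)][bool]$Restrict)
    # -Restrict $true performs the Implementation Steps; -Restrict $false is the Backout Plan.
    # 'authorizationPolicy' is the fixed id of the tenant's single authorization policy object.
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' `
        -DefaultUserRolePermissions @{ AllowedToCreateTenants = (-not $Restrict) }
}

# Policy.ReadWrite.Authorization covers both reading and updating the policy.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

$before = Test-TenantCreationRestriction
$before | Format-List

# Remediate only when the check returned a definite non-compliant result.
if ($before.Compliant -eq $false) {
    Set-TenantCreationRestriction -Restrict $true
    Test-TenantCreationRestriction | Format-List   # re-check after the change
}
```

Record the before and after objects as evidence for the Test Plan; to back out, call Set-TenantCreationRestriction -Restrict $false.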


Reference: