Description:
Restricting the "Subscription entering AAD directory" and "Subscription leaving AAD directory" policies to "Permit no one" prevents unauthorized movement of Azure subscriptions between tenants and helps maintain strong tenant security and governance.
Rationale:
Restricting subscriptions from entering or leaving the directory prevents unauthorized tenant transfers, protects billing and resource ownership, and helps maintain tenant security and governance.
Impact:
Positive: Ensures strict governance over subscription lifecycle, prevents hijacking or accidental transfer, and ensures compliance with organizational security policies.
Negative: Administrators must use formal approval processes for subscription migrations, which may add operational overhead.
Default Value:
The default configuration may allow certain privileged roles to initiate subscription transfers unless explicitly restricted.
Pre-Requisites:
Global Administrator or Privileged Role Administrator permissions
Microsoft Entra ID access
Access to Tenant Properties and Cross-Tenant Settings
Test Plan:
Sign in to the Azure Portal at https://portal.azure.com
Open Microsoft Entra ID
Select Properties
Open Access management for Azure resources
Verify the Access management for Azure resources toggle is set to Off
Confirm subscriptions cannot enter or leave the directory
If the toggle is set to On, follow the implementation steps
Implementation Steps:
Sign in to the Azure Portal at https://portal.azure.com
Open Microsoft Entra ID
Select Properties
Open Access management for Azure resources
Set the Access management for Azure resources toggle to Off
Save the changes
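An added compliance check, not part of this control's original text, that evaluates the two tenant subscription policies named in the Description. It assumes the policy document is the one returned by the Microsoft.Subscription policies REST API (endpoint and property names are the author's understanding of that API, verify against a live response); the JSON below is a constructed sample, so the check runs offline.

```python
import json
from typing import Any

# Constructed sample of the body returned by
#   GET https://management.azure.com/providers/Microsoft.Subscription/policies/default?api-version=2021-10-01
# (for example via `az rest --method get --url "<that URL>"`). Property names
# are the author's understanding of the Microsoft.Subscription policies API.
SAMPLE_POLICY_JSON = """
{
  "id": "/providers/Microsoft.Subscription/policies/default",
  "name": "default",
  "type": "Microsoft.Subscription/policies",
  "properties": {
    "blockSubscriptionsLeavingTenant": true,
    "blockSubscriptionsIntoTenant": false,
    "exemptedPrincipals": ["00000000-0000-0000-0000-000000000001"]
  }
}
"""


def evaluate_subscription_policy(policy_json: str) -> dict[str, Any]:
    """Map the tenant policy onto this control: both directions must be blocked
    ("Permit no one"). Exempted principals can bypass the block, so a non-empty
    list is reported as a finding even when both directions are blocked."""
    props = json.loads(policy_json).get("properties", {})
    # A missing key is treated as "not blocked", the permissive default.
    leaving_blocked = bool(props.get("blockSubscriptionsLeavingTenant", False))
    entering_blocked = bool(props.get("blockSubscriptionsIntoTenant", False))
    exempt = list(props.get("exemptedPrincipals") or [])
    findings = []
    if not leaving_blocked:
        findings.append("Subscription leaving AAD directory is not Permit no one")
    if not entering_blocked:
        findings.append("Subscription entering AAD directory is not Permit no one")
    if exempt:
        findings.append(f"{len(exempt)} exempted principal(s) can bypass the policy")
    return {"leaving_blocked": leaving_blocked, "entering_blocked": entering_blocked,
            "exempted_principals": exempt, "compliant": not findings,
            "findings": findings}


def compliant_policy_body() -> str:
    """Request body that sets both directions to Permit no one with no exemptions
    (applied with `az rest --method put --url "<policy URL>" --body '<this>'`)."""
    return json.dumps({"properties": {"blockSubscriptionsLeavingTenant": True,
                                      "blockSubscriptionsIntoTenant": True,
                                      "exemptedPrincipals": []}})


if __name__ == "__main__":
    print(json.dumps(evaluate_subscription_policy(SAMPLE_POLICY_JSON), indent=2))
```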
Backout Plan:
Sign in to the Azure Portal at https://portal.azure.com
Open Microsoft Entra ID
Select Properties
Open Access management for Azure resources
Set the Access management for Azure resources toggle to On
Save the changes