Description:
In Microsoft Entra ID (formerly Azure Active Directory), users with sufficient permissions can create new tenants within the Azure environment. Allowing non-admin users to create new tenants can lead to unauthorized or unmonitored tenant creation, which introduces security risks and governance challenges. To maintain a controlled and secure environment, it is best practice to restrict non-admin users from creating Azure AD tenants.
Enforcing this setting ensures that only privileged administrators can create tenants, minimizing the risk of rogue tenant creation and of unauthorized administrative access to resources across multiple tenants.
Rationale:
By restricting non-admin users from creating tenants, you:
Enhance security: tenant creation is tightly controlled and performed only by authorized personnel.
Prevent unauthorized access: rogue tenant creation can lead to unauthorized resource access and management.
Ensure governance: tenant creation is a significant administrative task that should be restricted to users who have the appropriate security clearance and oversight.
Comply with best practices in organizational and resource management.
Impact:
Setting 'Restrict non-admin users from creating tenants' to 'Yes' ensures that only administrators can create new tenants. The operational impact is minimal: the setting improves security and reduces the risk of mismanagement or misuse, and it affects only users who previously had the ability to create tenants, who will now be blocked unless granted specific administrative privileges.
Default Value:
By default, non-admin users are allowed to create tenants. This setting must be manually configured to restrict the ability to create tenants.
Pre-requisites:
Azure subscription with Microsoft Entra ID (Azure AD) configured.
Global Administrator or Privileged Role Administrator permissions to configure and enforce this setting.
Access to the Azure portal to configure the settings.
Audit:
Sign in to the Azure portal as a Global Administrator or Privileged Role Administrator.
Navigate to Microsoft Entra ID > Tenant settings.
Verify that the setting 'Restrict non-admin users from creating tenants' is set to 'Yes'.
Implementation Steps (Automated):
Sign in to the Azure portal:
Use an account with Global Administrator or Privileged Role Administrator permissions.
Navigate to Microsoft Entra ID (Azure AD):
In the Azure portal, go to Azure Active Directory.
Go to Tenant Settings:
Under Manage, select Tenant settings.
Locate and Configure the Tenant Creation Setting:
Find the setting for 'Restrict non-admin users from creating tenants'.
Set the option to 'Yes' to prevent non-admin users from creating new Azure AD tenants.
Save the Configuration:
After setting it to 'Yes', click Save to apply the changes.
Verify the Setting:
After saving the configuration, confirm that non-admin users can no longer create tenants by attempting to create a tenant with a non-admin account. The operation should be blocked.
Automate with PowerShell (Optional): To automate this configuration using PowerShell, use the following command:
Set-MsolCompanySettings -AllowTenantCreation $false
This command will restrict non-admin users from creating new tenants.
Monitor Tenant Creation Attempts:
Use the Azure AD audit logs to monitor any attempts to create tenants, and set up Azure Monitor to alert you when an unauthorized attempt to create a new tenant is recorded.
Backout Plan (Automated):
Sign in to the Azure portal:
Use an account with Global Administrator or Privileged Role Administrator permissions.
Navigate to Microsoft Entra ID (Azure AD):
Go to Azure Active Directory in the Azure portal.
Revert the Tenant Creation Restriction:
In Tenant settings, find the setting 'Restrict non-admin users from creating tenants'.
Change the setting back to 'No' to allow non-admin users to create tenants again.
Save the Configuration:
After setting it back to 'No', click Save to apply the changes.
Test the Reverted Configuration:
Attempt to create a new tenant with a non-admin account and verify that the creation process is successful.
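The audit check, the implementation step and the backout step above can all be driven from one script against the Microsoft Graph authorization policy, which is the supported API for this setting now that the MSOnline module is deprecated. This is an added example, not part of the original page; it assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account holds a role permitted to write the authorization policy (for example Global Administrator). The function names Test-TenantCreationRestricted and Set-TenantCreationRestriction are the example's own.

```powershell
# Added example, not part of the original page.
# The portal toggle 'Restrict non-admin users from creating tenants' corresponds to
# defaultUserRolePermissions.allowedToCreateTenants on the authorization policy:
# toggle 'Yes' means allowedToCreateTenants is $false.
# Assumes: Microsoft.Graph module installed; caller can write the authorization policy.

function Test-TenantCreationRestricted {
    # Audit step: returns $true when non-admin users are blocked from creating tenants.
    $policy = Get-MgPolicyAuthorizationPolicy
    return ($policy.DefaultUserRolePermissions.AllowedToCreateTenants -eq $false)
}

function Set-TenantCreationRestriction {
    # $Restrict = $true  -> implementation step (toggle 'Yes')
    # $Restrict = $false -> backout step (toggle 'No')
    param([Parameter(Mandatory)][bool]$Restrict)

    # Only this one permission is included in the update request.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        AllowedToCreateTenants = (-not $Restrict)
    }

    # Verify by re-reading the policy instead of trusting the write; fail loudly on a mismatch.
    if ((Test-TenantCreationRestricted) -ne $Restrict) {
        throw "Authorization policy did not change as expected; check the caller's role and granted scopes."
    }
}

# Policy.ReadWrite.Authorization covers both the read (audit) and the write (remediation).
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

if (Test-TenantCreationRestricted) {
    Write-Output "COMPLIANT: non-admin users cannot create tenants."
} else {
    Write-Output "NON-COMPLIANT: non-admin users can create tenants. Applying restriction."
    Set-TenantCreationRestriction -Restrict $true
    Write-Output "Restriction applied and verified."
}

# Backout plan equivalent of setting the toggle back to 'No':
# Set-TenantCreationRestriction -Restrict $false
```

Running the script with a read-only role will still report the audit result, but the remediation call will fail and the verification throw will surface that instead of silently reporting success.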