Description:
In Microsoft Entra ID (formerly Azure Active Directory), tenant-level policies govern whether Azure subscriptions may be transferred across the tenant boundary. By default, a subscription can be moved into or out of the tenant (the portal's 'Change directory' operation) by anyone with sufficient rights on that subscription, which means an over-privileged or compromised subscription Owner can carry the subscription, and every resource in it, into a directory you do not control.
To prevent unapproved moves in either direction, set the tenant policies 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' to 'Permit no one'. Once set, only principals on the policy's exempted users list (Global Administrators with elevated access) can move a subscription, and the policy itself can only be changed by a Global Administrator with elevated access, so every transfer becomes an explicit administrative decision rather than something an individual subscription Owner can do on their own.
Rationale:
Setting 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' to 'Permit no one' does the following:
Prevents subscriptions from being moved between tenants by anyone other than an explicitly exempted administrator, closing a path by which a compromised Owner account could take resources out of your tenant.
Keeps the tenant boundary intact by reserving tenant-to-tenant subscription transfers for Global Administrators with elevated access who are listed as exempted users.
Reduces the risk of accidental or malicious moves; a transfer deletes the subscription's Azure role assignments and leaves its resources and data under a directory you do not control.
Impact:
Setting these options to 'Permit no one':
Blocks any subscription from leaving your Microsoft Entra tenant or entering it from another tenant unless the acting principal is on the policy's exempted users list or the policy is changed first.
Confines subscription movement to a small set of highly trusted identities, keeping control of the tenant boundary with tenant administrators rather than individual subscription Owners.
The trade-off is that legitimate migrations (for example consolidating subscriptions from an acquired company's tenant) will fail until an administrator either relaxes the policy or adds the migrating principal to the exempted users list, so any future move has to be planned as an explicit administrative change.
Default Value:
By default, both 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' are set to 'Permit everyone', and the exempted users list is empty. Because the default permits moves in both directions, the settings must be reviewed and changed explicitly in every tenant.
Pre-requisites:
A Microsoft Entra tenant with at least one Azure subscription.
The Global Administrator role in the tenant, with elevated access enabled (the 'Access management for Azure resources' toggle in Microsoft Entra ID), which grants User Access Administrator at the root scope (/). This is what the subscription policy settings require; subscription Owner rights alone are not sufficient.
Access to the Subscriptions blade of the Azure portal (Manage Policies) or to the Azure Resource Manager REST API.
Audit:
Sign in to the Azure portal as a Global Administrator with elevated access.
From the portal menu select Subscriptions, then select Manage Policies in the top ribbon.
Confirm that both 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' show 'Permit no one', and review the exempted users list: every principal listed there can bypass the policy, so it should be empty or contain only administrators with a documented need.
Implementation Steps (Manual):
Sign in to Azure portal:
Use a Global Administrator account that has elevated access (User Access Administrator at the root scope).
Navigate to Subscriptions:
From the Azure portal menu, select Subscriptions.
Open the subscription policies:
In the top ribbon of the Subscriptions blade, select Manage Policies.
Configure Subscription Movement Settings:
In the Manage Policies pane, locate 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant'.
Set Both Settings to 'Permit no one':
For each setting, select 'Permit no one'. Leave the exempted users list empty unless a specific Global Administrator has a documented need to move subscriptions; exempted users bypass the policy entirely.
Save the Settings:
Click Save changes to apply the policy to the whole tenant.
Verify Settings:
Reopen Manage Policies and confirm that both settings read 'Permit no one' and that the exempted users list matches what you intended. As a functional check, sign in as a subscription Owner who is not exempted and confirm that 'Change directory' on a subscription is no longer permitted.
Monitor for Unauthorized Attempts:
Subscription transfers and changes to this policy are Azure Resource Manager operations, not directory operations, so look for them in the Azure Activity log rather than in the Microsoft Entra audit log. Create an Azure Monitor alert rule on Activity log events for subscription transfers and for writes to the tenant's subscription policy so that an unexpected move, or an attempt to relax the policy, generates a notification.
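The audit and implementation steps above can be driven from the Azure Resource Manager REST API instead of the portal. The following Python helper is an added example for this page; it is not Microsoft's code and not part of the benchmark. It assumes the policies are exposed as the tenant-level resource /providers/Microsoft.Subscription/policies/default (api-version 2021-10-01) with the properties blockSubscriptionsLeavingTenant, blockSubscriptionsIntoTenant and exemptedPrincipals, and it evaluates constructed sample documents (including a constructed object ID) so it runs offline; a live GET response can be passed in the same way.

```python
"""Audit and remediation helper for the tenant policies 'Subscription leaving
Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant'.

Added example for this page; not Microsoft's code and not part of the benchmark.
Assumptions: the policies are exposed by Azure Resource Manager as the tenant-level
resource /providers/Microsoft.Subscription/policies/default (api-version 2021-10-01)
with the properties blockSubscriptionsLeavingTenant, blockSubscriptionsIntoTenant and
exemptedPrincipals. All sample documents below are constructed, not captured.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

POLICY_PATH = "/providers/Microsoft.Subscription/policies/default"
API_VERSION = "2021-10-01"
POLICY_URL = f"https://management.azure.com{POLICY_PATH}?api-version={API_VERSION}"


@dataclass(frozen=True)
class Finding:
    setting: str
    compliant: bool
    detail: str


def evaluate_policy(doc: Dict) -> List[Finding]:
    """Map the API document onto the three things the audit step checks.

    'Permit no one' corresponds to the block* flag being true; a missing or
    false flag is the Microsoft default 'Permit everyone'. Exempted principals
    bypass the policy, so a non-empty list is reported as a finding as well.
    """
    props = doc.get("properties") or {}
    leaving = props.get("blockSubscriptionsLeavingTenant") is True
    entering = props.get("blockSubscriptionsIntoTenant") is True
    exempt = props.get("exemptedPrincipals") or []
    return [
        Finding("Subscription leaving Microsoft Entra tenant", leaving,
                "Permit no one" if leaving else "Permit everyone"),
        Finding("Subscription entering Microsoft Entra tenant", entering,
                "Permit no one" if entering else "Permit everyone"),
        Finding("Exempted users", not exempt,
                "none" if not exempt else "bypass allowed for: " + ", ".join(exempt)),
    ]


def is_compliant(doc: Dict) -> bool:
    """True only when both moves are blocked and nobody is exempted."""
    return all(f.compliant for f in evaluate_policy(doc))


def remediation_payload(permit_no_one: bool = True,
                        exempted: Optional[List[str]] = None) -> Dict:
    """Request body for a PUT to POLICY_URL.

    permit_no_one=True is the hardened state from the implementation steps;
    permit_no_one=False restores 'Permit everyone' for the backout plan. Passing
    an object ID in `exempted` is the narrower backout: keep 'Permit no one' and
    exempt only the administrator doing the migration.
    """
    return {"properties": {
        "blockSubscriptionsLeavingTenant": permit_no_one,
        "blockSubscriptionsIntoTenant": permit_no_one,
        "exemptedPrincipals": list(exempted or []),
    }}


def _sample(leaving: bool, entering: bool, exempted: List[str]) -> Dict:
    # Constructed response document in the shape of the GET call; not real data.
    return {"id": POLICY_PATH, "name": "default",
            "type": "Microsoft.Subscription/policies",
            "properties": {"blockSubscriptionsLeavingTenant": leaving,
                           "blockSubscriptionsIntoTenant": entering,
                           "exemptedPrincipals": exempted}}


DEFAULT_TENANT = _sample(False, False, [])    # out-of-the-box tenant
HARDENED_TENANT = _sample(True, True, [])     # target state
EXEMPTION_TENANT = _sample(True, True,        # constructed object ID, not a real principal
                           ["11111111-2222-3333-4444-555555555555"])

if __name__ == "__main__":
    # Offline walk-through; for a live audit replace the samples with
    # json.loads() of the output of: az rest --method get --url "$POLICY_URL"
    for label, doc in (("default", DEFAULT_TENANT), ("hardened", HARDENED_TENANT),
                       ("with exemption", EXEMPTION_TENANT)):
        print(f"{label}: {'PASS' if is_compliant(doc) else 'FAIL'}")
        for f in evaluate_policy(doc):
            print(f"  {'ok ' if f.compliant else 'BAD'} {f.setting}: {f.detail}")
    print("\nRemediation: PUT", POLICY_URL)
    print(json.dumps(remediation_payload(), indent=2))
```

Signed in as a Global Administrator with elevated access, `az rest --method get --url "<POLICY_URL>"` returns the live document to feed into evaluate_policy, and `az rest --method put --url "<POLICY_URL>" --body '<json>'` with the output of remediation_payload() applies the hardened state. The exempted-users check is deliberately a separate finding: a tenant with both flags set but a forgotten exemption still lets that principal move subscriptions.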
Backout Plan (Manual):
Sign in to Azure portal:
Use a Global Administrator account with elevated access.
Navigate to Subscriptions:
From the Azure portal menu, select Subscriptions, then select Manage Policies in the top ribbon.
Revert the Settings:
Locate 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant'. The only values available are 'Permit everyone' and 'Permit no one', plus the exempted users list, so either set the relevant setting back to 'Permit everyone' (the Microsoft default) or, preferably, keep 'Permit no one' and add the administrator performing the migration to the exempted users list for the duration of the move.
Save the Reverted Settings:
Click Save changes, then reopen Manage Policies to confirm the new values.
Test the Reverted Configuration:
From the account that should now be allowed, attempt the subscription move (Change directory on the subscription) and confirm it succeeds. When the migration is complete, restore 'Permit no one' and remove any temporary exemption.