Control: 5.4 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
Description
Require administrators or appropriately delegated users to create new tenants.
It is recommended to only allow an administrator to create new tenants. This prevent users from creating new Microsoft Entra ID or Azure AD B2C tenants and ensures that only authorized users are able to do so.
Remediation
Remediate from Azure Portal
- From Azure Home select the Portal Menu.
- Select
Microsoft Entra ID. - Under
Manage, selectUsers. - Under
Manage, selectUser settings. - Set
Restrict non-admin users from creating tenantstoYes. - Click
Save.
Remediate from PowerShell
Import-Module Microsoft.Graph.Identity.SignInsConnect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'Select-MgProfile -Name beta$params = @{DefaultUserRolePermissions = @{AllowedToCreateTenants = $false}}Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId -BodyParameter$params
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_5_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v500_5_4 --shareSQL
This control uses a named query:
with distinct_tenant as ( select distinct tenant_id, subscription_id, _ctx from azure_tenant)select a.id as resource, case when a.default_user_role_permissions ->> 'allowedToCreateTenants' = 'true' then 'alarm' else 'ok' end as status, case when a.default_user_role_permissions ->> 'allowedToCreateTenants' = 'true' then a.display_name || ' allows user to create tenants.' else a.display_name || ' restricts the user to create tenants.' end as reason, t.tenant_id from distinct_tenant as t, azuread_authorization_policy as a;