Control: 5.25 Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
Description
Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Microsoft Entra ID.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.iam_subscription_tenant_transfer_restricted
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.iam_subscription_tenant_transfer_restricted --share
SQL
This control uses a named query:
select
  t.tenant_id as resource,
  case
    when (t.subscription_policy -> 'properties' -> 'blockSubscriptionsIntoTenant')::bool = true
      and (t.subscription_policy -> 'properties' -> 'blockSubscriptionsLeavingTenant')::bool = true then 'ok'
    else 'alarm'
  end as status,
  case
    when (t.subscription_policy -> 'properties' -> 'blockSubscriptionsIntoTenant')::bool = true
      and (t.subscription_policy -> 'properties' -> 'blockSubscriptionsLeavingTenant')::bool = true
      then t.display_name || ' subscription tenant transfer is restricted (Permit no one).'
    else t.display_name || ' subscription tenant transfer is not restricted. Block subscriptions into tenant: '
      || coalesce((t.subscription_policy -> 'properties' -> 'blockSubscriptionsIntoTenant')::text, 'false')
      || ', Block subscriptions leaving tenant: '
      || coalesce((t.subscription_policy -> 'properties' -> 'blockSubscriptionsLeavingTenant')::text, 'false') || '.'
  end as reason,
  t.tenant_id
from
  azure_tenant as t;
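The same evaluation as the query above, written as an added Python example (not code from the azure_compliance mod) over constructed copies of the subscription_policy JSON, including the null-column and missing-property cases the query covers with coalesce. The exemptedPrincipals field is taken from the Azure subscription policy resource and is an assumption here; the page's query does not check it.

```python
from typing import Optional

# Added example, not code from the azure_compliance mod: it re-implements the
# control's SQL over constructed copies of azure_tenant.subscription_policy
# (the Microsoft.Subscription/policies/default resource) with SQL null semantics.
BLOCK_INTO = "blockSubscriptionsIntoTenant"
BLOCK_LEAVING = "blockSubscriptionsLeavingTenant"


def _prop(policy: Optional[dict], name: str) -> Optional[bool]:
    """Mirror (policy -> 'properties' -> name)::bool; None where SQL yields NULL."""
    if not policy:
        return None
    value = (policy.get("properties") or {}).get(name)
    return value if isinstance(value, bool) else None


def _as_text(value: Optional[bool]) -> str:
    """Mirror coalesce(value::text, 'false'): a missing property renders as 'false'."""
    return "false" if value is None else str(value).lower()


def evaluate(display_name: str, policy: Optional[dict]) -> dict:
    into = _prop(policy, BLOCK_INTO)
    leaving = _prop(policy, BLOCK_LEAVING)
    # (NULL)::bool = true is NULL in SQL, so a null column or missing key is 'alarm'.
    if into is True and leaving is True:
        status = "ok"
        reason = f"{display_name} subscription tenant transfer is restricted (Permit no one)."
    else:
        status = "alarm"
        reason = (f"{display_name} subscription tenant transfer is not restricted. "
                  f"Block subscriptions into tenant: {_as_text(into)}, "
                  f"Block subscriptions leaving tenant: {_as_text(leaving)}.")
    # Assumed from the Azure policy resource, not part of the page's query: the
    # exemptedPrincipals list names object IDs that may still transfer subscriptions.
    exempted = ((policy or {}).get("properties") or {}).get("exemptedPrincipals") or []
    return {"status": status, "reason": reason, "exempted_principals": exempted}


# Constructed sample tenants; names and values are not real tenant data.
SAMPLE_TENANTS = {
    "contoso": {"properties": {BLOCK_INTO: True, BLOCK_LEAVING: True}},
    "fabrikam": {"properties": {BLOCK_INTO: True, BLOCK_LEAVING: False}},
    "adatum": {"properties": {}},  # policy never edited: both values absent
    "woodgrove": None,  # subscription_policy column is null for this tenant
}


def run(tenants=SAMPLE_TENANTS) -> dict:
    """Evaluate every tenant, one result per azure_tenant row, keyed by display name."""
    return {name: evaluate(name, policy) for name, policy in tenants.items()}
```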