Control: Ensure that 'Users Can Create Tenants' is set to 'No'
Description
Restrict tenant creation to administrators only.
Usage
Run the control in your terminal:

```bash
powerpipe control run azure_compliance.control.iam_user_not_allowed_to_create_tenants
```

Snapshot and share results via Turbot Pipes:

```bash
powerpipe login
powerpipe control run azure_compliance.control.iam_user_not_allowed_to_create_tenants --share
```
SQL
This control uses a named query:

```sql
with distinct_tenant as (
  select distinct
    tenant_id,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  a.id as resource,
  case
    when a.default_user_role_permissions ->> 'allowedToCreateTenants' = 'true' then 'alarm'
    else 'ok'
  end as status,
  case
    when a.default_user_role_permissions ->> 'allowedToCreateTenants' = 'true' then a.display_name || ' allows user to create tenants.'
    else a.display_name || ' restricts the user to create tenants.'
  end as reason,
  t.tenant_id
from
  distinct_tenant as t,
  azuread_authorization_policy as a;
```
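As an added illustration that is not part of the mod, the Python below reproduces the control's CASE logic over constructed `azuread_authorization_policy`-shaped records, including the case a practitioner should be aware of: when `allowedToCreateTenants` is absent from `default_user_role_permissions`, the `->>` operator yields NULL, the comparison with `'true'` is not satisfied, and the row is reported as `ok` rather than flagged for review.

```python
# Constructed sample rows shaped like azuread_authorization_policy (not real tenant data).
# default_user_role_permissions is the JSON object the control inspects.
SAMPLE_POLICIES = [
    {"id": "policy-a", "display_name": "Tenant A",
     "default_user_role_permissions": {"allowedToCreateTenants": True}},
    {"id": "policy-b", "display_name": "Tenant B",
     "default_user_role_permissions": {"allowedToCreateTenants": False}},
    # Key missing entirely: mirrors a row where ->> returns NULL.
    {"id": "policy-c", "display_name": "Tenant C",
     "default_user_role_permissions": {"allowedToCreateApps": True}},
]


def json_text(obj, key):
    """Mimic PostgreSQL's ->> operator: value as text, or None when the key is absent/null."""
    value = obj.get(key)
    if value is None:
        return None
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def evaluate(policy):
    """Apply the control's CASE expressions to one row; returns (resource, status, reason)."""
    allowed = json_text(policy["default_user_role_permissions"], "allowedToCreateTenants")
    name = policy["display_name"]
    if allowed == "true":
        return policy["id"], "alarm", f"{name} allows user to create tenants."
    # As in the SQL, NULL = 'true' is not true, so a missing key falls through to 'ok'.
    return policy["id"], "ok", f"{name} restricts the user to create tenants."


def run_control(policies=SAMPLE_POLICIES):
    """Evaluate every row, like the control's SELECT over azuread_authorization_policy."""
    return [evaluate(p) for p in policies]


if __name__ == "__main__":
    for resource, status, reason in run_control():
        print(f"{status:5} {resource}: {reason}")
```

If a tenant's policy row lacks the key, confirm the setting in the Entra admin center rather than relying on the `ok` status alone.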