turbot/steampipe-mod-azure-compliance

Control: 5.3.6 Ensure 'Tenant Creator' role assignments are periodically reviewed

Description

Periodically review every Tenant Creator role assignment to confirm that each assignment is still accurate, justified and appropriate for the principal that holds it.

This recommendation should be applied alongside the recommendation "Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'".

A principal that holds Tenant Creator can create new Microsoft Entra tenants and becomes Global Administrator of each tenant it creates, outside the governance, logging and Conditional Access policies of the organization's home tenant. Unnecessary assignments therefore increase the risk of privilege escalation and unauthorized access.

Remediation

Remediate from Azure Portal

  1. Go to Microsoft Entra ID.
  2. Under Manage, click Roles and administrators.
  3. In the search bar, type Tenant Creator.
  4. Click the role.
  5. Click the name of an assignment.
  6. Check the box next to the Tenant Creator role.
  7. Click X Remove assignments.
  8. Click Yes.
  9. Repeat steps 1-8 for each assignment requiring remediation.

Default Value

The Tenant Creator role is not assigned by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_5_3_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_5_3_6 --share

SQL

This control is a manual control: its named query performs no check of Entra ID itself. It returns one `info` row per subscription so that the control shows up in reports as requiring human verification.

-- Emit a placeholder row per subscription; the review itself is manual.
select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;
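The query above only records that a review is due; the review itself still has to be performed against Entra ID. As an added example (not part of the azure_compliance mod or its query set), the following Steampipe query lists every current member of the Tenant Creator directory role, resolving each member ID against the azuread plugin's `azuread_user`, `azuread_group` and `azuread_service_principal` tables so that a reviewer can check each assignment against a business justification. It assumes the azuread plugin is installed and its connection points at the same tenant as the azure connection; the only filter it relies on is the built-in role's display name.

```sql
-- Added example, not part of steampipe-mod-azure-compliance.
-- Assumes the Steampipe azuread plugin is installed and connected to the
-- tenant under review.
--
-- Caveats a reviewer should know:
--   * azuread_directory_role only returns roles that have been activated in
--     the tenant. Tenant Creator is not assigned by default, so an empty
--     result means no active assignment exists.
--   * member_ids reflects active assignments only; PIM-eligible assignments
--     that have not been activated do not appear here.
with tenant_creator as (
  select
    id,
    display_name,
    role_template_id,
    -- one row per assigned principal
    jsonb_array_elements_text(member_ids) as member_id
  from
    azuread_directory_role
  where
    display_name = 'Tenant Creator'
)
select
  tc.display_name as role,
  tc.member_id,
  coalesce(u.display_name, g.display_name, sp.display_name, '<unresolved>') as member_name,
  case
    when u.id is not null then 'user'
    when g.id is not null then 'group'
    when sp.id is not null then 'servicePrincipal'
    else 'unknown'
  end as member_type,
  u.user_principal_name,
  u.account_enabled
from
  tenant_creator tc
  left join azuread_user u on u.id = tc.member_id
  left join azuread_group g on g.id = tc.member_id
  left join azuread_service_principal sp on sp.id = tc.member_id
order by
  member_type,
  member_name;
```

Run it in `steampipe query` during each review cycle and reconcile every returned row with a documented justification; rows with `member_type = 'group'` warrant a second look, because every member of that group holds the role transitively, and rows with `account_enabled = false` are stale assignments that should be removed using the remediation steps above.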

Tags