
How to Restrict Non-Admin Users from Creating Tenants in Microsoft Entra ID: A Step-by-Step Guide


Non-privileged users can create tenants in Microsoft Entra ID (formerly Azure AD) from the Entra admin center under Manage tenants. You may want to restrict non-admin users from creating tenants so the organization can prevent any unauthorized or uncontrolled deployment of resources. This, in turn, helps the organization maintain control over its infrastructure.

Microsoft Entra ID – Manage tenants

This article will guide you through the process of restricting non-admin users from creating tenants in Microsoft Entra ID, ensuring your organization retains control over its resources and infrastructure.

Why Restrict Non-Admin Users from Creating Tenants?

The first question you may ask is, why restrict non-admin users from creating Tenants in Microsoft Entra ID?

Any non-privileged user who has access to Microsoft Entra ID can create a new tenant. The tenant creation is recorded on the Audit Logs page under the Category “DirectoryManagement” and the Activity “Create Company”, as shown in the figure below.

Microsoft Entra ID – Audit Logs (monitoring)

Alternatively, you can find the same events with the following KQL query if you have enabled Microsoft Entra ID diagnostic settings to send logs to Azure Monitor (a Log Analytics workspace).

AuditLogs
| where Category == "DirectoryManagement" and OperationName == "Create Company"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project TimeGenerated, Category, ActivityDisplayName, Actor
Microsoft Entra ID – Audit Logs (log analytics)
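For tenants that do not stream AuditLogs to a Log Analytics workspace, the same “Create Company” events can be pulled directly from the Entra audit log with Microsoft Graph PowerShell. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed and that you have connected with the AuditLog.Read.All scope, and the 30-day look-back window is an assumed default.

```powershell
# Added example (not from the original post): query "Create Company" audit events via
# Microsoft Graph PowerShell. Assumes you have already run:
#   Connect-MgGraph -Scopes "AuditLog.Read.All"
function Get-TenantCreationEvents {
    param(
        # Look-back window in days (assumed default; adjust to your audit log retention)
        [int]$Days = 30
    )
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")

    # Same criteria as the KQL query above: category DirectoryManagement, activity "Create Company"
    $filter = "category eq 'DirectoryManagement' and activityDisplayName eq 'Create Company' and activityDateTime ge $since"

    Get-MgAuditLogDirectoryAudit -Filter $filter -All |
        ForEach-Object {
            # Flatten each event to the same columns the KQL query projects, plus the result
            [pscustomobject]@{
                TimeGenerated = $_.ActivityDateTime
                Category      = $_.Category
                Activity      = $_.ActivityDisplayName
                Actor         = $_.InitiatedBy.User.UserPrincipalName
                Result        = $_.Result
            }
        }
}

# Usage: list every tenant created by a user in the last 90 days
Get-TenantCreationEvents -Days 90 | Format-Table -AutoSize
```

Any row returned here is a tenant your governance team did not provision, which is the signal to review before (and after) you apply the restriction described in the rest of this article.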

Related: Mastering Microsoft Entra ID – A Comprehensive Guide.

Anyone who creates a tenant becomes its Global Administrator. The newly created tenant doesn’t inherit any settings or configurations.

Limiting the creation of tenants is essential to prevent unauthorized or uncontrolled resource deployment and helps organizations retain control over their infrastructure. If users generate shadow IT, it can lead to multiple, disjointed environments, making it difficult for IT to manage and secure the organization’s data. Moreover, it can create confusion among other users in the organization who may use these tenants for business purposes, thinking that the organization’s security and governance team secures them.

Microsoft Entra Admin Center Portal

Our first option is restricting non-admin users from creating tenants in the Microsoft Entra Admin Center portal.

Step 1: Sign in to Microsoft Entra Admin Center

To begin, access the Microsoft Entra admin center portal using your administrator credentials.

Step 2: Navigate to Identity > Users > User settings

Once logged in, navigate to the “Identity” tab, then select “Users” followed by “User settings.”

Step 3: Restrict Non-Admin Users from Creating Tenants

Under Default user role permissions, set the “Restrict non-admin users from creating tenants” toggle to “Yes”, as shown in the figure below.

Restrict Non-Admin Users from Creating Tenants in Microsoft Entra Admin Center

Step 4: Save Changes

Finally, click “Save” to apply the changes.

Please note that you can perform and apply the same steps using the Azure portal by browsing the following URL directly.

Microsoft Graph PowerShell

The second option to restrict non-admin users from creating tenants is using Microsoft Graph PowerShell.

Microsoft Graph PowerShell SDK is the way forward. It is a PowerShell module that you can use to interact with Microsoft Entra ID and other Microsoft online services (SharePoint, Exchange, and Teams). It replaces the legacy Microsoft Online (MSOL) and AzureAD PowerShell modules.

Step 1: Install Microsoft Graph PowerShell Module

Begin by installing the Microsoft Graph PowerShell module using the following commands:

# Install Graph module for Current User 
Install-Module -Name Microsoft.Graph -Scope CurrentUser 

# Or install Graph module for All Users (Admin privilege) 
Install-Module -Name Microsoft.Graph -Scope AllUsers

As a side note, if you want to run beta commands against the Microsoft Graph beta endpoint, you need to install the separate “Microsoft.Graph.Beta” module by running the following command. The beta endpoint includes APIs that are currently in preview and not yet generally available. We don’t need the Microsoft Graph beta endpoint to restrict non-admin users from creating tenants in Microsoft Entra ID.

# Install Graph Beta module
Install-Module -Name Microsoft.Graph.Beta

Related: Getting Started with Microsoft Graph PowerShell for Microsoft Entra ID.

Step 2: Connect to Microsoft Graph PowerShell

The next step is to connect to Microsoft Graph PowerShell using the following command with the “Policy.ReadWrite.Authorization” scope. This scope is required to manage the “Default user role permissions,” which include restricting non-admin users from creating tenants, allowing users to create security groups, allowing users to register applications, allowing users to read other users, and more.

The following command will let you connect to Microsoft Graph interactively via delegated access where you want to authenticate with your account and consent, as shown in the figure below. You can also connect to Microsoft Graph non-interactively, such as through device authentication, access token, managed identity, and registered application, which is useful for CI/CD and automation.

# Connect to Microsoft Graph with specified Tenant and Scopes 
Connect-MgGraph -TenantId tenantname.onmicrosoft.com `
 -Scopes "Policy.ReadWrite.Authorization"
Microsoft Graph Command Line Tools

If you connect to Microsoft Graph without specifying scopes, you get some default access, but you might not be able to do anything useful with it. You need to specify what kind of information you’re looking for; if you run without scopes, you can only check your own user account.

Related: Check the Microsoft Graph permissions reference to learn about all the different scopes.

After connecting to Microsoft Graph, you can check whether non-admin users are currently allowed to create tenants by running the following command:

# Check the current status of AllowedToCreateTenants
# (a trailing pipe already continues the line; no backtick needed)
Get-MgPolicyAuthorizationPolicy |
 Select-Object -ExpandProperty DefaultUserRolePermissions |
 Format-Table AllowedToCreateTenants
Get-MgPolicyAuthorizationPolicy

We can see that “AllowedToCreateTenants” is enabled in this tenant; let’s disable it programmatically.

Step 3: Disable Allowed To Create Tenants

You can execute the following command to disable Allowed To Create Tenants:

# Restrict non-admin users from creating tenants
# Create object params hashtable and set the "AllowedToCreateTenants" to $false
$params = @{
   DefaultUserRolePermissions = @{
      AllowedToCreateTenants = $false
   }
}
# Update default authorization policy
Update-MgPolicyAuthorizationPolicy -BodyParameter $params  

Last but not least, let’s verify and confirm whether non-admin users are still allowed to create tenants:

# Check the current status of AllowedToCreateTenants
Get-MgPolicyAuthorizationPolicy |
 Select-Object -ExpandProperty DefaultUserRolePermissions |
 Format-Table AllowedToCreateTenants

We can see that “AllowedToCreateTenants” is disabled now.
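The check, update, and verify steps above can be combined into one idempotent function that is safe to run from a scheduled compliance job. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed and that you have already connected with the Policy.ReadWrite.Authorization scope, and the function and parameter names are my own.

```powershell
# Added example (not from the original post): idempotent check-and-enforce of the
# "Restrict non-admin users from creating tenants" setting. Assumes you have already run:
#   Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
function Get-TenantCreationAllowed {
    # Returns $true when non-admin users may create tenants (the risky default)
    $policy = Get-MgPolicyAuthorizationPolicy
    return [bool]$policy.DefaultUserRolePermissions.AllowedToCreateTenants
}

function Set-TenantCreationRestricted {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Report drift without changing anything (audit mode for a scheduled job)
        [switch]$ReportOnly
    )
    $before = Get-TenantCreationAllowed
    if (-not $before) {
        Write-Host "Compliant: non-admin users are already restricted from creating tenants."
        return [pscustomobject]@{ Before = $before; After = $before; Changed = $false }
    }

    Write-Warning "Drift: AllowedToCreateTenants is True (non-admin users can create tenants)."
    if ($ReportOnly) {
        return [pscustomobject]@{ Before = $before; After = $before; Changed = $false }
    }

    # -WhatIf / -Confirm are honoured here via SupportsShouldProcess
    if ($PSCmdlet.ShouldProcess("Default user role permissions", "Set AllowedToCreateTenants = false")) {
        $params = @{ DefaultUserRolePermissions = @{ AllowedToCreateTenants = $false } }
        Update-MgPolicyAuthorizationPolicy -BodyParameter $params

        # Re-read the policy rather than trusting the update call; this is the evidence to keep
        $after = Get-TenantCreationAllowed
        if ($after) { throw "Verification failed: AllowedToCreateTenants is still True." }
        return [pscustomobject]@{ Before = $before; After = $after; Changed = $true }
    }
}

# Usage:
#   Set-TenantCreationRestricted -ReportOnly   # audit only, no change
#   Set-TenantCreationRestricted -WhatIf       # show what would change
#   Set-TenantCreationRestricted               # enforce, then verify
```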


That’s it, there you have it!

In Conclusion

Safeguarding control over your organization’s infrastructure is paramount, and restricting non-admin users from creating tenants in Microsoft Entra ID is a crucial step in achieving this goal. By following the steps outlined in this article, you can ensure that only authorized administrators can create tenants, mitigating the risks associated with unauthorized resource deployment and maintaining centralized governance.

Whether you choose to restrict non-admin users from creating tenants through the Microsoft Entra Admin Center portal or by utilizing Microsoft Graph PowerShell, implementing these measures reinforces the security and integrity of your organization’s Entra ID environment.

By proactively limiting tenant creation to authorized personnel, you can prevent the proliferation of shadow IT environments, streamline resource management, and bolster overall security posture.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.