Preventing Tenant Creation in Entra ID [CHK-1155]
This check validates whether users can create new tenants in Entra ID. The creator of a new tenant automatically becomes its global administrator.
Rationale
Preventing the creation of new tenants is recommended to avoid the emergence of multiple, disconnected environments. Such environments can complicate IT's task of securing organizational data, especially if users start using these tenants for business purposes on the assumption that they are protected by the organization's security team.
Fix
An automated fix is available through Attic.
To fix it manually:
- Navigate to the Microsoft Entra Admin Center
- Expand Azure Active Directory
- Select Users then User settings
- Set Restrict non-admin users from creating tenants (preview) to Yes and click Save
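The same setting can be audited and changed through Microsoft Graph, where it is the allowedToCreateTenants property under defaultUserRolePermissions of the authorization policy. The script below is an added example, not Attic's own code; it assumes the Microsoft.Graph.Authentication module is installed, and the -Remediate switch is a name chosen for this example.

```powershell
# Added example: audit, and optionally fix, the tenant-creation setting.
# Assumes the Microsoft.Graph.Authentication module is installed.
param(
    [switch]$Remediate   # example switch: apply the fix when the check fails
)

$uri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

# Reading the policy needs Policy.Read.All; changing it needs
# Policy.ReadWrite.Authorization. Request only what this run requires.
$scope = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scope | Out-Null

function Get-TenantCreationAllowed {
    # Returns $true, $false, or $null when the property is missing from the response.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $uri
    return $policy.defaultUserRolePermissions.allowedToCreateTenants
}

$allowed = Get-TenantCreationAllowed

if ($null -eq $allowed) {
    Write-Warning 'UNKNOWN: allowedToCreateTenants was not returned; verify the setting in the portal.'
    return
}
if ($allowed -eq $false) {
    Write-Output 'PASS: non-admin users cannot create tenants.'
    return
}

Write-Warning 'FAIL: non-admin users can create tenants.'
if (-not $Remediate) { return }

# Equivalent to setting "Restrict non-admin users from creating tenants" to Yes.
$body = @{ defaultUserRolePermissions = @{ allowedToCreateTenants = $false } } |
    ConvertTo-Json -Depth 3
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'

# Re-read the policy so the result reflects what the tenant actually stores.
if ((Get-TenantCreationAllowed) -eq $false) {
    Write-Output 'FIXED: tenant creation is now restricted.'
} else {
    Write-Error 'The setting did not change; check the signed-in account''s permissions.'
}
```

Run it without -Remediate to report only; the account used must be able to consent to the requested scope.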
Impact
This fix ensures that only users with the "Tenant Creator" role can create new tenants, preventing regular users from creating disconnected environments.
More Information
For more details, visit Microsoft's documentation on user default permissions.