Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'


Non-privileged users can create tenants in the Azure AD and Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category 'DirectoryManagement' and activity 'Create Company'. Anyone who creates a tenant becomes the Global Administrator of that tenant. The newly created tenant doesn't inherit any settings or configurations.


Restricting tenant creation prevents unauthorized or uncontrolled deployment of resources and ensures that the organization retains control over its infrastructure. User generation of shadow IT could lead to multiple, disjointed environments that can make it difficult for IT to manage and secure the organization's data, especially if other users in the organization began using these tenants for business purposes under the misunderstanding that they were secured by the organization's security team.


Non-admin users will need to contact I.T. if they have a valid reason to create a tenant.


Restrict access to the Azure AD portal:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/

Click to expand Identity> Users > User settings.

Set Restrict non-admin users from creating tenants to Yes then Save.

To remediate using PowerShell:

Connect to Microsoft Graph using Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

Run the following commands.

# Create hashtable and update the auth policy
$params = @{ AllowedToCreateTenants = $false }
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $params

Default Value:

No - Non-administrators can create tenants.

AllowedToCreateTenants is True

See Also


Item Details


References: 800-53|AC-6

Plugin: microsoft_azure

Control ID: 614091eacb379b62e14fe171ba94d8d6068e131c9691f63fb80431a1c9671e38