Information
Non-privileged users can create tenants in the Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category 'DirectoryManagement' and activity 'Create Company'. Anyone who creates a tenant becomes the Global Administrator of that tenant. The newly created tenant doesn't inherit any settings or configurations.
Rationale:
Restricting tenant creation prevents unauthorized or uncontrolled deployment of resources and ensures that the organization retains control over its infrastructure. User generation of shadow IT could lead to multiple, disjointed environments that can make it difficult for IT to manage and secure the organization's data, especially if other users in the organization began using these tenants for business purposes under the misunderstanding that they were secured by the organization's security team.
Impact:
Non-admin users will need to contact I.T. if they have a valid reason to create a tenant.
Solution
To remediate using the UI:
Navigate to Microsoft Entra admin center https://entra.microsoft.com/
Click to expand Identity > Users > User settings.
Set Restrict non-admin users from creating tenants to Yes then Save.
To remediate using PowerShell:
Connect to Microsoft Graph using Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
Run the following commands.
# Build the DefaultUserRolePermissions hashtable and update the authorization policy
$params = @{ AllowedToCreateTenants = $false }
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $params
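The following script is an added example, not part of the benchmark text: it checks the current AllowedToCreateTenants value, applies the same update only when the -Remediate switch is given, and then lists recent 'Create Company' events from the Audit log so existing shadow tenants can be followed up. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the rights needed to change the authorization policy and read audit logs.

```powershell
# Added example (not from the benchmark): audit, optionally remediate, and detect.
# Assumes the Microsoft.Graph SDK is installed and the caller has sufficient rights.
param(
    [switch]$Remediate,       # apply the fix instead of only reporting
    [int]$LookbackDays = 30   # how far back to search the Audit log
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

# 1. Audit: the tenant-wide authorization policy is a singleton; read the flag.
$policy  = Get-MgPolicyAuthorizationPolicy
$allowed = $policy.DefaultUserRolePermissions.AllowedToCreateTenants

if ($allowed) {
    Write-Warning 'FAIL: non-admin users are currently allowed to create tenants.'
    if ($Remediate) {
        # Same change the benchmark prescribes; only this one property is set.
        $params = @{ AllowedToCreateTenants = $false }
        Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $params
        # Re-read the policy so the report reflects the stored value, not the request.
        $allowed = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateTenants
        Write-Host "Re-checked after update: AllowedToCreateTenants = $allowed"
    }
} else {
    Write-Host "PASS: AllowedToCreateTenants = $allowed"
}

# 2. Detection: tenant creation is recorded in the Audit log as category
#    'DirectoryManagement' with activity 'Create Company'.
$since  = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "category eq 'DirectoryManagement' and activityDisplayName eq 'Create Company' and activityDateTime ge $since"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

if (-not $events) {
    Write-Host "No 'Create Company' events in the last $LookbackDays days."
}
foreach ($e in $events) {
    # One row per creation event: who created a tenant, and when.
    [pscustomobject]@{
        When      = $e.ActivityDateTime
        Initiator = $e.InitiatedBy.User.UserPrincipalName
        Result    = $e.Result
    }
}
```

Run it without -Remediate first to see the current state and any past creations; users listed in the output are candidates for the I.T. follow-up described under Impact.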
Default Value:
No - Non-administrators can create tenants.
AllowedToCreateTenants is True