Intro
There is no direct way to deny administrators the ability to create free trial, Pay-as-you-go and Azure for Students subscriptions in Azure.

However, there are a few ways to limit and monitor their creation. Every organization should enable these settings to limit the possibility of users creating subscriptions and resources that are not governed by the IT department, the SOC team, etc.
Limits
Limit tenant creation
In the Azure Portal, navigate to Entra ID > User Settings.
Enable the toggle “Restrict non-admin users from creating tenants”
Limit access to Microsoft Entra Administration Portal
In the Azure Portal, navigate to Entra ID > User Settings.
Enable the toggle “Restrict access to Microsoft Entra admin center”
Be aware that Microsoft also recommends creating a CA policy:

Limit access to Azure Portal with CA policy
In the Azure portal, go to Microsoft Entra Conditional Access Policies.
Then, under Policies, choose to add a new policy.
Give the policy a name.
Include all users.
Exclude administrators.
Under Target Resources, include Windows Azure Service Management API.
Under Grant, choose to block access.
Then choose to keep the policy in report-only mode and create the policy.
Before switching the policy to On, monitor whether this new conditional access policy would block any valid administrator or user from something unexpected.
Monitor
Monitor created subscriptions
Using this simple PowerShell script (requires Az CLI installed), an administrator with Global Administrator permissions in Entra ID can see all subscriptions within the tenant and thereby look for any subscriptions not under a CSP or EA agreement.
(At the moment only PAYG subs are shown; I have not found the quotaId for trial and student subscriptions yet.)
# Log in to Az CLI - needed to grant your account the "User Access Administrator" role
# You need to have Az CLI installed before you can run the commands below
az login

# Grant the signed-in administrator the "User Access Administrator" role at root scope (/).
# You need to be Global Administrator in Entra ID before this command will work
az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

# List all subscriptions in the tenant (this command comes from the Az CLI "account" extension)
$subs = $(az account subscription list)
$subsArray = $subs | ConvertFrom-Json

foreach ($s in $subsArray)
{
    # quotaId has the form <offer>_<date>; keep only the offer part
    $Type = $s.SubscriptionPolicies.QuotaId.Split("_")[0]
    if ($Type -eq "PayAsYouGo")
    {
        Write-Host "FOUND THE FOLLOWING PAY-AS-YOU-GO SUBSCRIPTION" -ForegroundColor Red
        Write-Host "Name:" $s.displayName -ForegroundColor Yellow
        Write-Host "Id:" $s.SubscriptionId -ForegroundColor Yellow
        Write-Host "State:" $s.State -ForegroundColor Yellow
    }
}

# Remove the "User Access Administrator" role at root scope again
$UPN = $(az ad signed-in-user show --query userPrincipalName -o tsv)
az role assignment delete --assignee $UPN --role "User Access Administrator" --scope "/"
There are multiple ways of configuring automatic monitoring. One way is to use a Logic App combined with Log Analytics and alert rules. This is described in this article: Monitoring for Azure Subscription Creation | Microsoft Community Hub
Another way is to create an Automation account in Azure, grant reader permissions on the Tenant Root Management Group to the managed identity of the Automation account, modify the script to send the listed subscriptions by email (using Azure Communication Services with Graph API or SendGrid) and let it run at a scheduled interval.
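For such a scheduled job, the check can be turned around so that it reports every subscription whose offer is not on an allow-list, which also catches offers whose quotaId is not known in advance. The following is an added example, not the author's script: the function name, the allow-list prefixes and the sample data are assumptions to be adjusted to your own tenant.

```powershell
# Added example, not the author's script: report every subscription whose offer
# is NOT on an allow-list, so offers with an unknown quotaId are caught too.
# Assumption: these are the quotaId prefixes of the governed offers in your
# tenant; check them against your own output before relying on the result.
$AllowedOffers = @('EnterpriseAgreement', 'CSP')

function Get-UngovernedSubscription {
    param(
        [Parameter(Mandatory)] [string]   $Json,          # az account subscription list output
        [Parameter(Mandatory)] [string[]] $AllowedOffers
    )
    $subs = $Json | ConvertFrom-Json
    foreach ($s in $subs) {
        $quotaId = $s.subscriptionPolicies.quotaId
        # A missing quotaId is reported as well instead of failing on .Split()
        $offer = if ($quotaId) { $quotaId.Split('_')[0] } else { '<no quotaId>' }
        if ($offer -notin $AllowedOffers) {
            [pscustomobject]@{
                Name  = $s.displayName
                Id    = $s.subscriptionId
                State = $s.state
                Offer = $offer
            }
        }
    }
}

# Constructed sample in the shape of the CLI output (placeholder IDs and names;
# "SomeOtherOffer" is a made-up quotaId standing in for an unexpected offer).
$sample = @'
[
  {"displayName":"Landing zone prod","subscriptionId":"00000000-0000-0000-0000-000000000001",
   "state":"Enabled","subscriptionPolicies":{"quotaId":"EnterpriseAgreement_2014-09-01"}},
  {"displayName":"Dev sandbox","subscriptionId":"00000000-0000-0000-0000-000000000002",
   "state":"Enabled","subscriptionPolicies":{"quotaId":"PayAsYouGo_2014-09-01"}},
  {"displayName":"Unknown offer","subscriptionId":"00000000-0000-0000-0000-000000000003",
   "state":"Enabled","subscriptionPolicies":{"quotaId":"SomeOtherOffer_2020-01-01"}}
]
'@

$findings = Get-UngovernedSubscription -Json $sample -AllowedOffers $AllowedOffers
$findings | Format-Table -AutoSize

# In the scheduled job, pass (az account subscription list | Out-String) instead
# of $sample and send a mail only when $findings is not empty.
```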
If you do not want to use a script, the same feature can be enabled from the Azure Portal. Go to Entra ID and then Properties. Then enable Access management for Azure resources.
Now you can see all subscriptions under Subscriptions in the Azure portal (remember to remove the filter).
REMEMBER to remove the permission again after usage. Do not let the permission stay on.
Educate
Each user in your company should understand not to create their own subscriptions, even if they have the possibility to. These subscriptions are not governed in any way like your CSP or EA subscriptions usually are, with platform tools, landing zone deployments, security guardrails from Azure Policy, etc.