CIS.M365.5.1.2.3 - Ensure
Overviewβ
5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
Non-privileged users can create tenants in the Microsoft Entra ID and Microsoft Entra administration portal under "Manage tenant". The creation of a tenant is recorded in the Audit log as category "DirectoryManagement" and activity "Create Company". By default, the user who creates a Microsoft Entra tenant is automatically assigned the Global Administrator role. The newly created tenant doesn't inherit any settings or configurations.
Rationaleβ
Restricting tenant creation prevents unauthorized or uncontrolled deployment of resources and ensures that the organization retains control over its infrastructure. User generation of shadow IT could lead to multiple, disjointed environments that can make it difficult for IT to manage and secure the organization's data, especially if other users in the organization began using these tenants for business purposes under the misunderstanding that they were secured by the organization's security team.
Impactβ
Non-admin users will need to contact I.T. if they have a valid reason to create a tenant.
Remediation action:β
- Navigate to Microsoft 365 Entra admin center.
- Click to expand Entra ID > Users > User settings.
- Set Restrict non-admin users from creating tenants to Yes then Save.
PowerShellβ
- Connect to Microsoft Graph using
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" - Run the following commands:
# Create hashtable and update the auth policy
$params = @{ AllowedToCreateTenants = $false }
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $params
Related linksβ
- Microsoft 365 Entra admin center
- Restrict member users' default permissions
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 175
Test Metadataβ
| Field | Value |
|---|---|
| Test ID | CIS.M365.5.1.2.3 |
| Severity | Unknown |
| Suite | CIS |
| Category | CIS E3 Level 1 |
| PowerShell test | Test-MtCisCreateTenantDisallowed |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS E5, CIS E5 Level 1, CIS M365 v6.0.1, CIS.M365.5.1.2.3, L1, Security |
Sourceβ
- Pester test:
tests/cis/Test-MtCisCreateTenantDisallowed.Tests.ps1 - PowerShell source:
powershell/public/cis/Test-MtCisCreateTenantDisallowed.ps1