Version: 2.1.1-preview

MT.1068 - Restrict non-admin users from creating tenants

Overview

This test checks if tenant creation is restricted to admin users only.

"Yes" restricts the creation of Microsoft Entra ID tenants to the global administrator or tenant creator roles. "No" allows non-admin users to create Microsoft Entra ID tenants. Anyone who creates a tenant will become the global administrator for that tenant.

Tenant creation should be restricted to admin users who have undergone proper training and understand the responsibilities of tenant management, security governance, and compliance requirements.

Remediation action

This setting can be changed under User settings in the Microsoft Entra admin center or the Azure portal, or via the Microsoft Graph API / Microsoft Graph PowerShell module.

Admin Portal:

  1. Go to Entra Admin Center
  2. Navigate to Users → User settings
  3. Set Restrict non-admin users from creating tenants to Yes
  4. Click Save

Use the following PowerShell commands to restrict tenant creation:

# Connect to Microsoft Graph with appropriate permissions
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Get the current authorization policy
$authPolicy = Get-MgPolicyAuthorizationPolicy

# Update the policy to restrict tenant creation
$params = @{
    defaultUserRolePermissions = @{
        allowedToCreateTenants = $false
    }
}

Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId $authPolicy.Id -BodyParameter $params
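The following is an added example, not Maester's own Test-MtTenantCreationRestricted implementation, showing how to verify the setting after remediation (or before, to confirm the finding). The evaluation logic is kept in a function that takes the authorization policy object as a parameter, so it can be exercised offline against constructed objects and then pointed at the live policy returned by Get-MgPolicyAuthorizationPolicy. The function name and the sample objects are this example's own assumptions.

```powershell
# Added example: evaluate whether an Entra authorization policy restricts
# tenant creation to admins. This is not the Maester project's own code.

function Test-TenantCreationRestrictedPolicy {
    <#
    .SYNOPSIS
    Returns an object with Passed = $true when
    DefaultUserRolePermissions.AllowedToCreateTenants is $false.
    Accepts the object returned by Get-MgPolicyAuthorizationPolicy or a
    hashtable of the same shape (PowerShell property access is
    case-insensitive, so camelCase Graph JSON keys also work).
    #>
    param(
        [Parameter(Mandatory)] $AuthorizationPolicy
    )

    $allowed = $AuthorizationPolicy.DefaultUserRolePermissions.AllowedToCreateTenants

    # A missing value is reported as a failure: the Graph default for this
    # setting is $true (anyone may create tenants), so absence must not be
    # read as "restricted".
    if ($null -eq $allowed) {
        return [pscustomobject]@{
            Passed  = $false
            Message = 'allowedToCreateTenants was not returned; treat tenant creation as unrestricted and re-check permissions.'
        }
    }

    if ($allowed -eq $false) {
        return [pscustomobject]@{
            Passed  = $true
            Message = 'Tenant creation is restricted to admin users.'
        }
    }

    [pscustomobject]@{
        Passed  = $false
        Message = 'Non-admin users can create tenants; set allowedToCreateTenants to $false.'
    }
}

# Constructed sample objects (not real tenant data) showing each outcome offline.
$restricted   = @{ DefaultUserRolePermissions = @{ AllowedToCreateTenants = $false } }
$unrestricted = @{ DefaultUserRolePermissions = @{ AllowedToCreateTenants = $true } }
$missing      = @{ DefaultUserRolePermissions = @{} }

Test-TenantCreationRestrictedPolicy -AuthorizationPolicy $restricted
Test-TenantCreationRestrictedPolicy -AuthorizationPolicy $unrestricted
Test-TenantCreationRestrictedPolicy -AuthorizationPolicy $missing

# Live check against the signed-in tenant. Reading the policy needs only a
# read scope; the write scope from the remediation steps is not required here.
# Requires the Microsoft.Graph.Identity.SignIns module.
# Connect-MgGraph -Scopes "Policy.Read.All"
# Test-TenantCreationRestrictedPolicy -AuthorizationPolicy (Get-MgPolicyAuthorizationPolicy)
```

Run the live lines after applying the remediation above; a Passed value of False with the "not returned" message usually means the signed-in account lacks permission to read the policy rather than that the setting is wrong, so resolve the permission before re-running the test.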

Test Metadata

| Field           | Value                             |
|-----------------|-----------------------------------|
| Test ID         | MT.1068                           |
| Severity        | Medium                            |
| Suite           | Maester                           |
| Category        | Entra                             |
| PowerShell test | Test-MtTenantCreationRestricted   |
| Tags            | Entra, MT.1068                    |

Source

  • Pester test: tests/Maester/Entra/Test-MtTenantCreationRestricted.Tests.ps1
  • PowerShell source: powershell/public/maester/entra/Test-MtTenantCreationRestricted.ps1