General
This check verifies whether users are able to create new tenants in Entra ID (formerly Azure AD). Anyone who creates a new tenant automatically becomes its global administrator.
Rationale
Even though a new tenant will have no relation to the one from which the user originates, it is still recommended to block the creation of new tenants. The risk is that multiple, disconnected environments may arise, making it complicated for IT to secure organizational data, especially if users within the organization start using such tenants for business purposes and mistakenly assume they are protected by the organization's security team.
Attic Fix
A fix is available for this check! It will be offered via a ticket in Attic, which you can then accept.
Manual Instruction
Follow these steps to adjust the setting:
- Navigate to Microsoft Entra Admin Center https://aad.portal.azure.com
- Click to expand Azure Active Directory
- Select Users and then User settings
- Change the setting Restrict non-admin users from creating tenants (preview) to Yes and click Save
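The same setting can also be audited and changed from PowerShell. The script below is an added example, not part of the original article and not the Attic fix itself; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account may consent to the listed scopes. The `-Remediate` switch is a name chosen for this example.

```powershell
# Added example: audit and optionally remediate the tenant-creation setting.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
param(
    # Hypothetical switch for this example: apply the fix when present.
    [switch]$Remediate
)

# A read-only scope is enough for the audit; changing the policy
# requires Policy.ReadWrite.Authorization.
$scope = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scope

# The tenant-wide authorization policy holds the default user permissions.
$policy  = Get-MgPolicyAuthorizationPolicy
$allowed = $policy.DefaultUserRolePermissions.AllowedToCreateTenants

if ($allowed -eq $false) {
    Write-Output 'COMPLIANT: non-admin users cannot create tenants.'
    return
}

# A value of $true (or an unset value) means the restriction is not enforced.
Write-Warning "NON-COMPLIANT: AllowedToCreateTenants is '$allowed'."

if (-not $Remediate) {
    Write-Output 'Run again with -Remediate to restrict tenant creation.'
    return
}

# Same effect as setting "Restrict non-admin users from creating tenants" to Yes.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    AllowedToCreateTenants = $false
}

# Re-read the policy to confirm the change was stored.
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateTenants
if ($after -eq $false) {
    Write-Output 'REMEDIATED: non-admin users can no longer create tenants.'
} else {
    Write-Error "Setting is still '$after'; check permissions and retry."
}
```

With the restriction in place, accounts that hold the Tenant Creator role can still create tenants, so review who is assigned that role as part of the same check.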
CIS Mapping
- CIS Item: 1.1.22 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' (Manual)
- Profile: E3 Level 1