Thank you for the response, I can confirm this solution has worked as described.
How do we prevent non-admin users from creating their own azure subscriptions when they sign up for a free Azure trial using their corporate microsoft account? We do not have an Enterprise agreement.
Hi Q&A,
I recently discovered an unknown Azure subscription under our "Tenant Root Group" management group in the Azure Admin portal. This appears to have been created by a non-admin standard organisation user that does not have any elevated permissions.
They have simply used the https://signup.azure.com/ URL to set up a free trial subscription using their corporate email address/account, which after 30 days (probably) becomes a PAYG subscription. I suspect the billing might also default to the profile stored against the tenant root group (i.e. the company billing method).
This user was made an owner of this subscription and can go ahead and create any resources as required. Seems like a pretty gaping security hole, especially if the account had been compromised and allowed an attacker to gain access.
I cannot see any simple way of blocking this action at the tenant level or via the Tenant Root Group permissions, and it appears many other people have raised a similar issue. Please can you advise what course of action can be taken to prevent this from happening. We do not want users creating their own subscriptions in our corporate tenant.
As per some of the other online responses, we do not have an EA, so the option to ask Microsoft to block this at the EA level is not available to us.
I have seen some suggestions around creating a "dummy" management group under the root, and setting this as the default for new subscription creation, and then configuring the permissions to block all resource creation.
If this is the only practical solution, please provide some clear, up-to-date instructions on how to implement this correctly?
Appreciate any help offered.
Thanks
Andrew
Suchitra Suregaunkar 170 Reputation points Microsoft External Staff Moderator
2025-07-28T10:59:38.16+00:00
Hello AShannon,
Thank you for posting your query on the Microsoft Q&A platform.
Currently, there is no setting or process that can fully prevent the creation of personal subscriptions using corporate credentials. However, there are several ways to limit this based on your specific needs. If you have an Enterprise Agreement with Microsoft Azure, you can submit a support ticket to the Microsoft Azure Subscription Management and Support team from your Azure Admin Account to request blocking non-EA subscription sign-ups from your EA tenant.
If you do not have an Enterprise Agreement with Microsoft but still want to control subscriptions created on your Microsoft Entra ID tenant by employees using corporate credentials, you can, as a Global Admin, elevate your access to manage all subscriptions created within your tenant.
Referral Link: Elevate access to manage all Azure subscriptions and management groups.
Another way to block users from creating resources in your corporate Azure AD tenant is to use Management Group policies.
1. Go to Management Groups in Azure
2. Create a new Management Group under the "Tenant Root Group"
   Name it "Non-Company Resources"
3. Click on Settings
   1. Change the default management group for subscriptions to "Non-Company Resources"
   2. Turn on "require write permissions for creating new management groups"
   3. Click back to "Overview"
4. Under the Tenant Root Group (click on it under Management Groups)
5. Expand Governance and click on Policy
6. Expand Authoring and click on Definitions
7. Search for "Not allowed"
8. Duplicate the definition
9. Change the definition location to your new Management Group
10. Change the name to "Deny all resources"
11. Remove everything in the Policy Rule and paste in the following:

```json
{
  "mode": "All",
  "policyRule": {
    "if": { "field": "type", "like": "Microsoft.*" },
    "then": { "effect": "deny" }
  },
  "parameters": {}
}
```
- Create
- Now, go back to your Management Groups, and click into the new Management Group.
- Expand Governance -> Policy
- You'll land on the Compliance tab
- Assign Policy
- Make sure the scope is set to "Non-Company Resources". It should default to this if you selected it in the Management Group.
- For the Policy Definition, search for "Deny All" and select your new definition.
- Add
- Review and Create, then Create
- After a minute and a refresh you should see it assigned.
- Now we can move subscriptions to the new Management Group
- Log in to the account with the Subscription that we moved and try to create a new Resource Group; creation of new resources will be prevented.
Thanks, Suchitra.
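The same portal steps as an Azure CLI script, added here as an example and not part of the answer above. It assumes `az login` has been done by a Global Admin who has already elevated access, and the management group and policy names are placeholders chosen for this example; the `audit` mode lists subscriptions that still sit directly under the Tenant Root Group (such as self-signups created before the default was changed).

```shell
#!/bin/sh
# Added example (not from the Q&A answer): Azure CLI version of the portal steps.
# Assumed: `az login` done by a Global Admin with elevated access; MG_NAME and
# POLICY_NAME are placeholder names, not values from the post.
set -eu

MG_NAME="non-company-resources"          # placeholder; portal steps use "Non-Company Resources"
MG_DISPLAY="Non-Company Resources"
POLICY_NAME="deny-all-resources"

# Full resource path of a management group, used for hierarchy settings and policy scope.
mg_scope() { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }

# The deny-all rule from the answer (the "policyRule" object only; mode is passed separately).
deny_all_policy_rule() {
  cat <<'EOF'
{ "if": { "field": "type", "like": "Microsoft.*" }, "then": { "effect": "deny" } }
EOF
}

root_mg() { az account show --query tenantId -o tsv; }   # Tenant Root Group ID == tenant ID

quarantine_new_subscriptions() {
  root=$(root_mg)
  # 1) Management group directly under the Tenant Root Group
  az account management-group create --name "$MG_NAME" --display-name "$MG_DISPLAY" --parent "$root"
  # 2) New subscriptions land there; creating further MGs requires write permission on the parent
  az account management-group hierarchy-settings create --name "$root" \
      --default-management-group "$(mg_scope "$MG_NAME")" --require-authorization True
  # 3) Deny-all definition stored at the quarantine MG, then 4) assigned at that scope
  policy_id=$(az policy definition create --name "$POLICY_NAME" --display-name "Deny all resources" \
      --mode All --management-group "$MG_NAME" --rules "$(deny_all_policy_rule)" --query id -o tsv)
  az policy assignment create --name "$POLICY_NAME" --policy "$policy_id" --scope "$(mg_scope "$MG_NAME")"
}

# Audit: subscriptions still parented directly to the Tenant Root Group.
# Child entries whose type is '/subscriptions' are printed as "display name<TAB>subscription id".
list_root_subscriptions() {
  az account management-group show --name "$(root_mg)" --expand \
      --query "children[?type=='/subscriptions'].[displayName,name]" -o tsv
}

case "${1:-}" in
  apply) quarantine_new_subscriptions ;;
  audit) list_root_subscriptions ;;
  *) echo "usage: $0 apply|audit" >&2 ;;
esac
```

If hierarchy settings already exist for the tenant, use `az account management-group hierarchy-settings update` with the same options instead of `create`.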