
I'm trying to write a custom policy to prevent all kinds of users from creating subscriptions directly under the tenant level. Rather, subscriptions should only be created under the management group level.

I tried multiple ways of authoring and testing the policy but had no luck.

Any help would be highly appreciated.

I tried multiple combinations with the following aliases, targeting the root management group and the tenant: `Microsoft.Subscription/subscriptions`, `Microsoft.Resources/subscriptions`

but was not able to make it functional.

Shan

1 Answer


You can change the default management group for new subscriptions in your tenant: Management Group blade -> Settings.

Then you can require write permissions on the management group where new subscriptions are created.

https://learn.microsoft.com/en-us/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---default-management-group

JSvedberg
  • Not sure whether this can be achieved through the Azure policy. Yes, I agree that we can do the same manually but I'm looking in terms of an Azure policy. – Shan Mar 02 '23 at 21:01
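The two settings the answer describes (default management group for new subscriptions, and requiring write permission on that group) can also be applied and verified non-interactively. The following is an added example, not code from the original answer or from Microsoft; it assumes the Microsoft.Management hierarchy-settings REST endpoint and property names (`defaultManagementGroup`, `requireAuthorization`) documented on the linked page, API version `2021-04-01`, and a caller who has already run `az login` with rights on the root management group. The management group IDs used in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example: apply the "default management group" and "require
# authorization" hierarchy settings through the Azure REST API with `az rest`.
# Assumptions: endpoint, property names and api-version as on the linked
# learn.microsoft.com page; `az login` already done with Owner on the root group.

API_VERSION="2021-04-01"

# URL of the hierarchy settings resource for a root management group.
# The root management group ID is the tenant ID.
hierarchy_settings_url() {
  root_mg="$1"
  printf 'https://management.azure.com/providers/Microsoft.Management/managementGroups/%s/settings/default?api-version=%s' \
    "$root_mg" "$API_VERSION"
}

# Request body: route new subscriptions to the given management group and
# require Microsoft.Management/managementGroups/subscriptions/write on it,
# so a user without that permission cannot create a subscription at all.
hierarchy_settings_body() {
  default_mg="$1"
  printf '{"properties":{"defaultManagementGroup":"/providers/Microsoft.Management/managementGroups/%s","requireAuthorization":true}}' \
    "$default_mg"
}

# PUT the settings (only runs when explicitly invoked; needs network + az CLI).
apply_hierarchy_settings() {
  root_mg="$1"; default_mg="$2"
  az rest --method put \
    --url "$(hierarchy_settings_url "$root_mg")" \
    --body "$(hierarchy_settings_body "$default_mg")"
}

# Read the settings back to confirm requireAuthorization is true.
show_hierarchy_settings() {
  root_mg="$1"
  az rest --method get --url "$(hierarchy_settings_url "$root_mg")"
}

# Usage (placeholder IDs, not real values):
#   sh protect-hierarchy.sh apply 00000000-0000-0000-0000-000000000000 landing-zones
#   sh protect-hierarchy.sh show  00000000-0000-0000-0000-000000000000
case "${1:-}" in
  apply) apply_hierarchy_settings "$2" "$3" ;;
  show)  show_hierarchy_settings "$2" ;;
esac
```

With `requireAuthorization` set, a user who lacks write permission on the default management group is blocked from creating a subscription, which is the effect the question was trying to get from an Azure Policy definition.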