In this blog post we look at a new setting in the Azure AD portal: “Users can create Azure AD tenants”. Unfortunately, the setting is enabled by default. Not sure why, but I guess most organizations will want to turn this off. You can find the setting in the Azure AD portal under Settings / Users / User settings / Tenant creation.
‘Yes’ allows default users to create Azure AD tenants. ‘No’ allows only users with the global administrator or tenant creator roles to create Azure AD tenants. Anyone who creates a tenant will become the global administrator for that tenant.
Let’s look at what a standard user can do when the setting is enabled and they have access to the Azure AD portal (portal access itself is governed by a separate setting, ‘Restrict access to the Azure AD administration portal’).
Select Manage tenants
Then select Create
Select a tenant type
And finally enter the name of the tenant
… and after a few minutes Sam has their own tenant.
We also get an audit log entry for this activity, with the activity type ‘Create Company’.
The entry also includes the Tenant ID of the tenant that was created.
If you haven’t disabled the setting yet, here’s a KQL query to find out whether someone in your organization has already created a tenant.
And here’s another query to find out who enabled the feature again, after you had disabled it.
If you use Microsoft Sentinel, you can create Analytic rules for both activities.
Below are the KQL queries.
// New Azure AD Tenant created
AuditLogs
| where OperationName == "Create Company"
| extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend InitiatedByIP = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend TenantId = tostring(TargetResources.id)
| project TimeGenerated, OperationName, TenantId, InitiatedByUser, InitiatedByIP
// AzureAD - Allow users to create tenants - enabled
AuditLogs
| where OperationName == "Update authorization policy"
| extend Settings = parse_json(tostring(TargetResources.modifiedProperties))
| mv-expand Settings
| where Settings.displayName == "DefaultUserRolePermissions.AllowedToCreateTenants"
| extend Setting = tostring(Settings.displayName)
| extend newValue = tostring(Settings.newValue)
| extend oldValue = tostring(Settings.oldValue)
| extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend InitiatedByIP = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| project TimeGenerated, OperationName, Setting, newValue, oldValue, InitiatedByUser, InitiatedByIP, SourceSystem
| where newValue == "true"
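If you export AuditLogs out of Log Analytics and want the same two checks in code, here is an added Python example (written for this post, not the author's queries) that mirrors both KQL queries over constructed records. The record layout (InitiatedBy.user, TargetResources[].id and modifiedProperties[]) and every sample value are assumptions; the example also normalises JSON-quoted property values such as "\"true\"" before comparing, where the KQL compares the bare string "true".

```python
SETTING = "DefaultUserRolePermissions.AllowedToCreateTenants"

def _event(time, op, upn, ip, target_id, props=()):
    """Builds a constructed record in the (assumed) AuditLogs shape the queries read."""
    return {"TimeGenerated": time, "OperationName": op,
            "InitiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
            "TargetResources": [{"id": target_id, "modifiedProperties": list(props)}]}

SAMPLE_AUDIT_LOGS = [  # every value below is made up for the example
    _event("2023-01-10T09:12:00Z", "Create Company", "sam@contoso.example", "203.0.113.10",
           "11111111-2222-3333-4444-555555555555"),
    _event("2023-01-11T14:30:00Z", "Update authorization policy", "admin@contoso.example",
           "198.51.100.7", "authorizationPolicy",
           [{"displayName": SETTING, "oldValue": "\"false\"", "newValue": "\"true\""}]),
    _event("2023-01-12T08:00:00Z", "Update authorization policy", "admin@contoso.example",
           "198.51.100.7", "authorizationPolicy",
           [{"displayName": SETTING, "oldValue": "true", "newValue": "false"}]),  # disabled again
]

def _initiator(record):
    user = (record.get("InitiatedBy") or {}).get("user") or {}  # same fields as InitiatedBy.user
    return user.get("userPrincipalName"), user.get("ipAddress")

def _is_true(value):
    """Property values are strings and may be JSON-quoted ('"true"'); normalise before comparing."""
    return str(value).strip().strip('"').lower() == "true"

def tenants_created(records):
    """Mirrors the 'Create Company' query: one hit per tenant-creation event."""
    hits = []
    for r in records:
        if r.get("OperationName") != "Create Company":
            continue
        user, ip = _initiator(r)
        for target in r.get("TargetResources") or []:
            hits.append({"time": r["TimeGenerated"], "tenant_id": target.get("id"), "user": user, "ip": ip})
    return hits

def tenant_creation_reenabled(records):
    """Mirrors the 'Update authorization policy' query: the setting switched back to true."""
    hits = []
    for r in records:
        if r.get("OperationName") != "Update authorization policy":
            continue
        user, ip = _initiator(r)
        for target in r.get("TargetResources") or []:
            for prop in target.get("modifiedProperties") or []:  # the mv-expand step
                if prop.get("displayName") == SETTING and _is_true(prop.get("newValue")):
                    hits.append({"time": r["TimeGenerated"], "user": user, "ip": ip})
    return hits
```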