How to prevent a normal user to see a subscription or cancel or add a subscription?

Mohsen Akhavan 791

A regular user has access to some resource groups under a subscription. If users search "Subscription" in the Azure portal, they can see related subscriptions, and also they can "Cancel" or "Add" subscriptions.

I'm unsure if the user requests a "Cancel" subscription; does it work? But I'm looking for a way to disable it, or the user can not see the subscription.

Regarding the "Add" subscription, the user tried creating a free subscription with the company email address and personal information. Still, the created subscription shows under the company tenant, and we have a new billing profile.

For your information, the user has no access or hasn't been assigned a role in the IAM subscription.

User's image

1 answer

akinbade abiola 18,130 Reputation points

2024-08-14T22:10:55.2+00:00

"Cancel subscription" is controlled by RBAC permissions. Users without proper roles shouldn't be able to cancel, even if they can see the option.

See: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

You can also use an Azure Policy or a lock:

See: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deny-action

You can create also policies that prevent users from adding new subscriptions to the tenant.

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola
Please sign in to rate this answer.
Mohsen Akhavan 791 Reputation points

2024-08-15T14:38:56.23+00:00

@akinbade abiola Thanks for reply. Is there any document that prevents adding a new subscription with the policy?

Abdul 2,615 Reputation points Microsoft Vendor

2024-08-19T06:44:01.4733333+00:00

Hi Mohsen Akhavan,

To prevent users from adding new subscriptions to the tenant, you can create an Azure Policy. Follow the instructions in the link: https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy

"Have more questions? Feel free to ask. We're here to help."

Abdul 2,615 Reputation points Microsoft Vendor

2024-08-20T09:43:16.6066667+00:00

Hi Mohsen Akhavan,

Could you please provide an update on your issue?

If you have any questions or concerns, feel free to reach out to us. If the information provided has been helpful, please consider marking it as the accepted answer to close this case.

Mohsen Akhavan 791 Reputation points

2024-08-21T18:17:11.3033333+00:00

Hi Abdul,

It doesn't work. Let me explain more about the issue.
The user with user@mycompany.com can go to the "Subscription" in the Azure portal and click the "Add" button, a request for Free Subscription, and other options.
Users can sign up using their personal and billing information. However, the user's subscription shows in the mycompany.com tenant, and we also see a new billing profile.

I want to prevent this.

Mohsen Akhavan 791 Reputation points

2024-08-21T18:39:05.84+00:00

Hi Abdul,

It doesn't work. Let me explain more about the issue. A user with user@mycompany.com can go to the "Subscription" section of the company Azure portal page. There is an option that allows users to click on the "Add" button, and they are redirected to a page that requests "Free Subscription" or other options. Users can create a subscription with their personal and billing information, and then the user's subscription shows as mycompany.com tenant. Also, we have a new billing profile with the user's name. It doesn't make sense to me. I know the bill responsible is the user, but I saw a lot of subscriptions for my company tenant. I'm looking for a way to prevent this.

Abdul 2,615 Reputation points Microsoft Vendor

2024-08-22T08:19:03.22+00:00

Hi Mohsen Akhavan,

Ensure that users do not have unnecessary permissions that allow them to create new subscriptions:

Check User Roles: Go to Microsoft Entra ID-> Roles and administrators and review the roles assigned to users. Users with roles such as Owner or Contributor at the tenant or subscription level might be able to create new subscriptions.

Could you please check and confirm whether this feature is enabled or disabled in your tenant settings. You can check if this is configured by reviewing the Elevate access to manage all Azure subscriptions and management groups documentation.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to prevent a normal user to see a subscription or cancel or add a subscription?

1 answer

Your answer