Disable user ability to create subscriptions

Question

I want to have full control of all subscription creations in my tenant. If I disable the ability of end users to create new subscriptions in my tenant, how would subscriptions be created going forward and what would be negatively impacted?

(Is "AdHoc Subscriptions" the correct terminology for what I'm describing?)

Answer 1

I think turning off “Allow users to create Azure subscriptions” just stops self‑service creation. New subscriptions can only be created by EA/MCA billing roles, and existing ones keep working. Azure Policy doesn’t control subscription creation, and “AdHoc subscriptions” isn’t an Azure term.

Answer 2

Disabling end-user ability to create Azure subscriptions means that only specific privileged roles or billing admins will be able to create new subscriptions, and normal users will no longer be able to self-serve new subscriptions. In practice, this centralizes subscription lifecycle control to billing/enterprise admins and removes “self-service” or “ad hoc” subscription creation.

In the provided context, subscription creation in another tenant (for example, for a customer) works as follows:

• Only users with specific billing or enterprise roles can create subscriptions:
  • For Enterprise Agreement: Enterprise Administrator or Account Owner.
  • For Microsoft Customer Agreement: Billing account owner/contributor, Billing profile owner/contributor, or Invoice section owner.
• When creating a subscription in a different directory (tenant), a subscription creation request is generated. The designated subscription owner in the target tenant must accept the ownership request via email within seven days for the subscription to be created.
• These requests are visible in the Azure portal under Subscriptions > View Requests to:
  1. The tenant global administrator of the source tenant where the request was made.
  2. The user who created the subscription request.
  3. The user who made the request via the Subscription – Alias REST API.

If end users are blocked from creating subscriptions, going forward:

• New subscriptions will be created only by:
  • Enterprise/billing admins (EA or MCA roles listed above), or
  • Designated central IT roles that have the necessary billing permissions.
• End users will receive access to resources only through:
  • Being assigned to existing subscriptions via RBAC, or
  • Being made owners of subscriptions that central IT has created for them.

Negative impacts of disabling end-user subscription creation include:

• Loss of self-service agility: users cannot spin up their own subscriptions for experimentation or projects; they must request them from central IT.
• Increased operational overhead: central IT must handle all subscription creation and ownership routing, including managing subscription creation requests and ensuring the right owner accepts them within the seven-day window.
• Possible delays in project start: if request/approval processes are not streamlined, teams may wait longer for new subscriptions.

“Ad hoc subscriptions” is not the term used in the referenced material. The documentation refers to:

• “Subscriptions” in general, and
• “Subscription creation requests” when creating in another tenant.

The control being described is effectively disabling self-service subscription creation and requiring all subscriptions to be created and owned under central billing/enterprise administration.

---

References:

• Create an Enterprise Agreement subscription
• Create a Microsoft Customer Agreement subscription
• Azure Stack Hub services, plans, offers, subscriptions overview