Hey everyone! I'm diving into Azure management for my organization, and I've hit a roadblock. I learned from Microsoft support that there's no straightforward way to completely stop non-admins from creating their own Azure subscriptions (like through signup.azure.com). They can mistakenly use corporate credentials to set up personal subscriptions, which complicates our governance efforts. Microsoft suggested we could impose limits at the billing account level, but that doesn't really stop it. Does anyone have strategies or scripts in place to detect, block, or at least monitor this situation? I'd appreciate any tips! Thanks!
6 Answers
So anyone with a corporate email can just sign up and rack up charges for the organization?
What we usually do is set up a dedicated management group for all new subscriptions. You can tweak settings in the management group to apply a policy that blocks all actions. While this doesn't stop subscription creation itself, it prevents any subsequent costs from resources created. It’s funny how one customer figured they didn't need this, but then out of nowhere, a few subscriptions popped up, leading to a flurry of support tickets!
Yep, we do the same! Making it the default management group means any new subscription just shows up there. Super easy and effective.
This approach basically saves you from chaos.
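An added example, not part of any reply in this thread: a Python triage of a management group export that separates subscriptions sitting in the default "quarantine" group described above from those under an approved group and those under neither. The input shape is an assumption modelled on the output of `az account management-group entities list`, and every group name, subscription name and ID in the sample is constructed.

```python
import json

# Constructed sample; field names assumed to match the JSON printed by
# `az account management-group entities list`. All names and IDs are made up.
MG = "/providers/Microsoft.Management/managementGroups/"
SAMPLE = json.loads("""[
 {"id": "%(mg)stenant-root", "type": "Microsoft.Management/managementGroups", "displayName": "Tenant Root Group", "parent": {"id": null}},
 {"id": "%(mg)smg-quarantine", "type": "Microsoft.Management/managementGroups", "displayName": "Quarantine", "parent": {"id": "%(mg)stenant-root"}},
 {"id": "%(mg)smg-prod", "type": "Microsoft.Management/managementGroups", "displayName": "Production", "parent": {"id": "%(mg)stenant-root"}},
 {"id": "%(mg)smg-prod-apps", "type": "Microsoft.Management/managementGroups", "displayName": "Prod Apps", "parent": {"id": "%(mg)smg-prod"}},
 {"id": "/subscriptions/00000000-0000-0000-0000-000000000001", "type": "/subscriptions", "displayName": "Payments-Prod", "parent": {"id": "%(mg)smg-prod-apps"}},
 {"id": "/subscriptions/00000000-0000-0000-0000-000000000002", "type": "/subscriptions", "displayName": "Azure subscription 1", "parent": {"id": "%(mg)sMG-Quarantine"}},
 {"id": "/subscriptions/00000000-0000-0000-0000-000000000003", "type": "/subscriptions", "displayName": "Pay-As-You-Go", "parent": {"id": "%(mg)stenant-root"}}
]""" % {"mg": MG})

def parent_id(entity):
    """Lower-cased parent resource ID, or '' at the top of the hierarchy."""
    return ((entity.get("parent") or {}).get("id") or "").lower()

def mg_chain(entity, by_id):
    """Management group names above an entity, nearest first (IDs are case-insensitive)."""
    chain, seen = [], set()
    parent = parent_id(entity)
    while parent and parent not in seen:      # 'seen' guards against a malformed loop
        seen.add(parent)
        chain.append(parent.rsplit("/", 1)[-1])
        parent = parent_id(by_id.get(parent, {}))
    return chain

def triage(entities, quarantine_mg, approved_mgs):
    """Bucket every subscription by where it sits in the hierarchy."""
    by_id = {e["id"].lower(): e for e in entities}
    approved = {m.lower() for m in approved_mgs}
    report = {"quarantined": [], "unmanaged": [], "approved": []}
    for e in entities:
        if e.get("type") != "/subscriptions":
            continue
        chain = mg_chain(e, by_id)
        if quarantine_mg.lower() in chain:
            bucket = "quarantined"            # landed in the default group, needs review
        elif approved.intersection(chain):
            bucket = "approved"
        else:
            bucket = "unmanaged"              # e.g. directly under the tenant root
        report[bucket].append(e["displayName"])
    return report

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE, "mg-quarantine", {"mg-prod"}), indent=2))
```

Anything in the "quarantined" or "unmanaged" bucket is a subscription nobody has placed deliberately; the second bucket is the one a deny policy on the default group does not cover.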
That’s not entirely accurate. You can actually restrict subscription options right under your tenant settings.
Does this also apply to resources like those automatically created by Power BI?
If you're under an Enterprise Agreement or an MCA, reach out to support and ask them to restrict the offer types for new subscriptions in your directory. This way, only those linked to the billing account can create new subscriptions.
We don’t give users billing account access and instructed Microsoft to block any subscription types unrelated to dev test or tied to our MCA. They can indeed restrict subscription types, but you’ll have to submit a support request. We turned off some offer types our developers were using without oversight, and it’s worked well since, although there’s still that one procurement guy who circumnavigated us by going straight to our Microsoft account rep!
Not exactly, they have to use their payment info, but yeah, otherwise they can.