Non Admin Tenant Creation Blocked

<# .SYNOPSIS Non-Admin Tenant Creation Blocked .DESCRIPTION Prevents non-admin users from creating new Azure AD tenants .NOTES NL Baseline v2.0 #> #Requires -Version 5.1 #Requires -Modules Microsoft.Graph [CmdletBinding()] param([switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf) $ErrorActionPreference = 'Stop' Write-Host "`n========================================" -ForegroundColor Cyan Write-Host "Non-Admin Tenant Creation Blocked" -ForegroundColor Cyan Write-Host "========================================`n" -ForegroundColor Cyan function Invoke-Monitoring { try { Connect-MgGraph -Scopes "Policy.Read.All" -ErrorAction Stop -NoWelcome $authPolicy = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" $usersCanCreateTenants = $authPolicy.defaultUserRolePermissions.allowedToCreateTenants Write-Host " Users can create tenants: $(if($usersCanCreateTenants){'ALLOWED'}else{'BLOCKED'})" -ForegroundColor $( if (-not $usersCanCreateTenants) { 'Green' }else { 'Red' } ) Write-Host "`n Security Impact:" -ForegroundColor Cyan Write-Host " • Prevents shadow tenant creation" -ForegroundColor Gray Write-Host " • Reduces data sprawl" -ForegroundColor Gray Write-Host " • Enforces IT governance" -ForegroundColor Gray if (-not $usersCanCreateTenants) { Write-Host "`n[OK] COMPLIANT - Tenant creation restricted to admins" -ForegroundColor Green exit 0 } else { Write-Host "`n[FAIL] NON-COMPLIANT - Users can create tenants!" -ForegroundColor Red exit 1 } } catch { Write-Host "ERROR: $_" -ForegroundColor Red exit 2 } } function Invoke-Remediation { try { Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -ErrorAction Stop -NoWelcome $body = @{ defaultUserRolePermissions = @{ allowedToCreateTenants = $false } } | ConvertTo-Json Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy/authorizationPolicy" -Body $body -ErrorAction Stop Write-Host "`n[OK] Tenant creation blocked for non-admins" -ForegroundColor Green exit 0 } catch { Write-Host "ERROR: $_" -ForegroundColor Red exit 2 } } function Invoke-Revert { try { Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -ErrorAction Stop -NoWelcome $body = @{ defaultUserRolePermissions = @{ allowedToCreateTenants = $true } } | ConvertTo-Json Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy/authorizationPolicy" -Body $body -ErrorAction Stop Write-Host " ⚠️ Users can now create tenants" -ForegroundColor Yellow exit 0 } catch { Write-Host "ERROR: $_" -ForegroundColor Red exit 2 } } try { if ($Revert) { Invoke-Revert } elseif ($Monitoring) { Invoke-Monitoring } elseif ($Remediation) { Invoke-Remediation } else { Write-Host "Use: -Monitoring | -Remediation | -Revert" -ForegroundColor Yellow } } catch { throw } finally { Write-Host "`n========================================`n" -ForegroundColor Cyan }