Can't restrict Subscription creation with Azure Policy.

Swapnil Jambhulkar 0 Reputation points
2024-10-19T16:17:03.6566667+00:00

We created the policy that should restrict the creation of a new subscription if it has any or all of the specific tags missing.

The policy is not restricting the creation of a new subscription but is marking the subscription "non-compliant" after it has been created, if any given tag is missing.

The Policy rule is like below:

"policyRule": {
  "if": {
    "allOf": [
      {
        "equals": "Microsoft.Resources/subscriptions",
        "field": "type"
      },
      {
        "anyOf": [
          {
            "exists": "false",
            "field": "tags['ProjectName']"
          },
          {
            "exists": "false",
            "field": "tags['Environment']"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}

Is it possible to restrict subscription creation using Azure Policy?

Azure Policy
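
Added example (not part of the original question and not Azure's own evaluation engine): a simplified Python evaluator for the `if` condition of the rule above, run over a constructed inventory to list which records the condition matches, i.e. the ones that would show up as non-compliant. The sample records, the function names, and the case-insensitive comparison of tag names and `equals` values are assumptions of this sketch.

```python
import re

# "if" block of the policy rule from the question.
POLICY_IF = {"allOf": [
    {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
    {"anyOf": [
        {"field": "tags['ProjectName']", "exists": "false"},
        {"field": "tags['Environment']", "exists": "false"},
    ]},
]}

_TAG_FIELD = re.compile(r"^tags\['(.+)'\]$")
_MISSING = object()

def resolve_field(resource, field):
    """Return the value of a policy field, or _MISSING when it is absent."""
    m = _TAG_FIELD.match(field)
    if m:
        # Assumption of this sketch: tag names compare case-insensitively.
        tags = {k.lower(): v for k, v in (resource.get("tags") or {}).items()}
        return tags.get(m.group(1).lower(), _MISSING)
    return resource.get(field, _MISSING)

def matches(resource, cond):
    """Evaluate a condition tree built from allOf / anyOf / equals / exists."""
    if "allOf" in cond:
        return all(matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(resource, c) for c in cond["anyOf"])
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        # The rule writes the boolean as the string "false"; accept both forms.
        want = str(cond["exists"]).lower() == "true"
        return (value is not _MISSING) == want
    if "equals" in cond:
        # Assumption of this sketch: string equality ignores case.
        return value is not _MISSING and str(value).lower() == cond["equals"].lower()
    raise ValueError(f"unsupported condition: {cond}")

def flagged(resources, cond=POLICY_IF):
    """Names of the resources the condition matches (reported non-compliant)."""
    return [r["name"] for r in resources if matches(r, cond)]

# Constructed sample inventory, not real subscriptions.
SAMPLE = [
    {"name": "sub-tagged", "type": "Microsoft.Resources/subscriptions",
     "tags": {"ProjectName": "billing", "Environment": "prod"}},
    {"name": "sub-missing-env", "type": "Microsoft.Resources/subscriptions",
     "tags": {"ProjectName": "billing"}},
    {"name": "sub-no-tags", "type": "Microsoft.Resources/subscriptions"},
    {"name": "stg-no-tags", "type": "Microsoft.Storage/storageAccounts"},
]
```

Calling `flagged(SAMPLE)` returns the two subscriptions with a missing tag; the untagged storage account is skipped because the `type` condition does not match it.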

2 answers

  1. akinbade abiola 19,210 Reputation points
    2024-10-19T23:30:35.76+00:00

    There is no control in Entra to disable subscription signups (other than license-based subscriptions). There is an internal process for blocking non-EA subscriptions through a support ticket and we can only block non-EA offer sign-ups.

    This is referenced from: https://learn.microsoft.com/en-us/answers/questions/701756/prevent-standard-users-from-creating-subscriptions

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola


  2. Rohit Rai 1 Reputation point
    2024-11-20T16:18:10.97+00:00

    I'm trying a similar thing but am not able to enforce deny on subscription creation; only after creation does it show up as non-compliant.
