Disable user ability to create subscriptions

JayCarper-5747 396 Reputation points

I want to have full control of all subscription creations in my tenant. If I disable the ability of end users to create new subscriptions in my tenant, how would subscriptions be created going forward and what would be negatively impacted?

(Is "AdHoc Subscriptions" the correct terminology for what I'm describing?)


3 answers

  1. Suchitra Suregaunkar 14,595 Reputation points • Microsoft External Staff • Moderator

    Hello JayCarper-5747,

    You can control end‑user subscription creation at the tenant level using a built‑in Microsoft Entra ID (Azure AD) setting.

    Microsoft provides an official tenant setting called “Users can create Azure subscriptions”.

    • Location: Microsoft Entra admin center → Users → User settings
    • When set to No, regular users cannot create:
      • Pay‑As‑You‑Go subscriptions
      • Trial subscriptions
      • Visual Studio / Dev‑Test subscriptions

    This is the only supported and documented method to block user‑initiated subscription creation.

    Official documentation: https://learn.microsoft.com/entra/fundamentals/users-default-permissions#restrict-non-admin-users-from-creating-tenants-and-subscriptions

    Disabling this setting does not stop all subscription creation. It only stops self‑service (user‑initiated) creation.

    Subscriptions can still be created only by authorized roles, depending on your billing model:

    | Billing Model | Who can create subscriptions | How |
    | --- | --- | --- |
    | Enterprise Agreement (EA) | Enterprise Admin / Account Owner | EA portal or Azure portal |
    | Microsoft Customer Agreement (MCA) | Billing Account Owner / Invoice Section Owner | Azure portal or ARM API |
    | CSP | Partner (via Partner Center) | Partner Center |
    | Automation (ARM/Terraform) | Service principal with billing permissions | Microsoft.Subscription/aliases API |

    Subscription creation via ARM (official): https://learn.microsoft.com/azure/azure-resource-manager/management/manage-subscriptions-azure-cli#create-subscription-alias

    MCA subscription creation: https://learn.microsoft.com/azure/cost-management-billing/manage/create-subscription

    Is “AdHoc Subscriptions” the correct term?

    No. “AdHoc Subscriptions” is not an official Microsoft term.

    Microsoft uses:

    • Self‑service subscriptions
    • User‑created subscriptions

    These are the subscriptions created when the tenant setting is enabled.

    Terminology reference: https://learn.microsoft.com/entra/fundamentals/users-default-permissions

    What is negatively impacted?

    This is the expected and documented impact:

    • Developers cannot self‑create sandbox or POC subscriptions
    • All new subscriptions must go through central IT / billing owners
    • Organizations may experience slower provisioning unless automation is implemented

    Existing subscriptions are not affected, and resource deployment inside existing subscriptions continues to work.

    Microsoft does not recommend relying only on manual creation. Instead:

    Disable user creation and use automated subscription provisioning with governance.

    Official guidance:

    • Azure Landing Zones
    • Management Groups + Azure Policy
    • ARM/Terraform subscription vending

    Azure Landing Zones (official): https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/

    Subscription vending pattern: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/subscriptions

    • Disabling the Entra ID setting only blocks self‑service user subscriptions
    • Admins and billing owners can still create subscriptions
    • “AdHoc Subscriptions” is not official terminology
    • Microsoft recommends pairing this control with automated provisioning

    Kindly let us know if the solution provided worked for you.

    If you need any further assistance, please feel free to reach out.

    If you found the comment helpful, please consider clicking "Upvote it".

    Thanks,

    Suchitra.

    1. Suchitra Suregaunkar 14,595 Reputation points • Microsoft External Staff • Moderator

      Hello JayCarper-5747

      If the answer is helpful, could you please click "Accept Answer" and "Upvote" it? This helps other community members who may encounter a similar issue in the future.

      If you’re still experiencing the problem or need further clarification, please feel free to share additional information so we can continue investigating and assist you further.

      Thanks,

      Suchitra.
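The request a subscription-vending pipeline would send to the Microsoft.Subscription/aliases API named in the first answer, with the pre-flight checks a central team would want before it goes out. This is an added example, not code from any answer or from Microsoft; the naming rule, the management group name and the sample billing scope are constructed assumptions, and the function only builds the request without sending it.

```python
import re

# Billing scope shapes accepted by the aliases API, keyed by agreement type.
SCOPE_PATTERNS = {
    "EA": r"/providers/Microsoft\.Billing/billingAccounts/[^/]+/enrollmentAccounts/[^/]+",
    "MCA": r"/providers/Microsoft\.Billing/billingAccounts/[^/]+/billingProfiles/[^/]+/invoiceSections/[^/]+",
    "MPA": r"/providers/Microsoft\.Billing/billingAccounts/[^/]+/customers/[^/]+",  # partner/CSP
}
WORKLOADS = {"Production", "DevTest"}
NAME_RULE = re.compile(r"sub-[a-z0-9]+-(prod|dev|sandbox)")  # assumed house naming rule
API_VERSION = "2021-10-01"


def classify_billing_scope(scope):
    """Return 'EA', 'MCA' or 'MPA' for a billing scope, or raise ValueError."""
    for agreement, pattern in SCOPE_PATTERNS.items():
        if re.fullmatch(pattern, scope, flags=re.IGNORECASE):
            return agreement
    raise ValueError(f"unrecognised billing scope: {scope!r}")


def build_alias_request(alias, scope, workload, management_group, allowed=("EA", "MCA")):
    """Validate a vending request and return (method, url, body). Nothing is sent."""
    if not NAME_RULE.fullmatch(alias):
        raise ValueError(f"alias {alias!r} breaks the naming rule")
    if workload not in WORKLOADS:
        raise ValueError(f"workload must be one of {sorted(WORKLOADS)}")
    agreement = classify_billing_scope(scope)
    if agreement not in allowed:
        raise ValueError(f"{agreement} billing scopes are not vended by this pipeline")
    body = {"properties": {
        "displayName": alias,
        "billingScope": scope,
        "workload": workload,
        # Land the subscription under a management group so inherited policy applies.
        "additionalProperties": {
            "managementGroupId": f"/providers/Microsoft.Management/managementGroups/{management_group}",
        },
    }}
    url = f"https://management.azure.com/providers/Microsoft.Subscription/aliases/{alias}?api-version={API_VERSION}"
    return "PUT", url, body


if __name__ == "__main__":
    # Constructed sample values, not real billing identifiers.
    sample_scope = ("/providers/Microsoft.Billing/billingAccounts/acct-0001"
                    "/billingProfiles/prof-01/invoiceSections/sec-01")
    print(build_alias_request("sub-payments-dev", sample_scope, "DevTest", "mg-sandbox"))
```

The service principal that sends this request needs one of the billing roles listed in the table above on the chosen billing scope; the checks here only keep malformed or out-of-policy requests from reaching the API.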


  2. kagiyama yutaka 3,605 Reputation points

    I think turning off “Allow users to create Azure subscriptions” just stops self‑service creation. New subscriptions can only be created by EA/MCA billing roles, and existing ones keep working. Azure Policy doesn’t control subscription creation, and “AdHoc subscriptions” isn’t an Azure term.

  3. AI answer

    Disabling end-user ability to create Azure subscriptions means that only specific privileged roles or billing admins will be able to create new subscriptions, and normal users will no longer be able to self-serve new subscriptions. In practice, this centralizes subscription lifecycle control to billing/enterprise admins and removes “self-service” or “ad hoc” subscription creation.

    In the provided context, subscription creation in another tenant (for example, for a customer) works as follows:

    • Only users with specific billing or enterprise roles can create subscriptions:
      • For Enterprise Agreement: Enterprise Administrator or Account Owner.
      • For Microsoft Customer Agreement: Billing account owner/contributor, Billing profile owner/contributor, or Invoice section owner.
    • When creating a subscription in a different directory (tenant), a subscription creation request is generated. The designated subscription owner in the target tenant must accept the ownership request via email within seven days for the subscription to be created.
    • These requests are visible in the Azure portal under Subscriptions > View Requests to:
      1. The tenant global administrator of the source tenant where the request was made.
      2. The user who created the subscription request.
      3. The user who made the request via the Subscription – Alias REST API.

    If end users are blocked from creating subscriptions, going forward:

    • New subscriptions will be created only by:
      • Enterprise/billing admins (EA or MCA roles listed above), or
      • Designated central IT roles that have the necessary billing permissions.
    • End users will receive access to resources only through:
      • Being assigned to existing subscriptions via RBAC, or
      • Being made owners of subscriptions that central IT has created for them.

    Negative impacts of disabling end-user subscription creation include:

    • Loss of self-service agility: users cannot spin up their own subscriptions for experimentation or projects; they must request them from central IT.
    • Increased operational overhead: central IT must handle all subscription creation and ownership routing, including managing subscription creation requests and ensuring the right owner accepts them within the seven-day window.
    • Possible delays in project start: if request/approval processes are not streamlined, teams may wait longer for new subscriptions.

    “Ad hoc subscriptions” is not the term used in the referenced material. The documentation refers to:

    • “Subscriptions” in general, and
    • “Subscription creation requests” when creating in another tenant.

    The control being described is effectively disabling self-service subscription creation and requiring all subscriptions to be created and owned under central billing/enterprise administration.


    AI-generated content may be incorrect. Read our transparency notes for more information.