Share via

Disable user ability to create subscriptions

JayCarper-5747 396 Reputation points
2026-06-08T19:06:38.97+00:00

I want to have full control of all subscription creations in my tenant. If I disable the ability of end users to create new subscriptions in my tenant, how would subscriptions be created going forward and what would be negatively impacted?

(Is "AdHoc Subscriptions" the correct terminology for what I'm describing?)

Azure Policy
Azure Policy

An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Suchitra Suregaunkar 14,595 Reputation points Microsoft External Staff Moderator
    2026-06-10T19:43:26.7233333+00:00

    Hello JayCarper-5747 You can control end‑user subscription creation at the tenant level using a built‑in Microsoft Entra ID (Azure AD) setting.

    Microsoft provides an official tenant setting called “Users can create Azure subscriptions”.

    • Location: Microsoft Entra admin center → Users → User settings
    • When set to No, regular users cannot create:
      • Pay‑As‑You‑Go subscriptions
        • Trial subscriptions
          • Visual Studio / Dev‑Test subscriptions

    This is the only supported and documented method to block user‑initiated subscription creation.

    Official documentation: https://learn.microsoft.com/entra/fundamentals/users-default-permissions#restrict-non-admin-users-from-creating-tenants-and-subscriptions

    Disabling this setting does not stop all subscription creation. It only stops self‑service (user‑initiated) creation.

    Subscriptions can still be created only by authorized roles, depending on your billing model:

    Billing Model Who can create subscriptions How
    Enterprise Agreement (EA) Enterprise Admin / Account Owner EA portal or Azure portal
    Microsoft Customer Agreement (MCA) Billing Account Owner / Invoice Section Owner Azure portal or ARM API
    CSP Partner (via Partner Center) Partner Center
    Automation (ARM/Terraform) Service principal with billing permissions Microsoft.Subscription/aliases API

    Subscription creation via ARM (official): https://learn.microsoft.com/azure/azure-resource-manager/management/manage-subscriptions-azure-cli#create-subscription-alias

    MCA subscription creation: https://learn.microsoft.com/azure/cost-management-billing/manage/create-subscription

    Is “AdHoc Subscriptions” the correct term?

    No. “AdHoc Subscriptions” is not an official Microsoft term.

    Microsoft uses:

    • Self‑service subscriptions
    • User‑created subscriptions

    These are the subscriptions created when the tenant setting is enabled.

    Terminology reference: https://learn.microsoft.com/entra/fundamentals/users-default-permissions

    What is negatively impacted?

    This is the expected and documented impact:

    • Developers cannot self‑create sandbox or POC subscriptions
    • All new subscriptions must go through central IT / billing owners
    • Organizations may experience slower provisioning unless automation is implemented

    Existing subscriptions are not affected and Resource deployment inside existing subscriptions continues to work.

    Microsoft does not recommend relying only on manual creation. Instead:

    Disable user creation and Use automated subscription provisioning with governance

    Official guidance:

    • Azure Landing Zones
    • Management Groups + Azure Policy
    • ARM/Terraform subscription vending

    Azure Landing Zones (official): https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/

    Subscription vending pattern: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/subscriptions

    • Disabling the Entra ID setting only blocks self‑service user subscriptions
    • Admins and billing owners can still create subscriptions
    • “AdHoc Subscriptions” is not official terminology
    • Microsoft recommends pairing this control with automated provisioning

    Kindly let us know if the solution provided worked for you.

    If you need any further assistance, please feel free to reach out.

    If you found the comment helpful, please consider clicking "Upvote it".

    Thanks,

    Suchitra.

    Was this answer helpful?

  2. kagiyama yutaka 3,685 Reputation points
    2026-06-08T22:36:34.94+00:00

    I think turning off “Allow users to create Azure subscriptions” just stops self‑service creation. New subscriptions can only be created by EA/MCA billing roles, and existing ones keep working. Azure Policy doesn’t control subscription creation, and “AdHoc subscriptions” isn’t an Azure term.

    Was this answer helpful?

    0 comments

  3. AI answer

    2026-06-08T19:06:52.39+00:00

    Disabling end-user ability to create Azure subscriptions means that only specific privileged roles or billing admins will be able to create new subscriptions, and normal users will no longer be able to self-serve new subscriptions. In practice, this centralizes subscription lifecycle control to billing/enterprise admins and removes “self-service” or “ad hoc” subscription creation.

    In the provided context, subscription creation in another tenant (for example, for a customer) works as follows:

    • Only users with specific billing or enterprise roles can create subscriptions:
      • For Enterprise Agreement: Enterprise Administrator or Account Owner.
      • For Microsoft Customer Agreement: Billing account owner/contributor, Billing profile owner/contributor, or Invoice section owner.
    • When creating a subscription in a different directory (tenant), a subscription creation request is generated. The designated subscription owner in the target tenant must accept the ownership request via email within seven days for the subscription to be created.
    • These requests are visible in the Azure portal under Subscriptions > View Requests to:
      1. The tenant global administrator of the source tenant where the request was made.
      2. The user who created the subscription request.
      3. The user who made the request via the Subscription – Alias REST API.

    If end users are blocked from creating subscriptions, going forward:

    • New subscriptions will be created only by:
      • Enterprise/billing admins (EA or MCA roles listed above), or
      • Designated central IT roles that have the necessary billing permissions.
    • End users will receive access to resources only through:
      • Being assigned to existing subscriptions via RBAC, or
      • Being made owners of subscriptions that central IT has created for them.

    Negative impacts of disabling end-user subscription creation include:

    • Loss of self-service agility: users cannot spin up their own subscriptions for experimentation or projects; they must request them from central IT.
    • Increased operational overhead: central IT must handle all subscription creation and ownership routing, including managing subscription creation requests and ensuring the right owner accepts them within the seven-day window.
    • Possible delays in project start: if request/approval processes are not streamlined, teams may wait longer for new subscriptions.

    “Ad hoc subscriptions” is not the term used in the referenced material. The documentation refers to:

    • “Subscriptions” in general, and
    • “Subscription creation requests” when creating in another tenant.

    The control being described is effectively disabling self-service subscription creation and requiring all subscriptions to be created and owned under central billing/enterprise administration.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.