You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/cost-management-billing/manage/manage-azure-subscription-policy.md
+16-5Lines changed: 16 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,7 +1,7 @@
1
1
---
2
2
title: Manage Azure subscription policies
3
3
description: Learn how to manage Azure subscription policies to control the movement of Azure subscriptions from and into directories.
4
-
author: PreetiSGit
4
+
author: PreetiOne
5
5
ms.service: cost-management-billing
6
6
ms.subservice: billing
7
7
ms.topic: how-to
@@ -12,28 +12,38 @@ ms.author: presharm
12
12
13
13
# Manage Azure subscription policies
14
14
15
-
This article helps you configure Azure subscription policies for subscription operations to control the movement of Azure subscriptions from and into directories.
15
+
This article helps you to configure Azure subscription policies to control the movement of Azure subscriptions from and into directories. The default behavior of these two policies is set to **Allow Everyone**. Note that the setting of **Allow Everyone** allows all authorized users, including authorized guest users on a subscription to be able to transfer them. It does not mean all users of a directory.
16
16
17
17
## Prerequisites
18
18
19
19
- Only directory [global administrators](../../active-directory/roles/permissions-reference.md#global-administrator) can edit subscription policies. Before editing subscription policies, the global administrator must [Elevate access to manage all Azure subscriptions and management groups](../../role-based-access-control/elevate-access-global-admin.md). Then they can edit subscription policies.
20
20
- All other users can only read the current policy setting.
21
+
- Subscriptions transferred into or out of a directory must remain associated with a Billing Tenant to ensure billing occurs correctly.
21
22
22
23
## Available subscription policy settings
23
24
24
25
Use the following policy settings to control the movement of Azure subscriptions from and into directories.
25
26
26
27
### Subscriptions leaving a Microsoft Entra ID directory
27
28
28
-
The policy allows or stops users from moving subscriptions out of the current directory. [Subscription owners](../../role-based-access-control/built-in-roles.md#owner) can [change the directory of an Azure subscription](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md) to another one where they're a member. It poses governance challenges, so global administrators can allow or disallow directory users from changing the directory.
29
+
The policy allows or stops users from moving subscriptions out of the current directory. [Subscription owners](../../role-based-access-control/built-in-roles.md#owner) can [change the directory of an Azure subscription](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md) or use transfer features available on the Azure portal and APIs to another directory where they're a member. Global administrators can allow or disallow directory users from changing the directory or transfer of subscriptions.
30
+
- Set this policy to **Permit no one** if you do not want subscriptions to be transferred out of your directory. This policy applies to all authorized subscriptions users including authorized guest users of your directory.
31
+
- Set this policy to **Allow Everyone** if you want all authorized users including authorized guest users to be able to transfer subscriptions out of your directory.
29
32
30
33
### Subscriptions entering a Microsoft Entra ID directory
31
34
32
-
The policy allows or stops users from other directories, who have access in the current directory, to move subscriptions into the current directory. [Subscription owners](../../role-based-access-control/built-in-roles.md#owner) can [change the directory of an Azure subscription](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md) to another one where they're a member. It poses governance challenges, so global administrators can allow or disallow directory users from changing the directory.
35
+
The policy allows or stops users from other directories, who have access in the current directory, to move subscriptions into the current directory. [Subscription owners](../../role-based-access-control/built-in-roles.md#owner) can [change the directory of an Azure subscription](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md) or transfer them to another directory where they're a member. Global administrators can allow or disallow directory users from transferring these subscriptions.
36
+
- Set this policy to **Permit no one** if you do not want subscriptions to be transferred into your directory. This policy applies to all authorized users, including authorized guest users of your directory.
37
+
- Set this policy to **Allow Everyone** if you want all authorized users, including authorized guest users in your directory to be able to transfer subscriptions into your directory.
33
38
34
39
### Exempted Users
35
40
36
-
For governance reasons, global administrators can block all subscription directory moves - in to or out of the current directory. However they might want to allow specific users to do either operations. For either situation, they can configure a list of exempted users that allows the users to bypass the policy setting that applies to everyone else.
41
+
For governance reasons, global administrators can block all subscription directory moves - in to or out of the current directory. However they might want to allow specific users to do both operations. For both situations, they can configure a list of exempted users that allows these users to bypass all the policy settings that apply to everyone else.
42
+
43
+
#### Important note
44
+
Authorized users (including guest users) in your directory can create Azure subscriptions in another directory where they have billing permissions and then transfer those subscriptions into your Entra ID directory. If you don't want to allow this, you should set one or both of the following policies:
45
+
- Subscriptions leaving Entra ID directory should be set to **Permit no one**.
46
+
- Subscriptions entering Entra ID directory should be set to **Permit no one**.
37
47
38
48
## Setting subscription policy
39
49
@@ -53,3 +63,4 @@ Non-global administrators can still navigate to the subscription policy area to
53
63
## Next steps
54
64
55
65
- Read the [Cost Management + Billing documentation](../index.yml)
0 commit comments