
Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'

Why This Matters

Subscription owners can move Azure subscriptions between Microsoft Entra tenants, which carries significant security risks. When a subscription moves to another tenant, it may fall under different administrative controls, potentially exposing sensitive resources to unauthorized users or bad actors. Setting both policies to "Permit no one" ensures that only properly authorized personnel can make such changes, preventing data loss or unapproved modifications.

What Aether365 Checks

Aether365 verifies that the subscription policy settings for "Subscription leaving Microsoft Entra tenant" and "Subscription entering Microsoft Entra tenant" are both configured to "Permit no one." This check appears in the Aether365 dashboard under the azure-subscription-security checks category.
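
The same check can be reproduced by hand against the tenant-level subscription policy exposed by Azure Resource Manager. The following is an added example, not Aether365's own code: it evaluates a constructed sample of the `Microsoft.Subscription/policies/default` response, and it assumes that the portal value "Permit no one" corresponds to the `blockSubscriptionsLeavingTenant` and `blockSubscriptionsIntoTenant` properties being `true`. It goes slightly beyond the two settings by also listing exempted principals, since they are not subject to the block.

```python
import json

# Constructed sample of the JSON returned by
#   GET https://management.azure.com/providers/Microsoft.Subscription/policies/default?api-version=2021-10-01
# (values are made up for illustration).
SAMPLE_POLICY = json.loads("""
{
  "name": "default",
  "properties": {
    "blockSubscriptionsLeavingTenant": true,
    "blockSubscriptionsIntoTenant": false,
    "exemptedPrincipals": ["00000000-0000-0000-0000-000000000001"]
  }
}
""")

# Assumed mapping: portal label -> API property; True corresponds to "Permit no one".
SETTINGS = {
    "Subscription leaving Microsoft Entra tenant": "blockSubscriptionsLeavingTenant",
    "Subscription entering Microsoft Entra tenant": "blockSubscriptionsIntoTenant",
}


def evaluate_policy(policy):
    """Return (passed, findings) for a tenant subscription policy document."""
    props = (policy or {}).get("properties") or {}
    findings = []
    for label, key in SETTINGS.items():
        # A missing key means the policy was never configured; treat it as not blocked.
        if props.get(key) is not True:
            findings.append(
                f"FAIL: '{label}' is not set to 'Permit no one' ({key}={props.get(key)!r})"
            )
    passed = not findings
    # Exempted principals bypass the block, so list them for review either way.
    for principal in props.get("exemptedPrincipals") or []:
        findings.append(f"REVIEW: exempted principal {principal} can still move subscriptions")
    return passed, findings


if __name__ == "__main__":
    ok, notes = evaluate_policy(SAMPLE_POLICY)
    print("PASS" if ok else "FAIL")
    for note in notes:
        print(" ", note)
```
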

Microsoft references
