turbot/azure_compliance

Query: iam_user_not_allowed_to_create_tenants

Usage

powerpipe query azure_compliance.query.iam_user_not_allowed_to_create_tenants

SQL

with distinct_tenant as (
select
distinct tenant_id,
subscription_id,
_ctx
from
azure_tenant
)
select
a.id as resource,
case
when a.default_user_role_permissions ->> 'allowedToCreateTenants' = 'true' then 'alarm'
else 'ok'
end as status,
case
when a.default_user_role_permissions ->> 'allowedToCreateTenants' = 'true' then a.display_name || ' allows user to create tenants.'
else a.display_name || ' restricts the user to create tenants.'
end as reason,
t.tenant_id
from
distinct_tenant as t,
azuread_authorization_policy as a;

Controls

The query is being used by the following controls: