{
	"id": "b9810bef-fa1e-4b4d-9c5b-7be33b852bdc",
	"created_at": "2026-04-06T00:09:42.034634Z",
	"updated_at": "2026-04-10T03:21:56.383969Z",
	"deleted_at": null,
	"sha1_hash": "7b33d38f66a1c46c376863c4861736de65cd5695",
	"title": "Manage Azure subscription policies - Microsoft Cost Management",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 428025,
	"plain_text": "Manage Azure subscription policies - Microsoft Cost Management\r\nBy Nicholak-MS\r\nArchived: 2026-04-05 18:56:31 UTC\r\nThis article helps you to configure Azure subscription policies to control the movement of Azure subscriptions\r\nfrom and into directories. The default behavior of these two policies is set to Allow Everyone. Note that the\r\nsetting of Allow Everyone allows all authorized users, including authorized guest users on a subscription to be\r\nable to transfer them. It does not mean all users of a directory.\r\nPrerequisites\r\nOnly directory global administrators with direct role assignment can edit subscription policies. Before\r\nediting subscription policies, the global administrator must Elevate access to manage all Azure\r\nsubscriptions and management groups. Then they can edit subscription policies.\r\nAll other users can only read the current policy setting.\r\nSubscriptions transferred into or out of a directory must remain associated with a Billing Tenant to ensure\r\nbilling occurs correctly.\r\nAvailable subscription policy settings\r\nUse the following policy settings to control the movement of Azure subscriptions from and into directories.\r\nSubscriptions leaving a Microsoft Entra ID directory\r\nThe policy allows or stops users from moving subscriptions out of the current directory. Subscription owners can\r\nchange the directory of an Azure subscription or use transfer features available on the Azure portal and APIs to\r\nanother directory where they're a member. Global administrators can allow or disallow directory users from\r\nchanging the directory or transfer of subscriptions.\r\nSet this policy to Permit no one if you do not want subscriptions to be transferred out of your directory.\r\nThis policy applies to all authorized subscriptions users including authorized guest users of your directory.\r\nSet this policy to Allow Everyone if you want all authorized users including authorized guest users to be\r\nable to transfer subscriptions out of your directory.\r\nSubscriptions entering a Microsoft Entra ID directory\r\nThe policy allows or stops users from other directories, who have access in the current directory, to move\r\nsubscriptions into the current directory. Subscription owners can change the directory of an Azure subscription or\r\ntransfer them to another directory where they're a member. Global administrators can allow or disallow directory\r\nusers from transferring these subscriptions.\r\nhttps://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy\r\nPage 1 of 4\n\nSet this policy to Permit no one if you do not want subscriptions to be transferred into your directory. This\r\npolicy applies to all authorized users, including authorized guest users of your directory.\r\nSet this policy to Allow Everyone if you want all authorized users, including authorized guest users in\r\nyour directory to be able to transfer subscriptions into your directory.\r\nExempted Users\r\nFor governance reasons, global administrators can block all subscription directory moves - in to or out of the\r\ncurrent directory. However they might want to allow specific users to do both operations. For both situations, they\r\ncan configure a list of exempted users that allows these users to bypass all the policy settings that apply to\r\neveryone else.\r\nImportant note\r\nAuthorized users (including guest users) in your directory can create Azure subscriptions in another directory\r\nwhere they have billing permissions and then transfer those subscriptions into your Entra ID directory. If you don't\r\nwant to allow this, you should set one or both of the following policies:\r\nSubscriptions leaving Entra ID directory should be set to Permit no one.\r\nSubscriptions entering Entra ID directory should be set to Permit no one.\r\nSetting subscription policy\r\n1. Sign in to the Azure portal.\r\n2. Navigate to Subscriptions. Manage Policies is shown on the command bar.\r\n3. Select Manage Policies to view details about the current subscription policies set for the directory. A\r\nglobal administrator with elevated permissions can make edits to the settings including adding or removing\r\nhttps://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy\r\nPage 2 of 4\n\nexempted users.\r\n4. Select Save changes at the bottom to save changes. The changes are effective immediately.\r\nRead subscription policy\r\nNon-global administrators can still navigate to the subscription policy area to view the directory's policy settings.\r\nThey can't make any edits. They can't see the list of exempted users for privacy reasons. They can view their\r\nglobal administrators to submit requests for policy changes, as long as the directory settings allow them to.\r\nNext steps\r\nhttps://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy\r\nPage 3 of 4\n\nRead the Cost Management + Billing documentation\r\nSource: https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy\r\nhttps://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy"
	],
	"report_names": [
		"manage-azure-subscription-policy"
	],
	"threat_actors": [],
	"ts_created_at": 1775434182,
	"ts_updated_at": 1775791316,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b33d38f66a1c46c376863c4861736de65cd5695.pdf",
		"text": "https://archive.orkl.eu/7b33d38f66a1c46c376863c4861736de65cd5695.txt",
		"img": "https://archive.orkl.eu/7b33d38f66a1c46c376863c4861736de65cd5695.jpg"
	}
}