Manage Azure subscription policies
This article helps you configure Azure subscription policies for subscription operations to control the movement of Azure subscriptions from and into directories.
Prerequisites
- Only directory global administrators can edit subscription policies. Before editing subscription policies, the global administrator must elevate access to manage all Azure subscriptions and management groups.
- All other users can only read the current policy setting.
Available subscription policy settings
Use the following policy settings to control the movement of Azure subscriptions from and into directories.
Subscriptions leaving a Microsoft Entra ID directory
The policy allows or stops users from moving subscriptions out of the current directory. Subscription owners can change the directory of an Azure subscription to another one where they're a member. This ability poses governance challenges, so global administrators can allow or disallow directory users from changing the directory.
Subscriptions entering a Microsoft Entra ID directory
The policy allows or stops users from other directories, who have access in the current directory, from moving subscriptions into the current directory. Subscription owners can change the directory of an Azure subscription to another one where they're a member. This ability poses governance challenges, so global administrators can allow or disallow directory users from changing the directory.
Exempted Users
For governance reasons, global administrators can block all subscription directory moves, both into and out of the current directory. However, they might want to allow specific users to do either operation. For either situation, they can configure a list of exempted users, which lets those users bypass the policy setting that applies to everyone else.
Setting subscription policy
- Sign in to the Azure portal.
- Navigate to Subscriptions. Manage Policies is shown on the command bar.
- Select Manage Policies to view details about the current subscription policies set for the directory. A global administrator with elevated permissions can edit the settings, including adding or removing exempted users.
- Select Save changes at the bottom to save changes. The changes are effective immediately.
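Because changes take effect immediately and the exempted users list bypasses both blocks, it is worth comparing the saved policy against an approved baseline. The following is an added example, not part of the original article or Microsoft's code: it assumes the policy has been exported as JSON with the property names of the ARM resource `/providers/Microsoft.Subscription/policies/default`, and the baseline and GUIDs are constructed.

```python
import json

# Constructed sample of a tenant subscription policy document. The property
# names are an assumption taken from the ARM resource
# /providers/Microsoft.Subscription/policies/default; the GUIDs are made up.
SAMPLE_POLICY = json.loads("""
{
  "properties": {
    "blockSubscriptionsLeavingTenant": true,
    "blockSubscriptionsIntoTenant": false,
    "exemptedPrincipals": [
      "00000000-0000-0000-0000-0000000000a1",
      "00000000-0000-0000-0000-0000000000b2"
    ]
  }
}
""")

# Hypothetical baseline: both directions blocked, one approved exempted user.
BASELINE = {
    "blockSubscriptionsLeavingTenant": True,
    "blockSubscriptionsIntoTenant": True,
    "approvedExempted": {"00000000-0000-0000-0000-0000000000a1"},
}
FLAGS = ("blockSubscriptionsLeavingTenant", "blockSubscriptionsIntoTenant")


def audit_policy(policy, baseline):
    """Return a list of findings where the policy drifts from the baseline."""
    props = policy.get("properties") or {}
    findings = []
    for key in FLAGS:
        actual = props.get(key)
        # A missing flag is reported rather than assumed to be "blocked".
        if actual is not baseline[key]:
            findings.append(f"{key}: expected {baseline[key]}, found {actual}")
    exempted = {p.lower() for p in props.get("exemptedPrincipals") or []}
    approved = {p.lower() for p in baseline["approvedExempted"]}
    for principal in sorted(exempted - approved):
        findings.append(f"unapproved exempted principal: {principal}")
    for principal in sorted(approved - exempted):
        findings.append(f"approved principal not exempted: {principal}")
    # Exemptions only matter while at least one direction is blocked.
    if exempted and not any(props.get(k) for k in FLAGS):
        findings.append("exempted list set but no direction is blocked")
    return findings


if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY, BASELINE):
        print(line)
```
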
Read subscription policy
Non-global administrators can still navigate to the subscription policy area to view the directory's policy settings. They can't make any edits. They can't see the list of exempted users for privacy reasons. They can view who their global administrators are, so that they can submit requests for policy changes, as long as the directory settings allow them to.