Manage Azure subscription policies

This article helps you configure Azure subscription policies for subscription operations to control the movement of Azure subscriptions from and into directories.

Prerequisites

Available subscription policy settings

Use the following policy settings to control the movement of Azure subscriptions from and into directories.

Subscriptions leaving AAD directory

The policy allows or stops users from moving subscriptions out of the current directory. Subscription owners can change the directory of an Azure subscription to another one where they're a member. It poses governance challenges, so global administrators can allow or disallow directory users from changing the directory.

Subscriptions entering AAD directory

The policy allows or stops users from other directories, who have access in the current directory, to move subscriptions into the current directory. Subscription owners can change the directory of an Azure subscription to another one where they're a member. It poses governance challenges, so global administrators can allow or disallow directory users from changing the directory.

Exempted Users

For governance reasons, global administrators can block all subscription directory moves - in to our out of the current directory. However they might want to allow specific users to do either operations. For either situation, they can configure a list of exempted users that allows the users to bypass the policy setting that applies to everyone else.

Setting subscription policy

  1. Sign in to the Azure portal.
  2. Navigate to Subscriptions. Manage Policies is shown on the command bar.
    Screenshot showing Manage Polices in Subscriptions.
  3. Select Manage Policies to view details about the current subscription policies set for the directory. A global administrator with elevated permissions can make edits to the settings including adding or removing exempted users.
    Screenshot showing specific policy settings and exempted users.
  4. Select Save changes at the bottom to save changes. The changes are effective immediately.

Read subscription policy

Non-global administrators can still navigate to the subscription policy area to view the directory's policy settings. They can't make any edits. They can't see the list of exempted users for privacy reasons. They can view their global administrators to submit requests for policy changes, as long as the directory settings allow them to.

Screenshot showing the Manage policies in Subscriptions as a reader.

Next steps