Limit common users from creating Azure AD directories
In Azure, a user who has been granted service-admin or co-admin on a specified subscription can create an Azure AD directory without notifying others. Even the Enterprise Account doesn't know about this. We think this operation is out of control, which can lead to security problems. For example:
Jason is the Enterprise Account of Company A. He created a directory named A.com, then identified himself as a service-admin, and then created a new common user, Test, in this directory. To let the user Test access Azure services, Jason identified Test as a co-admin on his subscription. The common user Test then logs in to the portal, and he can now create another new Azure AD directory.
Jason thinks that this operation is out of control: he can't know about this operation and also can't see it if the user Test doesn't add Jason to the user list.