Provide Access Controls and logging for Azure Subscription creation under tenant domain
Currently, any user under the tenant domain can set up a pay-as-you-go Azure subscription. Furthermore, when they set it up, an admin has to add themselves for access to the subscription logging. Finally, adding new subscription logs to Azure Log Integrator requires a new OAuth/SAML dance.
We need a way to enforce access controls so that users can't perform these actions unless they are given the ability to do so.
If we can't get access controls, we need the ability to be notified within our SIEM (using Az Log Integrator) that new subscriptions are being created. Furthermore, new subscriptions should 'just work' with Az Log Integrator and appear automatically for the token it uses, thereby obviating the need for a new SAML dance every time a new subscription becomes available.