Wednesday, January 29, 2025

Azure - Blocking new subscriptions (Trial, Pay as you go, etc)

Recently I started building out some Azure infrastructure.  A few months in I noticed a new Azure subscription that I didn't create.  After some digging I found it was a "free trial" that one of the guys was using to learn on.  GREAT, I absolutely loved every part of this... except that it was under the company Azure tenant.

I found more and more that when I looked at various blades I would see references to his resource groups, subscription, billing profile, etc.  I didn't like seeing objects that didn't belong to the company.  And that was for a single "trial".  Now imagine this as we grow and more users do "free trials".

I started looking at options to block new subscriptions by end users and was surprised to find that you can't do it directly!  I found plenty of references to "just use RBAC" or "users can't, you must be an owner", etc.  After more digging, I found that this is partially true, but it doesn't cover the "Pay as you go", "Azure for students" and "Free Trial" options.

These 3 options cannot currently be blocked!

But just because you can't block a subscription from being created doesn't mean you can't control, or rather block, the resources created under it.


That is where DaRaw Techie comes in!  Allow the subscription (because you have to), but block what can be done with it.

Azure Policy to Deny Creation of All Resources – DaRaw Techie

This guy did a great job of coming up with a solution and documenting it.  My goal here is to run through the steps briefly and provide some copy / paste options ;)

  1. Go to Management Groups in Azure
  2. Create a new Management Group under the "Tenant Root Group"
    1. I called mine "Non-Company Resources"
  3. Click on Settings
    1. Change the default management group for new subscriptions to "Non-CompanyResources"
    2. Turn on "require write permissions for creating new management groups"
    3. Click back to "Overview"
  4. Under the Tenant Root Group (click on it under Management Groups)
    1. Expand Governance and click on Policy
    2. Expand Authoring and click on Definitions
    3. Search for "Not allowed"
    4. Duplicate the definition
    5. Change the definition location to your new Management Group
    6. Change the name to "Deny all resources"
    7. Remove everything in the Policy Rule and paste in the following:

       {
         "mode": "All",
         "policyRule": {
           "if": {
             "field": "type",
             "like": "Microsoft.*"
           },
           "then": {
             "effect": "deny"
           }
         },
         "parameters": {}
       }

    8. Create
    9. Now go back to Management Groups and click into the new Management Group.
    10. Expand Governance -> Policy
      1. You'll land on the Compliance tab
      2. Click Assign Policy
      3. Make sure the scope is set to "Non-CompanyResources".  It should default here if you selected it in the Management Group.
      4. For the Policy Definition, search for "Deny All" and select your new definition.
      5. Add
      6. Review and Create, then Create
      7. After a minute and a refresh you should see it assigned.
    11. Now we can move subscriptions to the new Management Group
    12. Testing - logged into the account with the subscription I moved, I tried to create a new Resource Group
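The same build-out as an Azure CLI script, added here as an example; it is not from the original post or from DaRaw Techie's write-up. It assumes the Azure CLI is installed and logged in with rights on the Tenant Root Group, and it uses placeholder names (Non-CompanyResources, deny-all-resources) that you should change. The would_deny function is an offline preview of the rule's "like" match, which is case-insensitive with a single * wildcard: it shows that a resource group (type Microsoft.Resources/subscriptions/resourceGroups) is caught, which is why the resource group test in step 12 fails, and that a type under a non-Microsoft namespace (some partner resource providers publish those; Contoso.Example/widgets here is a made-up one) would not be matched by this rule.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Azure CLI equivalent of the portal
# steps above. Names below are placeholders; override them via the environment.
set -eu

MG_NAME="${MG_NAME:-Non-CompanyResources}"          # management group id (no spaces)
MG_DISPLAY="${MG_DISPLAY:-Non-Company Resources}"   # what the portal shows
POLICY_NAME="${POLICY_NAME:-deny-all-resources}"

# Full ARM id of a management group; used as assignment scope and as a parent reference.
mg_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s\n' "$1"
}

# The policy rule from the post: deny any resource whose type matches Microsoft.*
# (az policy definition create takes only the rule; the mode is a separate flag).
deny_all_rule() {
  cat <<'EOF'
{
  "if": {
    "field": "type",
    "like": "Microsoft.*"
  },
  "then": {
    "effect": "deny"
  }
}
EOF
}

# Offline preview of what the rule matches. Azure Policy's "like" is a
# case-insensitive match with a single * wildcard; shell case patterns are
# case-sensitive, so the type is lower-cased first. Prints "deny" or "allow".
would_deny() {
  lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$lc" in
    microsoft.*) echo deny ;;
    *)           echo allow ;;
  esac
}

# Create the management group, make it the default landing spot for new
# subscriptions, then define and assign the policy at that scope.
apply_deny_all() {
  tenant_id=$(az account show --query tenantId -o tsv)

  # The Tenant Root Group's id is the tenant id, so it can be used as the parent.
  az account management-group create \
    --name "$MG_NAME" --display-name "$MG_DISPLAY" --parent "$tenant_id"

  # Settings step: default management group for new subscriptions, and
  # require write permission to create management groups. Hierarchy settings
  # live on the Tenant Root Group; use "update" instead if they already exist.
  az account management-group hierarchy-settings create \
    --name "$tenant_id" \
    --default-management-group "$(mg_scope "$MG_NAME")" \
    --require-authorization true

  def_id=$(az policy definition create \
    --name "$POLICY_NAME" --display-name "Deny all resources" \
    --mode All --management-group "$MG_NAME" \
    --rules "$(deny_all_rule)" --query id -o tsv)

  az policy assignment create \
    --name "$POLICY_NAME" --policy "$def_id" --scope "$(mg_scope "$MG_NAME")"
}

# Move one subscription under the restricted group (the post's step 11).
move_subscription() {
  az account management-group subscription add --name "$MG_NAME" --subscription "$1"
}

# Usage: ./deny-all.sh apply                       # build the group and policy
#        ./deny-all.sh move <subscription-id>      # move a trial subscription in
#        ./deny-all.sh check Microsoft.Resources/subscriptions/resourceGroups
case "${1:-}" in
  apply) apply_deny_all ;;
  move)  move_subscription "${2:?subscription id required}" ;;
  check) would_deny "${2:?resource type required}" ;;
esac
```

Deny is evaluated on create and update requests, so anything already deployed in a trial subscription before it is moved stays where it is and only shows up as non-compliant on the Compliance tab; clean that up by hand if it matters. The step 12 test from the CLI side is `az group create --name policy-test --location eastus --subscription <id>`, which should come back with a RequestDisallowedByPolicy error once the move has taken effect.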
Preventing subscription creation may not be possible, but we can definitely stop anything beyond that.

I'm all for the team using the free trial for learning and getting certified, but it truly needs to be under its own tenant to keep production clean.
In our case we're looking at creating a minimal "training" or "dev" tenant that they can put these trials under instead, if desired.  Or alternatively, they can make their own.
