v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/microsoft365_compliance
Overview
4Dashboards
80Controls
21Queries
2Variables
GitHub

Control: 2.2 Ensure third party integrated applications are not allowed

Description

App registrations allows users to register custom-developed applications for use within the directory.

Third party integrated applications connection to services should be disabled, unless there is a very clear value and robust security controls are in place. While there are legitimate uses, attackers can grant access from breached accounts to third party applications to exfiltrate data from your tenancy without having to maintain the breached account.

Remediation

To prohibit third party integrated applications:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Azure Active Directory > Users select Users settings.
  3. Select App registrations setting highlighted to No.
  4. Click Save.

Default Value: Yes (Users can register applications.)

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v200_2_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v200_2_2 --share

SQL

This control uses a named query:

azuread_third_party_application_not_allowed

Tags

category = Compliance
cis = true
cis_item_id = 2.2
cis_level = 2
cis_section_id = 2
cis_type = manual
cis_version = v1.4.0
microsoft_365_license = E3
plugin = microsoft365
service = Azure/ActiveDirectory