Control: 1.14 Ensure That 'Users Can Register Applications' Is Set to 'No'
Description
Require administrators or appropriately delegated users to register third-party applications.
It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Azure Active Directory data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Azure Active Directory. - Select
Users. - Select
User settings. - Set
Users can register applicationstoNo.
From Powershell
Connect-MsolServiceSet-MsolCompanyInformation -UsersPermissionToCreateLOBAppsEnabled $False
Default Value
By default, Users can register applications is set to "Yes".
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_1_14Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v200_1_14 --shareSQL
This control uses a named query:
with distinct_tenant as ( select distinct tenant_id, subscription_id, _ctx from azure_tenant)select a.id as resource, case when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then 'ok' else 'alarm' end as status, case when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then a.display_name || ' does not allow user to register applications.' else a.display_name || ' allows user to register applications.' end as reason, t.tenant_id from distinct_tenant as t, azuread_authorization_policy as a;