Control: 1.14 Ensure That 'Users Can Register Applications' Is Set to 'No'

Description

Require administrators or appropriately delegated users to register third-party applications.

It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Azure Active Directory data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.

Remediation

From Azure Portal

From Azure Home select the Portal Menu.
Select Azure Active Directory.
Select Users.
Select User settings.
Set Users can register applications to No.

From Powershell

Connect-MsolService
Set-MsolCompanyInformation -UsersPermissionToCreateLOBAppsEnabled $False

Default Value

By default, Users can register applications is set to "Yes".

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v200_1_14

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v200_1_14 --share

SQL

This control uses a named query:

with distinct_tenant as (
  select
    distinct tenant_id,
    subscription_id,
    _ctx
  from
    azure_tenant
)
select
  a.id as resource,
  case
    when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then 'ok'
    else 'alarm'
  end as status,
  case
    when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then a.display_name || ' does not allow user to register applications.'
    else a.display_name || ' allows user to register applications.'
  end as reason,
  t.tenant_id
  
from
  distinct_tenant as t,
  azuread_authorization_policy as a;