Control: 2.14 Ensure That 'Users Can Register Applications' Is Set to 'No'
Description
Require administrators or appropriately delegated users to register third-party applications.
It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process before it is exposed to Microsoft Entra ID data. Certain users, such as developers or other high-request users, may also be delegated this permission so that they do not have to wait on an administrative user. Your organization should review its policies and decide what it needs.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Entra ID.
- Under Manage, select Users.
- Under Manage, select User settings.
- Set Users can register applications to No.
- Click Save.
From PowerShell
# Requires the Microsoft Graph PowerShell SDK; AllowedToCreateApps must be a real boolean (the quoted "$false" sends the string "False").
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
$param = @{ AllowedToCreateApps = $false }
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param
Default Value
By default, "Users can register applications" is set to "Yes".
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v300_2_14
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v300_2_14 --share
SQL
This control uses a named query:
with distinct_tenant as (
  select distinct tenant_id, subscription_id, _ctx
  from azure_tenant
)
select
  a.id as resource,
  case
    when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then 'ok'
    else 'alarm'
  end as status,
  case
    when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then a.display_name || ' does not allow user to register applications.'
    else a.display_name || ' allows user to register applications.'
  end as reason,
  t.tenant_id
from
  distinct_tenant as t,
  azuread_authorization_policy as a;
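An added audit-and-remediate script for this control (not from the Powerpipe hub page or the CIS benchmark): it reads the same Graph property the query above inspects, reports the same ok/alarm status and reason, and applies the PowerShell remediation only when -Remediate is given. It assumes the Microsoft Graph PowerShell SDK is installed and that the caller can consent to the scopes shown.

```powershell
# Audit (and optionally remediate) CIS 2.14 via the tenant-wide authorizationPolicy.
# Assumptions: Microsoft.Graph SDK installed; caller can consent to the scopes below.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate
)

# Policy.Read.All is enough to audit; the write scope is requested only when remediating.
$scopes = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scopes

# authorizationPolicy is a tenant singleton; allowedToCreateApps is a boolean in Graph.
$policy  = Get-MgPolicyAuthorizationPolicy
$allowed = $policy.DefaultUserRolePermissions.AllowedToCreateApps

# Mirror the control's output. Anything other than an explicit $false (including a
# missing value) is treated as non-compliant, exactly as the SQL's '= false' test does.
if ($allowed -eq $false) {
    $status = 'ok'
    $reason = "$($policy.DisplayName) does not allow users to register applications."
} else {
    $status = 'alarm'
    $reason = "$($policy.DisplayName) allows users to register applications."
}

[pscustomobject]@{
    Status              = $status
    Reason              = $reason
    AllowedToCreateApps = $allowed
}

if ($status -eq 'alarm' -and $Remediate -and
    $PSCmdlet.ShouldProcess('authorizationPolicy', 'Set AllowedToCreateApps to false')) {
    # Pass a real boolean; the quoted form "$false" would send the string "False".
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateApps = $false }
    # Re-read the policy so the change is confirmed from the tenant, not assumed.
    (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateApps
}
```

Run it without switches for a read-only audit; add -Remediate -WhatIf to see the change that would be made before applying it.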