Control: 5.14 Ensure that 'Users can register applications' is set to 'No'
Description
Require administrators or appropriately delegated users to register third-party applications.
It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Microsoft Entra ID data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.
Remediation
Remediate from Azure Portal
- From Azure Home select the Portal Menu
- Select
Microsoft Entra ID. - Under
Manage, selectUsers. - Under
Manage, selectUser settings. - Set
Users can register applicationstoNo. - Click
Save.
Remediate from PowerShell:
$param = @{ AllowedToCreateApps = "$false" }Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param
Default Value
By default, Users can register applications is set to "Yes".
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_5_14Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v500_5_14 --shareSQL
This control uses a named query:
with distinct_tenant as ( select distinct tenant_id, subscription_id, _ctx from azure_tenant)select a.id as resource, case when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then 'ok' else 'alarm' end as status, case when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then a.display_name || ' does not allow user to register applications.' else a.display_name || ' allows user to register applications.' end as reason, t.tenant_id from distinct_tenant as t, azuread_authorization_policy as a;