Control: Ensure that 'Users Can Register Applications' is set to 'No'
Description
Require administrators or appropriately delegated users to register third-party applications.
Usage
Run the control in your terminal:

powerpipe control run azure_compliance.control.iam_user_not_allowed_to_register_application

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.iam_user_not_allowed_to_register_application --share
SQL
This control uses a named query:

with distinct_tenant as (
  select distinct tenant_id, subscription_id, _ctx
  from azure_tenant
)
select
  a.id as resource,
  case
    when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then 'ok'
    else 'alarm'
  end as status,
  case
    when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then a.display_name || ' does not allow user to register applications.'
    else a.display_name || ' allows user to register applications.'
  end as reason,
  t.tenant_id
from
  distinct_tenant as t,
  azuread_authorization_policy as a;
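As an added illustration (not code from the Azure Compliance mod), the following Python mirrors the query's CASE evaluation over constructed sample rows shaped like azuread_authorization_policy, including the edge case the query handles implicitly: when allowedToCreateApps is absent from the JSON or the column is NULL, the comparison `->> 'allowedToCreateApps' = 'false'` is not true, so the row falls into the else branch and is reported as 'alarm'. All row ids, tenant names and permission documents are made up.

```python
import json

# Constructed sample rows shaped like the azuread_authorization_policy table:
# id, display_name and default_user_role_permissions (JSON text or NULL).
# These are made-up values for illustration, not real tenant data.
SAMPLE_ROWS = [
    {"id": "policy-a", "display_name": "Tenant A",
     "default_user_role_permissions": '{"allowedToCreateApps": false}'},
    {"id": "policy-b", "display_name": "Tenant B",
     "default_user_role_permissions": '{"allowedToCreateApps": true}'},
    {"id": "policy-c", "display_name": "Tenant C",
     "default_user_role_permissions": '{"allowedToCreateSecurityGroups": true}'},
    {"id": "policy-d", "display_name": "Tenant D",
     "default_user_role_permissions": None},
]


def json_text_field(doc, key):
    """Mimic PostgreSQL's ->> operator: return the field as text, or None
    (SQL NULL) when the document or the key is missing."""
    if doc is None:
        return None
    value = json.loads(doc).get(key)
    if value is None:
        return None
    if isinstance(value, bool):
        return "true" if value else "false"   # JSON booleans render as text
    return str(value)


def evaluate_row(row):
    """Apply the control's CASE logic to one row. Only the exact text 'false'
    yields 'ok'; 'true', a missing key or a NULL column all fall through the
    ELSE branch to 'alarm', because NULL = 'false' is not true in SQL."""
    allowed = json_text_field(row["default_user_role_permissions"], "allowedToCreateApps")
    if allowed == "false":
        status = "ok"
        reason = f"{row['display_name']} does not allow user to register applications."
    else:
        status = "alarm"
        reason = f"{row['display_name']} allows user to register applications."
    return {"resource": row["id"], "status": status, "reason": reason}


def evaluate_all(rows=SAMPLE_ROWS):
    return [evaluate_row(r) for r in rows]


if __name__ == "__main__":
    for result in evaluate_all():
        print(result["status"], result["reason"])
```

Note that for the last two rows the reason text says the tenant "allows" registration even though the value was simply not present; if that distinction matters in your reports, the query's else branch is where you would separate a missing value from an explicit true.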