Control: 5.1.2.2 Ensure third party integrated applications are not allowed
Description
App registration allows users to register custom-developed applications for use within the directory.
Connections from third-party integrated applications to services should be disabled unless there is a very clear value and robust security controls are in place. While there are legitimate uses, attackers can grant access from breached accounts to third-party applications and exfiltrate data from your tenancy without having to maintain access to the breached account.
Remediation
To remediate using the UI:
- Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
- Click to expand Identity > Users, then select User settings.
- Set Users can register applications to No.
- Click Save.
To remediate using PowerShell:
- Connect to Microsoft Graph using Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
- Run the following commands (AllowedToCreateApps is a boolean, so pass the PowerShell $false value rather than the quoted string "$false"):
$param = @{ AllowedToCreateApps = $false }
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param
Default Value
Yes (Users can register applications.)
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v500_5_1_2_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_5_1_2_2 --share
SQL
This control uses a named query:
select
  tenant_id || '/' || id as resource,
  case
    when not (default_user_role_permissions -> 'allowedToCreateApps')::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when not (default_user_role_permissions -> 'allowedToCreateApps')::bool then tenant_id || ' has third party integrated applications not allowed.'
    else tenant_id || ' has third party integrated applications allowed.'
  end as reason,
  tenant_id as tenant_id
from
  azuread_authorization_policy;
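As an added illustration (not part of the Powerpipe mod or the original page), the following Python reproduces the query's decision logic over constructed Microsoft Graph authorizationPolicy responses, including a tenant where the property is absent, which the SQL also reports as alarm because casting a missing JSON value yields null. The tenant ids and the "authorizationPolicy" id value are constructed sample data.

```python
import json

# Constructed sample /policies/authorizationPolicy responses (not real tenant data):
# tenant 1 has app registration disabled, tenant 2 keeps the default,
# tenant 3 omits the property entirely.
SAMPLE_POLICIES = [
    {"tenant_id": "aaaaaaaa-0000-0000-0000-000000000001", "id": "authorizationPolicy",
     "defaultUserRolePermissions": {"allowedToCreateApps": False}},
    {"tenant_id": "bbbbbbbb-0000-0000-0000-000000000002", "id": "authorizationPolicy",
     "defaultUserRolePermissions": {"allowedToCreateApps": True}},
    {"tenant_id": "cccccccc-0000-0000-0000-000000000003", "id": "authorizationPolicy",
     "defaultUserRolePermissions": {}},
]


def evaluate_control(policy: dict) -> dict:
    """Mirror the control's SQL for one authorization policy row.

    Status is 'ok' only when allowedToCreateApps is exactly false. A missing
    property falls into the alarm branch, matching the SQL, where
    `not NULL` is NULL and the CASE drops through to 'alarm'.
    """
    perms = policy.get("defaultUserRolePermissions") or {}
    allowed = perms.get("allowedToCreateApps")
    tenant = policy["tenant_id"]
    if allowed is False:
        status = "ok"
        reason = f"{tenant} has third party integrated applications not allowed."
    else:
        status = "alarm"
        reason = f"{tenant} has third party integrated applications allowed."
    return {"resource": f"{tenant}/{policy['id']}", "status": status,
            "reason": reason, "tenant_id": tenant}


def evaluate_all(policies: list) -> list:
    """Evaluate every tenant's policy, one result row per tenant."""
    return [evaluate_control(p) for p in policies]


if __name__ == "__main__":
    for row in evaluate_all(SAMPLE_POLICIES):
        print(json.dumps(row))
```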