Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-microsoft365-compliance
Overview
6Dashboards
126Benchmarks
36Queries
2Variables
GitHub

Control: 2.1 Ensure third party integrated applications are not allowed

Description

Do not allow third party integrated applications to connect to your services.

You should not allow third party integrated applications to connect to your services unless there is a very clear value and you have robust security controls in place. While there are legitimate uses, attackers can grant access from breached accounts to third party applications to exfiltrate data from your tenancy without having to maintain the breached account.

Remediation

To prohibit third party integrated applications, use the Microsoft 365 Admin Center:

  1. Select Admin Centers and Azure Active Directory.
  2. Select Users from the Azure navigation pane.
  3. Select Users settings.
  4. Set App registrations is set to No.
  5. Click Save.

Default Value: Yes

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v150_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_2_1 --share

SQL

This control uses a named query:

select
  tenant_id || '/' || id as resource,
  case
    when not (default_user_role_permissions -> 'allowedToCreateApps')::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when not (default_user_role_permissions -> 'allowedToCreateApps')::bool then tenant_id || ' has third party integrated applications not allowed.'
    else tenant_id || ' has third party integrated applications allowed.'
  end as reason
  , tenant_id as tenant_id
from
  azuread_authorization_policy;

Tags

category = Compliance
cis = true
cis_item_id = 2.1
cis_level = 2
cis_section_id = 2
cis_type = manual
cis_version = v1.5.0
microsoft_365_license = E3
plugin = microsoft365
service = Azure/ActiveDirectory