
Restrict Adding Gallery Apps to Access Panel

Risk level: High (should be achieved)
Rule ID: ActiveDirectory-010

Ensure that the "Users can add gallery apps to their Access Panel" setting is set to "No" within your Azure Active Directory user settings, so that administrators evaluate and integrate these applications first, before users can see them on their Access Panels.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Azure Access Panel is a web-based portal that enables Active Directory (AD) users to view and start cloud-based applications that the AD administrator has granted them access to. When the "Users can add gallery apps to their Access Panel" setting is enabled, Active Directory users can add any application that supports password Single Sign-On (SSO) to their Access Panel without an administrator pre-integrating that application, thus bypassing the evaluation and integration process recommended for each gallery app.

Audit

To determine if AD users are allowed to add cloud applications to the Access Panel, perform the following actions:

Note: Retrieving the status of the "Users can add gallery apps to their Access Panel" setting using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user configuration settings.

05 On the User settings configuration page, under Enterprise applications, click Manage how end users launch and view their applications.

06 On the Enterprise applications page, check the Users can add gallery apps to their Access Panel setting configuration. If the setting is set to Yes, the Active Directory (AD) users are allowed to add applications to their Access Panel, bypassing the Azure administrator evaluation and integration of those applications.

07 Repeat steps no. 3 – 6 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

By setting "Users can add gallery apps to their Access Panel" to "No", Azure administrators can evaluate and provision the cloud-based applications for the Active Directory users, after which the applications appear on the users' Access Panel. To disable the setting, perform the following actions:

Note: Restricting AD users' ability to add gallery applications to their own Access Panel using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user configuration settings.

05 On the User settings configuration page, under Enterprise applications, click Manage how end users launch and view their applications.

06 On the Enterprise applications page, select No next to the Users can add gallery apps to their Access Panel setting to disable Active Directory users' ability to add cloud-based applications to their Azure Access Panel.

07 Click Save to apply the configuration changes. If the request is successful, the following message should be displayed: "Successfully updated user settings". Once the changes are saved, only Azure administrators are allowed to add applications to the users' Access Panel, which gives them better control over the app provisioning process.

08 Repeat steps no. 3 – 7 for each Active Directory (AD) that you want to reconfigure to restrict users' ability to add applications to their Azure Access Panel.

Publication date Aug 30, 2019
