
Restrict Application Registration for Non-Privileged Users

Risk level: High (should be achieved)
Rule ID: ActiveDirectory-011

Ensure that the "Users can register applications" feature is disabled in your Azure Active Directory (AD) settings so that only AD administrators can register third-party applications, and only after those applications have been reviewed and evaluated from a security standpoint.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

To adhere to cloud security best practices, it is strongly recommended to allow only users with administrator roles to register custom-developed applications in Azure Active Directory. This ensures that each application goes through a rigorous security review before it is granted access to Active Directory data.

Audit

To determine if all Active Directory (AD) users are allowed to register third-party applications, perform the following actions:

Note: Getting "Users can register applications" AD setting status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user configuration settings.

05 On the User settings configuration page, under App registrations, check the value of the Users can register applications setting. If the setting is set to Yes, all Active Directory users are allowed to register third-party applications, therefore the Azure AD user configuration is not secure.

06 Repeat steps no. 3 – 5 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

By setting "Users can register applications" to "No", Azure administrators can review custom-developed applications before they are registered and used within your Active Directory tenant. To disable the setting, perform the following actions:

Note: Restricting AD users' ability to register applications using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Azure Active Directory user settings.

05 On the User settings configuration page, under App registrations, select No next to Users can register applications setting to disable Active Directory users' ability to register third-party applications inside the current directory.

06 Click Save to apply the configuration changes. If the request is successful, the following message should be displayed: "Successfully updated user settings". Once the changes are saved, only Azure users with an administrator role can register custom-developed applications.

07 Repeat steps no. 3 – 6 for each Active Directory (AD) that you want to reconfigure to restrict users' ability to register third-party applications.
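The notes above reflect the page's publication date; the Microsoft Graph authorizationPolicy resource now exposes this toggle as defaultUserRolePermissions.allowedToCreateApps. The following is an added example, not Cloud Conformity's code, that evaluates rule ActiveDirectory-011 against that document and builds the PATCH body an administrator would send to set the toggle to No. The fetch helper assumes an access token with Policy.Read.All; the sample policy document is constructed, not from a real tenant.

```python
import json
import urllib.request

GRAPH_AUTHZ_POLICY_URL = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"


def fetch_authorization_policy(access_token: str) -> dict:
    """Read the tenant authorization policy from Microsoft Graph.

    Needs a token with Policy.Read.All. Not used by the offline checks below.
    """
    req = urllib.request.Request(
        GRAPH_AUTHZ_POLICY_URL,
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_app_registration(policy: dict) -> dict:
    """Evaluate ActiveDirectory-011 against an authorizationPolicy document.

    allowedToCreateApps is the API form of the portal's "Users can register
    applications" toggle: True means any member user can register apps (FAIL).
    A missing key is also reported as FAIL so a truncated response cannot pass.
    """
    allowed = policy.get("defaultUserRolePermissions", {}).get("allowedToCreateApps")
    compliant = allowed is False
    return {
        "rule": "ActiveDirectory-011",
        "setting": "Users can register applications",
        "value": allowed,
        "compliant": compliant,
        "status": "PASS" if compliant else "FAIL",
    }


def remediation_patch_body() -> dict:
    """PATCH body that sets the toggle to No (needs Policy.ReadWrite.Authorization)."""
    return {"defaultUserRolePermissions": {"allowedToCreateApps": False}}


# Constructed sample response (not from a real tenant) showing the insecure default.
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {"allowedToCreateApps": True, "allowedToReadOtherUsers": True},
}

if __name__ == "__main__":
    print(json.dumps(audit_app_registration(SAMPLE_POLICY), indent=2))
```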

Publication date Aug 30, 2019
