Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Users Can Register Applications

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ActiveDirectory-011

Ensure that "Users can register applications" feature is disabled within your Microsoft Entra ID settings so that only Microsoft Entra ID administrators can register third-party applications after these are reviewed and evaluated from the security standpoint.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

To adhere to cloud security best practices, it is strongly recommended to allow only users with administrator roles to register custom-developed applications using Microsoft Entra ID. This ensures that each application goes through a rigorous security review before exposing Microsoft Entra ID data to it.

Audit

To determine if all Microsoft Entra ID users are allowed to register third-party applications, perform the following actions:

Note: Getting "Users can register applications" Microsoft Entra ID setting status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user configuration settings.

05 On the User settings configuration page, under App registrations, check the Users can register applications setting configuration. If the verified setting is set to Yes, the Microsoft Entra ID users are allowed to register third-party applications, therefore the Microsoft Entra ID user configuration is not secure.

06 Repeat steps no. 3 – 5 for each Microsoft Entra ID that you want to examine.

Remediation / Resolution

By setting "Users can register applications" to "No", the Azure administrators can review the custom-developed applications before these are registered and used within your Microsoft Entra ID account. To disable the required setting, perform the following actions:

Note: Restricting Microsoft Entra ID users' ability to register applications using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user configuration settings.

05 On the User settings configuration page, under App registrations, select No next to Users can register applications setting to disable Microsoft Entra ID users' ability to register third-party applications inside the current directory.

06 Click Save to apply the configuration changes. If the request is successful, the following message should be displayed: "Successfully updated user settings". Once the changes are saved, only Azure users with an administrator role can register custom-developed applications.

07 Repeat steps no. 3 – 6 for each Microsoft Entra ID that you want to reconfigure to restrict users' ability to register third-party applications.

References

Publication date Aug 30, 2019

Related ActiveDirectory rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Users Can Register Applications

Risk Level: Medium