Ensure that "Users can register applications" feature is disabled within your Azure Active Directory (AD) settings so that only AD administrators can register third-party applications after these are reviewed and evaluated from the security standpoint.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
To adhere to cloud security best practices, it is strongly recommended to allow only users with administrator roles to register custom-developed applications using Azure Active Directory. This ensures that each application goes through a rigorous security review before exposing Active Directory data to it.
Audit
To determine if all Active Directory (AD) users are allowed to register third-party applications, perform the following actions:
Note: Getting the "Users can register applications" AD setting status using Microsoft Graph API or Azure CLI is not currently supported.

Remediation / Resolution
By setting "Users can register applications" to "No", the Azure administrators can review the custom-developed applications before these are registered and used within your Active Directory account. To disable the required setting, perform the following actions:
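The page notes that, at the time it was written, the setting could not be read or changed through Microsoft Graph or the Azure CLI, so the audit and remediation above are portal steps. As an added example that is not part of the original page or the Cloud Conformity tool, the script below assumes the Microsoft Graph `authorizationPolicy` resource, whose `defaultUserRolePermissions.allowedToCreateApps` flag newer Graph versions expose for this tenant setting, and evaluates a captured policy document offline. The sample policy is constructed; the `az rest` commands in the comments are the calls you would use against a real tenant, and the permission names are assumptions based on current Graph documentation.

```python
# Added example: offline check of the "Users can register applications" setting
# against a captured Microsoft Graph authorizationPolicy document.
#
# To capture the document from a tenant (requires the Policy.Read.All permission,
# an assumption based on current Graph documentation):
#   az rest --method GET \
#     --url https://graph.microsoft.com/v1.0/policies/authorizationPolicy > policy.json
#
# To apply the remediation body produced below (requires Policy.ReadWrite.Authorization):
#   az rest --method PATCH \
#     --url https://graph.microsoft.com/v1.0/policies/authorizationPolicy \
#     --headers "Content-Type=application/json" --body @patch.json

from typing import Any, Dict

# Constructed sample: a tenant where any user may register applications (non-compliant).
SAMPLE_POLICY: Dict[str, Any] = {
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateSecurityGroups": True,
        "allowedToReadOtherUsers": True,
    },
}

# Constructed sample: the same tenant after the setting has been switched to "No".
COMPLIANT_POLICY: Dict[str, Any] = {
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": False,
        "allowedToCreateSecurityGroups": True,
        "allowedToReadOtherUsers": True,
    },
}


def evaluate(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Return a finding for the rule "Restrict Application Registration for
    Non-Privileged Users". A missing or malformed flag is reported as
    non-compliant, because the check cannot prove the setting is disabled."""
    perms = policy.get("defaultUserRolePermissions") or {}
    flag = perms.get("allowedToCreateApps")
    compliant = flag is False  # only an explicit False passes
    return {
        "rule": "Restrict Application Registration for Non-Privileged Users",
        "risk_level": "High",
        "allowed_to_create_apps": flag,
        "compliant": compliant,
        "detail": (
            "Only administrators can register applications."
            if compliant
            else "Any user can register applications (or the setting could not be read)."
        ),
    }


def remediation_patch_body() -> Dict[str, Any]:
    """Body for the PATCH that sets "Users can register applications" to No.
    Only the one flag is sent so that the other default user permissions
    are left unchanged."""
    return {"defaultUserRolePermissions": {"allowedToCreateApps": False}}


if __name__ == "__main__":
    import json

    for name, policy in (("before", SAMPLE_POLICY), ("after", COMPLIANT_POLICY)):
        print(name, json.dumps(evaluate(policy), indent=2))
    print("patch body:", json.dumps(remediation_patch_body()))
```

Running the script prints a non-compliant finding for the constructed tenant, a compliant one for the remediated copy, and the minimal PATCH body; the check deliberately treats an absent flag as a failure rather than a pass, so a truncated or partial capture cannot silently look compliant.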
Note: Restricting AD users' ability to register applications using Microsoft Graph API or Azure CLI is not currently supported.

References
- Azure Official Documentation
- Administrator role permissions in Azure Active Directory
- CIS Microsoft Azure Foundations
Restrict Application Registration for Non-Privileged Users
Risk level: High