Ensure That 'Users Can Register Applications' Is Set to 'No'

Require administrators or appropriately delegated users to register third-party applications.

Risk Level: High
Cloud Entity: AD Authorization Policy
CloudGuard Rule ID: D9.AZU.IAM.39
Covered by Spectral: No
Category: Active Directory


ADAuthorizationPolicy should not have defaultUserRolePermissions.allowedToCreateApps=true


From Portal

  1. From Azure Home select the Portal Menu.
  2. Select Azure Active Directory.
  3. Then Users.
  4. Select User settings, set 'Users can register applications' to No.

Note: Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.


  1. https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles#restrict-who-can-create-applications
  2. https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance
  3. https://workbench.cisecurity.org/sections/722878/recommendations/1182634

AD Authorization Policy

Represents a policy that can control Azure Active Directory authorization settings.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset