Guides

Ensure That 'Users Can Register Applications' Is Set to 'No'

Require administrators or appropriately delegated users to register third-party applications.

Suggest Edits

Risk Level: High
Cloud Entity: AD Authorization Policy
CloudGuard Rule ID: D9.AZU.IAM.39
Covered by Spectral: No
Category: Active Directory

GSL LOGIC

ADAuthorizationPolicy should not have defaultUserRolePermissions.allowedToCreateApps=true

REMEDIATION

From Portal

  1. From Azure Home select the Portal Menu.
  2. Select Azure Active Directory.
  3. Then Users.
  4. Select User settings, set 'Users can register applications' to No.

Note: Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.

References

  1. https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles#restrict-who-can-create-applications
  2. https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance
  3. https://workbench.cisecurity.org/sections/722878/recommendations/1182634

AD Authorization Policy

Represents a policy that can control Azure Active Directory authorization settings.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset

Updated over 1 year ago