1.14 Ensure That 'Users Can Register Applications' Is Set to 'No'

Information

Require administrators or appropriately delegated users to register third-party applications.

Rationale:

It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Azure Active Directory data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.

Impact:

Enforcing this setting will create additional requests for approval that will need to be addressed by an administrator. If permissions are delegated, a user may approve a malevolent third party application, potentially giving it access to your data.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Azure Portal

From Azure Home select the Portal Menu

Select Azure Active Directory

Then Users

Select User settings, set Users can register applications to No

Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.
From PowerShell

Connect-MsolService
Set-MsolCompanyInformation -UsersPermissionToCreateLOBAppsEnabled $False

Default Value:

By default, Users can register applications is set to 'Yes'.

See Also

https://workbench.cisecurity.org/files/4052

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-2(1), 800-53|AC-3, 800-53|CM-7(2), 800-53|CM-8(3), 800-53|CM-10, 800-53|CM-11, CSCv7|2.6

Plugin: microsoft_azure

Control ID: 9a36b12a0725ddd22ce212c87d89d238687ec19e76d83acf72d8fdcaa52627fc