By default, any Entra user can register applications in the tenant and then manage them. While this default offers convenience and is not an immediate security vulnerability in itself, it does carry risk. Open app registration can lead to the use of unsanctioned or high-risk applications ("shadow IT") and gives malicious actors the opportunity to register look-alike applications for phishing purposes. Some organizations also wish to restrict app registration simply to prevent unnecessary sprawl. Furthermore, the user who creates an application is automatically designated as its owner and retains management permissions over it, which may not align with organizational policy.
The relevant setting is labeled "Users can register applications" under "Default user role permissions" in the "User settings" menu.
Many best practices and security baselines recommend restricting who can create applications. This includes configuring proper delegation so that designated administrators are granted the ability to register applications, using any of the documented methods.
Be mindful of the potential added workload on your helpdesk, developers, or Entra administrators, as they will need to handle additional application registration requests once regular users lose their self-service capability. There are also other documented disadvantages to consider with this restriction.
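The following Microsoft Graph PowerShell script is an added example, not part of this page or of any product it describes: it audits the "Users can register applications" setting, inventories existing app registrations with their owners (since owners keep their rights after the change), and optionally turns the setting off. The Graph endpoints and property names are the documented v1.0 ones; the `-Remediate` switch and the report layout are this script's own assumptions, and it requires the Microsoft.Graph.Authentication module.

```powershell
param(
    [switch]$Remediate   # hypothetical switch: also turn the setting off after reporting
)

# Request only read scopes for the audit; the write scope only when remediating.
$scopes = @('Policy.Read.All', 'Application.Read.All')
if ($Remediate) { $scopes += 'Policy.ReadWrite.Authorization' }
Connect-MgGraph -Scopes $scopes

# The portal setting "Users can register applications" is exposed in Graph as the
# defaultUserRolePermissions.allowedToCreateApps property of the authorization policy.
$policyUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'
$policy    = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$allowed   = [bool]$policy.defaultUserRolePermissions.allowedToCreateApps

if ($allowed) {
    Write-Warning 'EXPOSED: every user can register applications (allowedToCreateApps = true).'
} else {
    Write-Host 'OK: application registration is restricted (allowedToCreateApps = false).'
}

# Inventory existing app registrations and their owners: the creator of an app is its
# owner and keeps management rights even after the setting is turned off, so these
# ownerships need reviewing separately. Follows @odata.nextLink to read every page.
$appsUri = 'https://graph.microsoft.com/v1.0/applications?$select=id,displayName&$expand=owners'
$report  = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $appsUri
    foreach ($app in $page.value) {
        # Only user owners have a userPrincipalName; service-principal owners are skipped here.
        $owners = @($app.owners | ForEach-Object { $_.userPrincipalName }) | Where-Object { $_ }
        $report += [pscustomobject]@{
            AppId       = $app.id
            DisplayName = $app.displayName
            OwnerCount  = @($app.owners).Count
            Owners      = ($owners -join '; ')
        }
    }
    $appsUri = $page.'@odata.nextLink'
} while ($appsUri)
$report | Sort-Object OwnerCount -Descending | Format-Table -AutoSize

# Remediation PATCHes the same property; existing apps and their owners are left as they are.
if ($Remediate -and $allowed) {
    $body = @{ defaultUserRolePermissions = @{ allowedToCreateApps = $false } }
    Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $body -ContentType 'application/json'
    Write-Host 'Remediated: allowedToCreateApps is now false. Delegate registration to admins next.'
}
```

Run it without `-Remediate` first so the ownership report can be reviewed before self-service registration is switched off.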
Name: Ability of Standard Accounts to Register Applications
Codename: ABILITY-OF-STANDARD-ACCOUNTS-TO-REGISTER-APPLICATIONS
Severity: Low
Type: Microsoft Entra ID Indicator of Exposure