Require administrators or appropriately delegated users to register third-party applications.
Risk
Allow only administrators to register custom-developed applications. This ensures that each application undergoes a formal security review and approval process prior to exposing Azure Active Directory data. Certain users, such as developers or other high-request users, may also be delegated permissions so that they do not have to wait on an administrative user. Your organization should review its policies and decide what it needs.
Run this check with Prowler CLI
prowler azure --checks entra_policy_ensure_default_user_cannot_create_apps
Remediation
https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ActiveDirectory/users-can-register-applications.html
1. From Azure Home select the Portal Menu
2. Select Azure Active Directory
3. Select Users
4. Select User settings
5. Ensure that Users can register applications is set to No
Source Code
Resource Type
#microsoft.graph.authorizationPolicy
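
The portal setting above is stored on the authorizationPolicy resource. The following is an added example, not Prowler's source code: it evaluates a Microsoft Graph authorizationPolicy response offline, assuming the portal toggle maps to the Graph property defaultUserRolePermissions.allowedToCreateApps; the sample JSON and the function names are constructed for illustration.

```python
import json

# Constructed sample: a trimmed authorizationPolicy response in collection form.
SAMPLE_RESPONSE = json.loads("""
{
  "value": [
    {"id": "authorizationPolicy",
     "displayName": "Authorization Policy",
     "defaultUserRolePermissions": {"allowedToCreateApps": true,
                                    "allowedToCreateSecurityGroups": false}}
  ]
}
""")


def policies_from(response):
    """Accept a single policy object or a {"value": [...]} collection (hypothetical helper)."""
    if isinstance(response, dict) and isinstance(response.get("value"), list):
        return response["value"]
    return [response]


def evaluate(response):
    """Return one finding per policy; PASS only when allowedToCreateApps is exactly False."""
    findings = []
    for policy in policies_from(response):
        policy = policy or {}
        perms = policy.get("defaultUserRolePermissions") or {}
        allowed = perms.get("allowedToCreateApps")
        if allowed is False:
            status, detail = "PASS", "default users cannot register applications"
        elif allowed is True:
            status, detail = "FAIL", "default users can register applications"
        else:
            # Missing or null value: the restriction is unproven, so fail closed.
            status, detail = "FAIL", "allowedToCreateApps missing; setting not verified"
        findings.append({"policy": policy.get("id", "unknown"),
                         "status": status, "detail": detail})
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_RESPONSE):
        print(f"{finding['status']}: {finding['policy']} - {finding['detail']}")
```

Treating a missing property as a failure keeps a partial or permission-limited Graph response from being reported as compliant.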