5.1.2.2 Ensure third party integrated applications are not allowed

Information

App registration allows users to register custom-developed applications for use within the directory.

Rationale:

Connections from third-party integrated applications to your services should be disabled unless there is a very clear value and robust security controls are in place. While there are legitimate uses, attackers can use a breached account to grant a third-party application access to your tenancy and then exfiltrate data through that application, without having to maintain access to the breached account.

Impact:

Implementation of this change will impact both end users and administrators. End users will not be able to integrate third-party applications that they may wish to use. Administrators are likely to receive requests from end users to grant them permission to necessary third-party applications.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/.

Click to expand Identity > Users and select User settings.

Set Users can register applications to No.

Click Save.

To remediate using PowerShell:

Connect to Microsoft Graph using Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

Run the following commands:

# AllowedToCreateApps must be a PowerShell boolean; the quoted string '$false' would be sent as text, not as false.
$param = @{ AllowedToCreateApps = $false }
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param
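Because this check is not performed by the scanner, the following added audit helper (not part of the CIS benchmark or the Tenable audit) reads the tenant's default user role permissions, reports the current state of the setting, and optionally applies the remediation above and re-reads the policy to confirm it. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the Policy.Read.All scope (audit) or Policy.ReadWrite.Authorization scope (remediation).

```powershell
# Added audit/remediation helper; not from the CIS benchmark or the Tenable plugin.
# Assumes Microsoft.Graph is installed and the account can consent to the scopes below.

function Test-AppRegistrationDisabled {
    [CmdletBinding()]
    param([switch]$Remediate)

    # Request only the scope the requested action needs.
    $scope = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
    Connect-MgGraph -Scopes $scope | Out-Null

    $policy  = Get-MgPolicyAuthorizationPolicy
    $allowed = $policy.DefaultUserRolePermissions.AllowedToCreateApps

    if ($allowed -eq $false) {
        Write-Host 'PASS: Users can register applications = No'
        return $true
    }

    Write-Warning 'FAIL: Users can register applications = Yes (tenant default)'
    if (-not $Remediate) { return $false }

    # Pass a real boolean; a quoted '$false' would be sent to Graph as a string.
    $param = @{ AllowedToCreateApps = $false }
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param

    # Re-read the policy so the result reflects what the tenant now enforces.
    $after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateApps
    return ($after -eq $false)
}

# Audit only; add -Remediate to apply the benchmark setting.
Test-AppRegistrationDisabled
```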

Default Value:

Yes (Users can register applications.)

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(5), 800-53|CM-10, CSCv7|18.4

Plugin: microsoft_azure

Control ID: e03e7c2265cdda15b5a15bbb3d8c0219be33d797b1c3f09d0b670de48cbcb73c