Ensure that the "Users can register applications" setting is disabled in your Microsoft Entra ID user settings, so that only Microsoft Entra ID administrators can register applications, and only after each application has been reviewed and evaluated from a security standpoint.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
To adhere to cloud security best practices, it is strongly recommended to allow only users holding an administrator role to register custom-developed applications in Microsoft Entra ID. This ensures that each application goes through a security review before it is granted access to Microsoft Entra ID data (directory objects, user profiles and tokens issued on behalf of your users).
Audit
To determine if all Microsoft Entra ID users are allowed to register third-party applications, perform the following actions:
Note: When this rule was written, reading the "Users can register applications" setting through the Microsoft Graph API or the Azure CLI was not supported. The setting is now exposed in Microsoft Graph v1.0 as the allowedToCreateApps property of defaultUserRolePermissions on the tenant authorization policy (GET /policies/authorizationPolicy), which can be queried with "az rest" or the Microsoft Graph PowerShell module.

Remediation / Resolution
By setting "Users can register applications" to "No", administrators can review custom-developed applications before these are registered and used within your Microsoft Entra ID tenant. To disable the setting, perform the following actions:
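The same audit and remediation can be scripted against the tenant's authorization policy in Microsoft Graph, which exposes this setting as defaultUserRolePermissions.allowedToCreateApps. The script below is an added example and is not part of the Conformity rule or of Microsoft's tooling. It assumes the Azure CLI is installed and signed in (az login) with an account that can read the authorization policy and, for --fix, update it (Policy.ReadWrite.Authorization); the SAMPLE_POLICY response embedded in it is constructed for the example, not captured from a tenant.

```python
"""Audit and remediate the Microsoft Entra ID "Users can register applications" setting.

Added example, not Conformity or Microsoft code. Assumptions: the setting is read from
GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy as
defaultUserRolePermissions.allowedToCreateApps and changed with a PATCH to the same
resource; Graph calls go through `az rest`, which reuses the signed-in Azure CLI token.
"""
import json
import subprocess
import sys

GRAPH_URL = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Constructed sample of a Graph response for a tenant that still has the insecure
# default (any member user may register applications). Not captured from a real tenant.
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateSecurityGroups": True,
        "allowedToReadOtherUsers": True,
    },
}


def evaluate(policy):
    """Return a finding dict for the 'Users can register applications' control.

    PASS  -> allowedToCreateApps is false (setting is "No")
    FAIL  -> allowedToCreateApps is true (setting is "Yes")
    UNKNOWN -> property missing; never treat an absent value as compliant
    """
    perms = policy.get("defaultUserRolePermissions") or {}
    allowed = perms.get("allowedToCreateApps")
    if allowed is None:
        return {
            "status": "UNKNOWN",
            "allowedToCreateApps": None,
            "reason": "defaultUserRolePermissions.allowedToCreateApps not present in response",
        }
    return {
        "status": "FAIL" if allowed else "PASS",
        "allowedToCreateApps": bool(allowed),
        "reason": "any member user can register applications"
        if allowed
        else "only administrators (or Application Developer role holders) can register applications",
    }


def remediation_body():
    """PATCH body that sets 'Users can register applications' to No.

    Only the property being changed is sent; Graph merges the PATCH into the policy.
    """
    return {"defaultUserRolePermissions": {"allowedToCreateApps": False}}


def az_rest(method, url, body=None):
    """Call Microsoft Graph via `az rest`. PATCH returns 204 with an empty body."""
    cmd = ["az", "rest", "--method", method, "--url", url]
    if body is not None:
        cmd += ["--headers", "Content-Type=application/json", "--body", json.dumps(body)]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def main(argv):
    # --sample evaluates the constructed response offline; --fix remediates a FAIL.
    policy = SAMPLE_POLICY if "--sample" in argv else az_rest("GET", GRAPH_URL)
    finding = evaluate(policy)
    print(json.dumps(finding, indent=2))
    if finding["status"] == "FAIL" and "--fix" in argv and "--sample" not in argv:
        az_rest("PATCH", GRAPH_URL, remediation_body())
        # Re-read the policy rather than trusting the PATCH alone.
        after = evaluate(az_rest("GET", GRAPH_URL))
        print("after remediation:", after["status"])
        return 0 if after["status"] == "PASS" else 1
    return 0 if finding["status"] == "PASS" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with --sample to evaluate the constructed response without touching a tenant, with no arguments to audit the signed-in tenant, and with --fix to set the property to false and confirm the change by reading the policy back. Setting the toggle to "No" does not restrict every non-administrator: members of the Application Developer built-in role can still create application registrations regardless of this setting, so review that role's assignments as part of the same check.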
Note: When this rule was written, changing this setting through the Microsoft Graph API or the Azure CLI was not supported. It can now be changed by updating defaultUserRolePermissions.allowedToCreateApps on the tenant authorization policy (PATCH /policies/authorizationPolicy in Microsoft Graph v1.0, requiring the Policy.ReadWrite.Authorization permission).

References
- Azure Official Documentation
- Microsoft Entra built-in roles
- CIS Microsoft Azure Foundations