Description:

Ensure that the "Users can add gallery apps to their Access Panel" setting is set to "No" within your Azure Active Directory user settings, so that administrators can first evaluate and integrate these applications before users see them on their access panels.


Rationale:

Unless Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside of your cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.


Impact:

This may become an additional type of request that administrators need to fulfill quite often.


Default Value:

By default, Users can add gallery apps to their Access Panel is set to 'No'.


Audit:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to User settings

  4. Click on Manage how end users launch and view their applications

  5. Ensure that Users can add gallery apps to their Access Panel is set to No


Remediation:

Pre-Requisite:

  1. A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.

  2. An account with global administrator privileges.


Implementation:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to User settings

  4. Click on Manage how end users launch and view their applications

  5. Set Users can add gallery apps to their Access Panel to No

Backout Plan:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to User settings

  4. Click on Manage how end users launch and view their applications

  5. Set Users can add gallery apps to their Access Panel to Yes

Note:

Please note that at this point of time, there is no API/CLI mechanism available to programmatically conduct security assessment for this recommendation.

References:

  1. https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/

  2. https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx

  3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy