Description:
Require administrators to register third-party applications. Ensure that "Users can register applications" is set to No in the Azure Active Directory (AD) User settings, so that only AD administrators can register third-party applications, and only after those applications have been reviewed and evaluated from a security standpoint.
Rationale:
It is recommended that only administrators register custom-developed or third-party applications. A registered application can request permissions to directory data on behalf of users, so restricting registration to administrators ensures that each application undergoes a security review before Active Directory data is exposed to it.
Impact:
Users who need an application registered must ask an administrator to do it, which can generate a steady stream of additional requests that administrators need to review and fulfil.
Default Value:
By default, Users can register applications is set to Yes.
Audit:
Go to Azure Active Directory
Go to Users
Go to User Settings
Check that Users can register applications is set to No. (This setting defaults to Yes, so a tenant in which it has never been changed will fail this check.)
Using PowerShell
Connect-MsolService
Get-MsolCompanyInformation | Select-Object UsersPermissionToCreateLOBAppsEnabled
The command should return UsersPermissionToCreateLOBAppsEnabled with a value of False. (The MSOnline module must be installed before Connect-MsolService is available.)
Remediation:
Pre-Requisite:
A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.
An account with global administrator privileges.
Implementation Steps:
Go to Azure Active Directory
Go to Users
Go to User settings
Set Users can register applications to No
Backout Plan:
Go to Azure Active Directory
Go to Users
Go to User settings
Set Users can register applications back to Yes to revert the change
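The audit, remediation and backout steps above can be performed from PowerShell against the Microsoft Graph authorizationPolicy resource, whose defaultUserRolePermissions.allowedToCreateApps property is the setting behind the portal toggle. The following script is an added example, not part of the original benchmark text; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the Global Administrator role listed in the pre-requisites. The function names and the Audit/Remediate/Backout actions are this example's own.

```powershell
# Added example: audit, remediate and roll back "Users can register applications"
# via the Microsoft Graph authorizationPolicy singleton.
# Assumptions: Microsoft.Graph module installed; account may read/update the
# authorization policy (Global Administrator). Not part of the original text.
param(
    [ValidateSet('Audit', 'Remediate', 'Backout')]
    [string]$Action = 'Audit'
)

$PolicyUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

function Get-AppRegistrationSetting {
    # allowedToCreateApps mirrors the portal setting:
    # $true  -> "Users can register applications" = Yes (fails the check)
    # $false -> "Users can register applications" = No  (passes the check)
    $policy = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
    return [bool]$policy.defaultUserRolePermissions.allowedToCreateApps
}

function Set-AppRegistrationSetting {
    param([Parameter(Mandatory)][bool]$Allowed)
    # PATCH only the nested property; the other defaultUserRolePermissions
    # values (e.g. allowedToCreateSecurityGroups) are left as they are.
    $body = @{ defaultUserRolePermissions = @{ allowedToCreateApps = $Allowed } }
    Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -Body $body `
        -ContentType 'application/json' | Out-Null
}

function Test-AppRegistrationSetting {
    # Returns PASS/FAIL text in the style of the Audit section above.
    if (Get-AppRegistrationSetting) {
        return 'FAIL: Users can register applications is set to Yes'
    }
    return 'PASS: Users can register applications is set to No'
}

switch ($Action) {
    'Audit' {
        # Read-only scope is sufficient for the audit.
        Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
        Write-Output (Test-AppRegistrationSetting)
    }
    'Remediate' {
        # Implementation Steps: set the toggle to No, then re-audit.
        Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome
        Set-AppRegistrationSetting -Allowed $false
        Write-Output (Test-AppRegistrationSetting)
    }
    'Backout' {
        # Backout Plan: restore the default of Yes, then show the resulting state.
        Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome
        Set-AppRegistrationSetting -Allowed $true
        Write-Output (Test-AppRegistrationSetting)
    }
}
```

Run the script with `-Action Audit` from a read-only account first; remediation and backout each re-read the policy after the PATCH so the output confirms the new state rather than assuming the write succeeded.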
Note:
Please note that at this point in time there is no dedicated Azure CLI command for this setting; the portal steps and the PowerShell check in the Audit section are the ways to assess it.