Description:

Require administrators to register third-party applications. Ensure that "Users can register applications" is set to 'No' within your Azure Active Directory (AD) settings so that only AD administrators can register third-party applications, after these have been reviewed and evaluated from a security standpoint.



Rationale:

It is recommended that only administrators be allowed to register custom-developed applications. This ensures that an application undergoes a security review before Active Directory data is exposed to it.


Impact:

This might create additional requests that administrators need to fulfill quite often.


Default Value:

By default, Users can register applications is set to Yes.


Audit:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to User Settings

  4. Check that Users can register applications is set to No. (In this scenario it is set to Yes by default.)


Using PowerShell

Connect-MsolService
Get-MsolCompanyInformation | Select-Object UsersPermissionToCreateLOBAppsEnabled

The command should return UsersPermissionToCreateLOBAppsEnabled with a value of False.
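The following script, added here as an example and not part of the benchmark text, wraps the MSOnline check above into a pass/fail audit result and, as an assumption, cross-checks the same setting through the Microsoft Graph PowerShell module (Get-MgPolicyAuthorizationPolicy, AllowedToCreateApps) when that module is installed. The function name Test-UserAppRegistrationDisabled is hypothetical.

```powershell
# Added example: audit "Users can register applications" and report a structured result.
# Expected state for this recommendation: UsersPermissionToCreateLOBAppsEnabled = False.
function Test-UserAppRegistrationDisabled {
    [CmdletBinding()]
    param()

    # Assumption: the MSOnline module is installed and Connect-MsolService has been run.
    $info = Get-MsolCompanyInformation
    $actual = $info.UsersPermissionToCreateLOBAppsEnabled

    # A missing or null property is treated as a finding, not as compliant.
    $status = if ($actual -eq $false) { 'Pass' } else { 'Fail' }

    $result = [PSCustomObject]@{
        Recommendation = 'Users can register applications = No'
        Source         = 'MSOnline'
        Expected       = $false
        Actual         = $actual
        Status         = $status
    }

    # Assumption: optional cross-check via Microsoft Graph PowerShell (Policy.Read.All scope).
    # Skipped silently when the module is not present.
    if (Get-Command Get-MgPolicyAuthorizationPolicy -ErrorAction SilentlyContinue) {
        $policy = Get-MgPolicyAuthorizationPolicy
        $graphActual = $policy.DefaultUserRolePermissions.AllowedToCreateApps
        $graphStatus = if ($graphActual -eq $false) { 'Pass' } else { 'Fail' }
        $result | Add-Member -NotePropertyName GraphAllowedToCreateApps -NotePropertyValue $graphActual
        $result | Add-Member -NotePropertyName GraphStatus -NotePropertyValue $graphStatus
    }

    return $result
}

# Usage (run after Connect-MsolService and, optionally, Connect-MgGraph -Scopes 'Policy.Read.All'):
# Test-UserAppRegistrationDisabled | Format-List
```

A Fail in either column means non-administrators can still create app registrations in the tenant and the Remediation section below applies.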



Remediation:

Pre-Requisite:

  1. A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.

  2. An account with global administrator privileges.


Implementation Steps:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to User settings

  4. Set Users can register applications to No


Backout Plan:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to User settings

  4. Set Users can register applications back to Yes (this reverts the change)


Note:

Please note that, at this point in time, there is no API/CLI mechanism available to programmatically conduct a security assessment for this recommendation.


References:

  1. https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/

  2. https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx

  3. https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance