Description:

The 'Users can register applications' setting in Microsoft Entra ID (formerly Azure Active Directory) determines whether users can register new applications in Azure AD. By default, any user can register their own applications, which can lead to security risks if unapproved or unmonitored applications are introduced into the directory. When this setting is configured to 'No', only users with administrative privileges (such as Global Administrators or Application Administrators) can register new applications in Azure AD.

Restricting the ability to register applications helps mitigate the risk of shadow IT, where unauthorized applications are added to the environment, potentially exposing the organization to security vulnerabilities or data breaches.

Rationale:

By setting 'Users can register applications' to 'No':

  • Enhance security by ensuring that only trusted administrators can create or register applications, reducing the potential for rogue or insecure applications to be added to the environment.

  • Improve governance by limiting the ability to create and manage applications to authorized personnel, thus ensuring that applications are properly reviewed, configured, and secured.

  • Prevent unapproved applications from accessing sensitive organizational data, reducing the risk of data leakage or other security threats.

Impact:

Setting 'Users can register applications' to 'No' will:

  • Increase control over which applications are added to Azure AD, ensuring that only authorized administrators can register and manage applications.

  • Prevent users from registering applications unless they have administrative privileges, which helps secure the organization's application environment.

  • Reduce flexibility for non-admin users, as they will no longer be able to register applications themselves. However, this trade-off ensures better control over the security of the organization's applications.

Default Value:

By default, Microsoft Entra ID allows users to register applications unless this setting is manually changed to 'No'. This setting must be configured to restrict application registration.

Pre-requisites:

  • Azure subscription with Microsoft Entra ID (Azure AD) configured.

  • Global Administrator or Privileged Role Administrator permissions to modify the directory's user settings.

  • A process to handle application registration requests from non-admin users to administrators for approval.

Audit:

  1. Sign in to Azure portal as a Global Administrator or Privileged Role Administrator.

  2. Navigate to Microsoft Entra ID > Enterprise Applications > User settings.

  3. Ensure that 'Users can register applications' is set to 'No'.

Implementation Steps (Automated):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Privileged Role Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • In the Azure portal, go to Azure Active Directory.

  3. Go to Enterprise Applications:

    • Under Manage, select Enterprise Applications.

  4. Modify User Settings:

    • In the Enterprise Applications pane, select User settings.

    • Find the setting 'Users can register applications' and set it to 'No'.

  5. Save the Configuration:

    • After setting the option to 'No', click Save to apply the changes.

  6. Verify the Setting:

    • After saving, verify that non-admin users can no longer register applications in Azure AD. Perform a test by attempting to register an application as a non-admin user. The registration process should be blocked.

  7. Monitor Application Registration Requests:

    • Set up a process for managing application registration requests from users who may need to register applications, ensuring that admins review and approve these requests based on organizational policies.

  8. Test the Configuration:

    • Perform a test by attempting to register an application as a non-admin user. The action should be blocked, and the user should receive a message explaining that only admins can register applications.

  9. Communicate to Users:

    • Inform users that they will no longer be able to register applications themselves. Any requests to register applications should be directed to administrators for review and approval.

Backout Plan (Automated):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Privileged Role Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • Go to Azure Active Directory > Enterprise Applications > User settings.

  3. Revert the User Registration Setting:

    • In User settings, change the 'Users can register applications' setting back to 'Yes'.

  4. Save the Configuration:

    • Click Save to apply the changes.

  5. Test the Reverted Configuration:

    • Perform a test by attempting to register an application as a non-admin user. The registration should now succeed once the setting has been reverted.

  6. Monitor the Reversion:

    • Use Azure AD logs to ensure that the reverted configuration is functioning as expected and that users can now register applications.
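The Audit, Implementation and Backout procedures above are portal steps; the following is an added example, not part of this control document, showing the same check and change through Microsoft Graph. It assumes the portal toggle 'Users can register applications' corresponds to the authorizationPolicy property defaultUserRolePermissions.allowedToCreateApps (true = Yes, false = No), that a bearer token with Policy.ReadWrite.Authorization (or Policy.Read.All for read-only) is supplied in the GRAPH_TOKEN environment variable, and that the embedded sample response is constructed for the offline demo.

```python
"""Audit, enforce and back out 'Users can register applications' via Microsoft Graph."""
import json
import urllib.request
from typing import Optional

GRAPH_URL = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Constructed sample of a Graph authorizationPolicy response, trimmed to the fields used here.
# allowedToCreateApps = True is the tenant default (portal setting 'Yes'), i.e. non-compliant.
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateSecurityGroups": True,
        "allowedToReadOtherUsers": True,
    },
}


def evaluate_policy(policy: dict) -> dict:
    """Audit step: PASS only when default (non-admin) users may not create app registrations."""
    perms = policy.get("defaultUserRolePermissions") or {}
    allowed = perms.get("allowedToCreateApps")
    if not isinstance(allowed, bool):
        return {"status": "UNKNOWN", "reason": "allowedToCreateApps absent from response"}
    return {"status": "PASS" if not allowed else "FAIL", "allowedToCreateApps": allowed}


def patch_body(allow_registration: bool) -> dict:
    """PATCH body for the implementation (False) or the backout plan (True). Only the one
    property is sent so the other default user permissions in the policy stay untouched."""
    return {"defaultUserRolePermissions": {"allowedToCreateApps": allow_registration}}


def graph_call(token: str, method: str = "GET", body: Optional[dict] = None) -> dict:
    """Minimal Graph client (stdlib only). PATCH returns 204 with an empty body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH_URL, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


if __name__ == "__main__":
    import os, sys
    token = os.environ.get("GRAPH_TOKEN")  # assumption: caller supplies a bearer token
    if not token:
        print("offline demo:", evaluate_policy(SAMPLE_POLICY))  # expected status: FAIL
        sys.exit(0)
    finding = evaluate_policy(graph_call(token))
    print("current:", finding)
    if finding["status"] == "FAIL" and "--enforce" in sys.argv:
        graph_call(token, "PATCH", patch_body(False))       # implementation step 4-5
        print("after remediation:", evaluate_policy(graph_call(token)))
```

Run with `--enforce` to apply the control; `patch_body(True)` sent the same way performs the backout.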

References: