lacework-global-507
Set 'Users can add gallery apps to My Apps' to 'No' (Manual)
Profile Applicability
• Level 1
Description
Require administrators to provide consent for the apps before use.
Rationale
Unless Azure Active Directory is running as an identity provider for third-party applications, do not allow users to use their identity outside of your cloud environment. User profiles contain private information such as phone numbers and email addresses which could then be sold off to other third parties without requiring any further consent from the user.
Impact
Can cause additional requests to administrators that need to be fulfilled quite often.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Azure Active Directory
- Then
Users
- Select
User settings
- Then
Manage how end users launch and view their applications
, and ensure thatUsers can add gallery apps to My Apps
is set toNo
Please note that at this point of time, there is no API/CLI mechanism available to programmatically conduct security assessment for this recommendation.
Remediation
From Azure Portal
Please note that at this point in time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.
- From Azure Home select the Portal Menu.
- Select
Azure Active Directory
. - Select
Users
. - Select
User settings
. - Select
Manage how end users launch and view their applications
. - Set
Users can add gallery apps to My Apps
toNo
.
References
https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/
https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems