lacework-global-508
Set 'Users Can Register Applications' to 'No' (Manual)
Profile Applicability
• Level 1
Description
Require administrators or appropriately delegated users to register third-party applications.
Rationale
It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Azure Active Directory data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.
Impact
Enforcing this setting will create additional requests for approval that will need to be addressed by an administrator. If permissions are delegated, a user may approve a malevolent third party application, potentially giving it access to your data.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Azure Active Directory
- Then
Users
- Go to
User settings
, ensure thatUsers can register applications
is set toNo
Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security assessment for this recommendation.
From Azure PowerShell
Connect-MsolService
Get-MsolCompanyInformation | Select-Object UsersPermissionToCreateLOBAppsEnabled
Command should return UsersPermissionToCreateLOBAppsEnabled
with the value of False
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Azure Active Directory
. - Select
Users
. - Select
User settings
. - Set
Users can register applications
toNo
.
Please note that at this point in time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.
From Azure PowerShell
Connect-MsolService
Set-MsolCompanyInformation -UsersPermissionToCreateLOBAppsEnabled $False
References
https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles#restrict-who-can-create-applications
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems
https://blogs.msdn.microsoft.com/exchangedev/2014/06/05/managing-user-consent-for-applications-using-office-365-apis/
https://nicksnettravels.builttoroam.com/post/2017/01/24/Admin-Consent-for-Permissions-in-Azure-Active-Directory.aspx
https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolcompanyinformation?view=azureadps-1.0
https://docs.microsoft.com/en-us/powershell/module/msonline/set-msolcompanysettings?view=azureadps-1.0