turbot/azure_cis
Pipeline: 2.14 Ensure That 'Users Can Register Applications' Is Set to 'No'
Description
Require administrators or appropriately delegated users to register third-party applications.
It is recommended to only allow an administrator to register custom-developed applications. This ensures that the application undergoes a formal security review and approval process prior to exposing Microsoft Entra ID data. Certain users like developers or other high-request users may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Entra ID.
- Under Manage, select Users.
- Under Manage, select User settings.
- Set Users can register applications to No.
- Click Save.
From PowerShell
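```powershell
# Build the default user role permissions with app registration disabled (boolean $false).
$param = @{ AllowedToCreateApps = $false }
# Apply the change to the tenant's authorization policy.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param
```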
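The script below is an added example, not part of the original page or the turbot/azure_cis mod: it audits the current value, applies the remediation above only when asked, and re-reads the policy to confirm the change. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the `Policy.Read.All` and `Policy.ReadWrite.Authorization` scopes; the `-Remediate` switch and the `Get-AllowedToCreateApps` helper are hypothetical names.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns
# Added example: audit CIS 2.14, remediate only on request, then verify.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # hypothetical switch: without it the script only reports
)

# Request the write scope only when a change will actually be made.
$scopes = @('Policy.Read.All')
if ($Remediate) { $scopes += 'Policy.ReadWrite.Authorization' }
Connect-MgGraph -Scopes $scopes | Out-Null

function Get-AllowedToCreateApps {
    # The authorization policy is a single tenant-wide object.
    (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateApps
}

$current = Get-AllowedToCreateApps
if ($null -eq $current) {
    # An empty result must not be read as compliant or non-compliant.
    throw 'Could not read AllowedToCreateApps; check the granted scopes.'
}

if ($current -eq $false) {
    Write-Output "PASS: 'Users can register applications' is set to No."
    return
}

Write-Warning "FAIL: 'Users can register applications' is set to Yes."
if (-not $Remediate) { return }

if ($PSCmdlet.ShouldProcess('Authorization policy', 'Set AllowedToCreateApps to False')) {
    # Same call as the remediation on this page.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateApps = $false }

    # Re-read the policy instead of trusting the absence of an error.
    if ((Get-AllowedToCreateApps) -eq $false) {
        Write-Output "REMEDIATED: 'Users can register applications' is now No."
    }
    else {
        Write-Error 'Setting did not change; check the role of the signed-in account.'
    }
}
```

Running it with `-Remediate -WhatIf` shows the change that would be made without applying it.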
Default Value
By default, Users can register applications is set to "Yes".
Run the pipeline
To run this pipeline from your terminal:
```sh
flowpipe pipeline run azure_cis.pipeline.cis_v300_2_14
```
Use this pipeline
To call this pipeline from your pipeline, use a step:
```hcl
step "pipeline" "step_name" {
  pipeline = azure_cis.pipeline.cis_v300_2_14
}
```
Params
Name | Type | Required | Description | Default |
---|---|---|---|---|
database | connection.steampipe | Yes | Database connection string. | connection.steampipe.default |
notifier | notifier | Yes | The name of the notifier to use for sending notification messages. | notifier.default |
notification_level | string | Yes | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'. | info |
Outputs
This pipeline has no outputs.
Tags
folder = CIS v3.0.0/2 Identity