Microsoft Entra IDOverview
Require administrators or appropriately delegated users to register third-party applications.
Rationale
It is recommended that only an administrator register custom-developed applications. This ensures the application undergoes a formal security review and approval process before exposing Microsoft Entra ID data. Certain users, like developers or other high-request users, may also be delegated permissions to prevent them from waiting on an administrative user. Your organization should review your policies and decide your needs.
Impact
Enforcing this setting will create additional requests for approval that will need to be addressed by an administrator. If permissions are delegated, a user may approve a malevolent third-party application, potentially giving it access to your data.
Default Value
By default, Users can register applications is set to "Yes".
Remediation guidance
From Azure Portal
- Open Users | User Settings.
- Set
Users can register applicationstoNo.
From Powershell
$param = @{ AllowedToCreateApps = "$false" }
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Entra Tenants allowing users to register apps
Connectors
Covered asset types
Expected check: eq []
{
connectors(where: { directoryProperties: { usersCanRegisterApps: true } }) {
...AssetFragment
}
}
