Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Users Can Add Gallery Apps To Their Access Panel

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ActiveDirectory-010

Ensure that "Users can add gallery apps to their Access Panel" setting is set to "No" within your Microsoft Entra ID user settings so that the administrators can evaluate and integrate first these applications in order for users to see them on their access panels.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Azure Access Panel is a web-based portal that enables Microsoft Entra ID users to view and start cloud-based applications that the Microsoft Entra ID administrator has granted them access to. When "Users can add gallery apps to their Access Panel" setting is enabled, the Microsoft Entra ID users are allowed to add any application that supports password Single Sign-On (SSO) to appear on their Access Panel, without an administrator needing to pre-integrate that application, thus bypassing the evaluation and integration process recommended for each gallery app.


Audit

To determine if Microsoft Entra ID users are allowed to add cloud applications to the Access Panel, perform the following actions:

Note: Retrieving "Users can add gallery apps to their Access Panel" setting status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user configuration settings.

05 On the User settings configuration page, under Enterprise applications, click Manage how end users launch and view their applications.

06 On the Enterprise applications page, check the Users can add gallery apps to their Access Panel setting configuration. If the setting is set to Yes, the Microsoft Entra ID users are allowed to add applications to their Access Panel, bypassing the Azure administrator evaluation and integration of those applications.

07 Repeat steps no. 3 – 6 for each Microsoft Entra ID that you want to examine.

Remediation / Resolution

By setting "Users can add gallery apps to their Access Panel" to "No", the Azure administrators can evaluate and provision the cloud-based applications for the Microsoft Entra ID users resulting in the applications appearing on the users Access Panel. To disable the required setting, perform the following actions:

Note: Restricting Microsoft Entra ID user's ability to add gallery applications to its own Access Panel using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user configuration settings.

05 On the User settings configuration page, under Enterprise applications, click Manage how end users launch and view their applications.

06 On the Enterprise applications page, select No next to Users can add gallery apps to their Access Panel setting to disable Microsoft Entra ID users' ability to add cloud-based applications to their Azure Access Panel.

07 Click Save to apply the configuration changes. If the request is successful, the following message should be displayed: "Successfully updated user settings". Once the changes are saved, only Azure administrators are allowed to add applications to the users Access Panel, having a better control over the app provisioning process.

08 Repeat steps no. 3 – 7 for each Microsoft Entra ID that you want to reconfigure to restrict users' ability to add applications to their Azure Access Panel.

References

Publication date Aug 30, 2019