Ensure that "Users can add gallery apps to their Access Panel" setting is set to "No" within your Microsoft Entra ID user settings so that the administrators can evaluate and integrate first these applications in order for users to see them on their access panels.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Azure Access Panel is a web-based portal that enables Microsoft Entra ID users to view and start cloud-based applications that the Microsoft Entra ID administrator has granted them access to. When "Users can add gallery apps to their Access Panel" setting is enabled, the Microsoft Entra ID users are allowed to add any application that supports password Single Sign-On (SSO) to appear on their Access Panel, without an administrator needing to pre-integrate that application, thus bypassing the evaluation and integration process recommended for each gallery app.
Audit
To determine if Microsoft Entra ID users are allowed to add cloud applications to the Access Panel, perform the following actions:
Note: Retrieving "Users can add gallery apps to their Access Panel" setting status using Microsoft Graph API or Azure CLI is not currently supported.Remediation / Resolution
By setting "Users can add gallery apps to their Access Panel" to "No", the Azure administrators can evaluate and provision the cloud-based applications for the Microsoft Entra ID users resulting in the applications appearing on the users Access Panel. To disable the required setting, perform the following actions:
Note: Restricting Microsoft Entra ID user's ability to add gallery applications to its own Access Panel using Microsoft Graph API or Azure CLI is not currently supported.References
- Azure Official Documentation
- Troubleshoot application sign-in
- CIS Microsoft Azure Foundations