Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Users Can Register Applications

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ActiveDirectory-011

Ensure that "Users can register applications" feature is disabled within your Microsoft Entra ID settings so that only Microsoft Entra ID administrators can register third-party applications after these are reviewed and evaluated from the security standpoint.

Security

To adhere to cloud security best practices, it is strongly recommended to allow only users with administrator roles to register custom-developed applications using Microsoft Entra ID. This ensures that each application goes through a rigorous security review before exposing Microsoft Entra ID data to it.

Audit

To determine if all Microsoft Entra ID users are allowed to register third-party applications, perform the following actions:

Note: Getting "Users can register applications" Microsoft Entra ID setting status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

  1. Sign in to Azure Management Console.

  2. Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

  3. In the navigation panel, select Users.

  4. Under All users, select User settings to access Microsoft Entra ID user configuration settings.

  5. On the User settings configuration page, under App registrations, check the Users can register applications setting configuration. If the verified setting is set to Yes, the Microsoft Entra ID users are allowed to register third-party applications, therefore the Microsoft Entra ID user configuration is not secure.

  6. Repeat steps no. 3 – 5 for each Microsoft Entra ID that you want to examine.

Remediation / Resolution

By setting "Users can register applications" to "No", the Azure administrators can review the custom-developed applications before these are registered and used within your Microsoft Entra ID account. To disable the required setting, perform the following actions:

Note: Restricting Microsoft Entra ID users' ability to register applications using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

  1. Sign in to Azure Management Console.

  2. Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

  3. In the navigation panel, select Users.

  4. Under All users, select User settings to access Microsoft Entra ID user configuration settings.

  5. On the User settings configuration page, under App registrations, select No next to Users can register applications setting to disable Microsoft Entra ID users' ability to register third-party applications inside the current directory.

  6. Click Save to apply the configuration changes. If the request is successful, the following message should be displayed: "Successfully updated user settings". Once the changes are saved, only Azure users with an administrator role can register custom-developed applications.

  7. Repeat steps no. 3 – 6 for each Microsoft Entra ID that you want to reconfigure to restrict users' ability to register third-party applications.

References

Publication date Aug 30, 2019

Related ActiveDirectory rules