
Default Authorization Settings - Default User Role Permissions - Allowed to create Apps

Controls whether non-admin users may register custom-developed applications (app registrations) for use within this directory.

Name: allowedToCreateApps
Control: Default Authorization Settings
Description: Manages authorization settings in Azure AD
Severity: High

How to fix

Details of configuration item

Recommendation: CISA SCuBA 2.6: Only Administrators SHALL Be Allowed To Register Third-Party Applications
Configuration: policies/authorizationPolicy
Setting: defaultUserRolePermissions.allowedToCreateApps
Recommended Value: 'false'
Default Value: true
Graph API Docs: authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn
Graph Explorer: Open in Graph Explorer
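The following PowerShell is an added example (it is not code from this page or from the tool that produced it) showing how an administrator would audit the setting listed above and set it to the recommended value with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the Policy.ReadWrite.Authorization permission; the cmdlet names are the SDK's v1.0 wrappers for the policies/authorizationPolicy resource.

```powershell
# Added example: audit and remediate
# policies/authorizationPolicy -> defaultUserRolePermissions.allowedToCreateApps
# Assumes the Microsoft.Graph PowerShell SDK and Policy.ReadWrite.Authorization consent.

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Read the current value. Recommended value is $false (CISA SCuBA 2.6); tenant default is $true.
$policy  = Get-MgPolicyAuthorizationPolicy
$current = $policy.DefaultUserRolePermissions.AllowedToCreateApps
Write-Host "allowedToCreateApps is currently: $current"

if ($current -eq $false) {
    Write-Host "Compliant: only administrators (and holders of the Application Developer role) can register apps."
}
else {
    # Remediate. This is equivalent to
    #   PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy
    #   { "defaultUserRolePermissions": { "allowedToCreateApps": false } }
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ allowedToCreateApps = $false }

    # Re-read the policy to confirm the change took effect.
    $after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateApps
    if ($after -eq $false) {
        Write-Host "Remediated: allowedToCreateApps is now false."
    }
    else {
        Write-Warning "Update did not take effect; verify the granted permission and retry."
    }
}
```

Two points worth knowing before changing the value: app registrations that already exist are not affected, only the ability of ordinary members to create new ones, and users who legitimately need to register applications can be given the Application Developer directory role instead of leaving the tenant-wide default open. Whether users may consent to third-party applications is governed separately by the tenant's user consent settings, so this setting alone does not cover that part of the SCuBA recommendation.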

MITRE ATT&CK

Tactic:
  TA0001 - Initial Access
  TA0005 - Defense Evasion
  TA0006 - Credential Access
  TA0008 - Lateral Movement

Technique:
  T1566.002 - Phishing: Spearphishing Link
  T1078 - Valid Accounts
  T1550 - Use Alternate Authentication Material
  T1528 - Steal Application Access Token

Mitigation:
  M1017 - User Training
  M1018 - User Account Management
  M1024 - Restrict Registry Permissions
  M1047 - Audit