CIS.M365.5.1.2.2 - Ensure third party integrated applications are not allowed
Overview
5.1.2.2 (L2) Ensure third party integrated applications are not allowed
App registration allows users to register custom-developed applications for use within the directory.
Rationale
Connections from third-party integrated applications to services should be disabled unless there is a very clear value and robust security controls are in place. While there are legitimate uses, attackers can use a breached account to grant a third-party application access, then exfiltrate data from your tenancy without having to maintain the breached account.
Impact
The implementation of this change will impact both end users and administrators. End users will not be able to integrate third-party applications that they may wish to use. Administrators are likely to receive requests from end users to grant them permission to the necessary third-party applications.
Remediation action:
- Navigate to the Microsoft 365 Entra admin center.
- Click to expand Entra ID > Users and select User settings.
- Set Users can register applications to No.
- Click Save.
PowerShell
- Connect to Microsoft Graph using `Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"`
- Run the following commands:

```powershell
# Pass a real boolean, not the string "$false": the hashtable is serialised to JSON
# and Graph expects allowedToCreateApps to be false, not "False".
$param = @{ AllowedToCreateApps = $false }
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param
```
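As an added example (not code from this page or from Maester's own test), the following PowerShell audits the setting, can remediate it with -WhatIf support, and lists app registrations that users already own, since turning the toggle off does not remove existing registrations. The function names are my own, and the Graph scopes named in the comments are assumptions.

```powershell
# Added example, not Maester's Test-MtCisThirdPartyApplicationsDisallowed.
# Assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Applications are installed and
# that Connect-MgGraph was run with Policy.ReadWrite.Authorization and Application.Read.All.
function Test-UserAppRegistrationDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)

    # The tenant authorization policy is a singleton; defaultUserRolePermissions.allowedToCreateApps
    # is the "Users can register applications" toggle shown in the Entra admin center.
    $policy  = Get-MgPolicyAuthorizationPolicy
    $allowed = $policy.DefaultUserRolePermissions.AllowedToCreateApps

    $result = [pscustomobject]@{
        Setting      = 'defaultUserRolePermissions.allowedToCreateApps'
        CurrentValue = $allowed
        Compliant    = ($allowed -eq $false)
        Remediated   = $false
    }

    if (-not $result.Compliant -and $Remediate -and
        $PSCmdlet.ShouldProcess('authorizationPolicy', 'Set allowedToCreateApps to false')) {
        # Pass a real boolean: the SDK serialises this hashtable to JSON, and Graph expects
        # {"allowedToCreateApps": false}, not the string "False" that "$false" would produce.
        Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateApps = $false }
        $result.Remediated = $true
    }
    return $result
}

function Get-UserOwnedAppRegistration {
    # Turning the toggle off is not retroactive: registrations users created earlier stay in
    # the tenant. List every application that has at least one user (not group or SP) owner.
    foreach ($app in Get-MgApplication -All) {
        $userOwners = Get-MgApplicationOwner -ApplicationId $app.Id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
        if ($userOwners) {
            [pscustomobject]@{
                DisplayName = $app.DisplayName
                AppId       = $app.AppId
                Created     = $app.CreatedDateTime
                Owners      = ($userOwners | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ', '
            }
        }
    }
}

# Usage: audit first, preview the change with -WhatIf, then review existing user-owned apps.
Test-UserAppRegistrationDisabled
Test-UserAppRegistrationDisabled -Remediate -WhatIf
Get-UserOwnedAppRegistration | Sort-Object Created | Format-Table -AutoSize
```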
Related links
- Microsoft 365 Entra admin center
- How and why applications are added to Microsoft Entra ID
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 173
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.5.1.2.2 |
| Severity | Unknown |
| Suite | CIS |
| Category | CIS E3 Level 2 |
| PowerShell test | Test-MtCisThirdPartyApplicationsDisallowed |
| Tags | CIS, CIS E3, CIS E3 Level 2, CIS E5, CIS E5 Level 2, CIS M365 v6.0.1, CIS.M365.5.1.2.2, L2, Security |
Source
- Pester test: tests/cis/Test-MtCisThirdPartyApplicationsDisallowed.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisThirdPartyApplicationsDisallowed.ps1