Version: 1.3.126 (preview)

Default Authorization Settings - Default User Role Permissions - Allowed to create Apps

Controls if non-admin users may register custom-developed applications for use within this directory.


Name	allowedToCreateApps
Control	Default Authorization Settings
Description	Manages authorization settings in Entra ID (Azure AD)
Severity	High

How to fix

Microsoft Graph PowerShell: Update-MgPolicyAuthorizationPolicy -BodyParameter @{ DefaultUserRolePermissions = @{ AllowedToCreateApps = $false }}


Recommendation	CISA SCuBA 2.6: Only Administrators SHALL Be Allowed To Register Third-Party Applications
Configuration	policies/authorizationPolicy
Setting	`defaultUserRolePermissions.allowedToCreateApps`
Recommended Value	'false'
Default Value	true
Graph API Docs	authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn
Graph Explorer	Open in Graph Explorer

Tactic	Technique	Mitigation
TA0001 - Initial Access - Initial Access TA0005 - Defense Evasion - Defense Evasion TA0006 - Credential Access - Credential Access TA0008 - Lateral Movement - Lateral Movement	T1566.002 - Phishing: Spearphishing Link T1078 - Valid Accounts T1550 - Use Alternate Authentication Material T1528 - Steal Application Access Token	M1017 - User Training M1018 - User Account Management M1024 - Restrict Registry Permissions M1047 - Audit