CISA.MS.AAD.5.1 - Only administrators SHALL be allowed to register applications.
Overview
Only administrators SHALL be allowed to register applications.
Rationale: Application access for the tenant presents a heightened security risk compared to interactive user access because applications are typically not subject to critical security protections, such as MFA policies. Reduce risk of unauthorized users installing malicious applications into the tenant by ensuring that only specific privileged users can register applications.
Remediation action:
- In Entra, under Identity and Users, select User settings.
- For Users can register applications, select No.
- Click Save.
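
The portal setting above corresponds to `defaultUserRolePermissions.allowedToCreateApps` on the tenant's authorization policy in Microsoft Graph. The script below is an added example, not Maester's or ScubaGear's own code, that audits the value and optionally remediates it; the function name `Test-AppRegistrationRestricted`, the `-Remediate` switch and the sample object are assumptions made for illustration.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module for the live check.
#   Audit only:        Connect-MgGraph -Scopes 'Policy.Read.All'
#   Audit + remediate: Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
param(
    [switch]$Remediate   # hypothetical switch: also apply the fix when non-compliant
)

function Test-AppRegistrationRestricted {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $AuthorizationPolicy
    )
    $allowed = $AuthorizationPolicy.DefaultUserRolePermissions.AllowedToCreateApps
    [pscustomobject]@{
        ControlId           = 'MS.AAD.5.1'
        AllowedToCreateApps = $allowed
        # Compliant only when explicitly $false; a missing value counts as a failure.
        Compliant           = ($allowed -eq $false)
    }
}

# Constructed sample policy object, so the evaluation logic can be exercised offline.
$sample = [pscustomobject]@{
    DefaultUserRolePermissions = [pscustomobject]@{ AllowedToCreateApps = $true }
}
Test-AppRegistrationRestricted -AuthorizationPolicy $sample

# Live check: runs only when the Graph SDK is installed and a session exists.
if ((Get-Command Get-MgContext -ErrorAction SilentlyContinue) -and (Get-MgContext)) {
    $result = Test-AppRegistrationRestricted -AuthorizationPolicy (Get-MgPolicyAuthorizationPolicy)
    $result

    if (-not $result.Compliant -and $Remediate) {
        # Equivalent to setting "Users can register applications" to No in the portal.
        $body = @{
            defaultUserRolePermissions = @{ allowedToCreateApps = $false }
        }
        Update-MgPolicyAuthorizationPolicy -BodyParameter $body

        # Re-read the policy to confirm the change took effect.
        Test-AppRegistrationRestricted -AuthorizationPolicy (Get-MgPolicyAuthorizationPolicy)
    }
}
```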
Related links
- Entra admin center - User settings
- CISA Application Registration & Consent - MS.AAD.5.1v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.5.1 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID Free |
| PowerShell test | Test-MtCisaAppRegistration |
| Tags | CISA, CISA.MS.AAD.5.1, Entra ID Free, MS.AAD, MS.AAD.5.1 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaAppRegistration.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaAppRegistration.ps1