Skip to main content

Default Authorization Settings - Default User Role Permissions - Allowed to create Apps

Controls if non-admin users may register custom-developed applications for use within this directory.


Name	allowedToCreateApps
Control	Default Authorization Settings
Description	Manages authorization settings in Azure AD
Severity	High

How to fix

Details of configuration item


Recommendation	CISA SCuBA 2.6: Only Administrators SHALL Be Allowed To Register Third-Party Applications
Configuration	policies/authorizationPolicy
Setting	`defaultUserRolePermissions.allowedToCreateApps`
Recommended Value	'false'
Default Value	true
Graph API Docs	authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn
Graph Explorer	Open in Graph Explorer

MITRE ATT&CK

Tactic	Technique	Mitigation
TA0001 - Initial Access - Initial Access TA0005 - Defense Evasion - Defense Evasion TA0006 - Credential Access - Credential Access TA0008 - Lateral Movement - Lateral Movement	T1566.002 - Phishing: Spearphishing Link T1078 - Valid Accounts T1550 - Use Alternate Authentication Material T1528 - Steal Application Access Token	M1017 - User Training M1018 - User Account Management M1024 - Restrict Registry Permissions M1047 - Audit

How to fix
- Details of configuration item
MITRE ATT&CK