Verify that That 'Users Can Register Applications' Is Set to 'No'

Last updated: April 9, 2026

Framework Reference: 6.14 Application Registration Restrictions – Microsoft Entra ID (Level 1)

Why this matters

  • Allowing all users to register applications in Microsoft Entra ID increases the risk of unauthorized or malicious applications gaining access to directory data.

  • When users can freely register applications:

  • Third-party or custom apps may bypass formal security review

  • Excessive API permissions may be granted without oversight

  • Sensitive directory data may be exposed

  • Attackers may leverage app registrations for persistence or privilege escalation

  • Restricting application registration to administrators (or tightly delegated roles) ensures:

  • Proper security review before exposure to identity data

  • Controlled permission grants

  • Alignment with least-privilege and privileged access strategies

  • This is a foundational governance control for identity security.

What this check does

This Auto Check verifies whether non-administrative users are prevented from registering applications in Microsoft Entra ID.

Check Logic

Passes if:

  • Users can register applications is set to No, and

  • AllowedToCreateApps is set to False in the authorization policy.

Fails if:

The setting is Yes, or

  • AllowedToCreateApps returns True.

Applies to:

  • Microsoft Entra ID tenant-wide settings

  • All users within the directory

  • The check queries Microsoft Graph authorization policy settings.

How to fix it

Disable user self-service application registration.

Azure Portal

  1. From Azure Home, open the Portal Menu.

  2. Select Microsoft Entra ID.

  3. Under Manage, select Users.

  4. Under Manage, select User settings.

  5. Set Users can register applications to No.

  6. Click Save.

PowerShell (Microsoft Graph)

Verify current setting:

(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Format-List AllowedToCreateApps

Remediate if needed:

$param = @{ AllowedToCreateApps = "$false" } Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param 

Default value

By default, Users can register applications is set to Yes.

Impact

  • Increases administrative workload due to app registration approval requests.

  • May require delegation models for developer teams.

  • If delegation is poorly controlled, privileged users could still approve malicious applications.

  • Organizations should balance operational efficiency with security risk by defining a formal approval and delegation process.

Exceptions

If developers or integration teams require application registration capabilities:

  • Delegate permissions only to controlled roles.

  • Enforce documented security review procedures.

  • Monitor app registrations and permission grants regularly.

  • Implement conditional access and app governance policies.

References

  1. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-app-roles#restrict-who-can-create-applications 

  2. https://learn.microsoft.com/en-us/entra/identity-platform/how-applications-are-added#who-has-permission-to-add-applications-to-my-azure-ad-instance 

  3. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy 

  4. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-1-separate-and-limit-highly-privilegedadministrative-users 

  5. https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/get-mgpolicyauthorizationpolicy?view=graph-powershell-1.0