APP-12 | Medium | Recommended Secure

Restrict User App Registration

Workload Identity & Applications control for Microsoft 365 and Entra ID

Why This Control Matters

When any user can register applications, attackers and unmanaged users can create app registrations to request OAuth permissions or establish persistence. Restricting registration to administrators keeps the application attack surface governed.

Expected State

When this control is compliant, your tenant should meet these criteria:

  1. Non-admin users cannot register applications
  2. App registration is restricted to administrators
  3. authorizationPolicy.defaultUserRolePermissions.allowedToCreateApps is false
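
The third criterion can be checked against the JSON that Microsoft Graph returns for the tenant's authorizationPolicy. The following is an added example, not part of the original control page: the function name, result fields and sample documents are constructed for illustration, and accepting both a single object and a `value`-wrapped collection is an assumption about the response shape.

```python
import json

CONTROL_ID = "APP-12"

# Constructed sample documents (not from a real tenant), shaped like the
# Microsoft Graph authorizationPolicy resource this control inspects.
SAMPLE_DEFAULT = json.loads(
    '{"id": "authorizationPolicy",'
    ' "defaultUserRolePermissions": {"allowedToCreateApps": true}}'
)
SAMPLE_HARDENED = json.loads(
    '{"value": [{"id": "authorizationPolicy",'
    ' "defaultUserRolePermissions": {"allowedToCreateApps": false}}]}'
)


def _result(status, detail):
    return {"control": CONTROL_ID, "status": status, "detail": detail}


def evaluate_app_registration(response):
    """Classify a policy response as compliant, non_compliant or unknown."""
    if not isinstance(response, dict):
        return _result("unknown", "response is not a JSON object")
    # Assumption: the policy arrives either as a single object or wrapped
    # in a {"value": [...]} collection; accept both.
    policies = response["value"] if "value" in response else [response]
    if not isinstance(policies, list) or not policies:
        return _result("unknown", "no authorizationPolicy object found")
    for policy in policies:
        perms = policy.get("defaultUserRolePermissions") if isinstance(policy, dict) else None
        setting = perms.get("allowedToCreateApps") if isinstance(perms, dict) else None
        if setting is True:
            return _result("non_compliant", "non-admin users can register applications")
        if setting is not False:
            # Missing or non-boolean (for example the string "false"):
            # fail closed instead of assuming the tenant is compliant.
            return _result("unknown", "allowedToCreateApps is missing or not a boolean")
    return _result("compliant", "allowedToCreateApps is false")


if __name__ == "__main__":
    for name, doc in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, evaluate_app_registration(doc))
```
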

Enforcement

Default Mode: Advisory
Alerts on deviations but does not make changes.

Auto-Remediation: Manual Only
Detect-only. Fix in Entra admin center > User settings > Users can register applications = No.
