APP-12: Restrict User App Registration
Frequently asked questions about implementing and managing the APP-12 security control in Microsoft 365 and Entra ID.
What is APP-12 (Restrict User App Registration)?
APP-12 is a security control that requires application registration to be restricted to administrators: non-admin users must not be able to register applications, which corresponds to the tenant setting authorizationPolicy.defaultUserRolePermissions.allowedToCreateApps being false. When any user can register applications, attackers and unmanaged users can create app registrations to request OAuth permissions or establish persistence; restricting registration to administrators keeps the application attack surface governed.
Why is Restrict User App Registration important for Microsoft 365 security?
When any user can register applications, attackers and unmanaged users can create app registrations to request OAuth permissions or establish persistence. Restricting registration to administrators keeps the application attack surface governed.
How do I implement APP-12 in my tenant?
APP-12 requires manual implementation: the control is detect-only, so it reports the setting but does not change it. To fix it, open the Entra admin center, go to User settings, and set "Users can register applications" to No.
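The same check, and the same change the portal setting makes, can be scripted against Microsoft Graph. This is an added example, not TrueConfig's code or Microsoft's documentation; it assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account holds a role permitted to read (and, with the script's own -Remediate switch, write) the authorization policy.

```powershell
# Added example: detect, and optionally enforce, APP-12 through the Microsoft Graph
# PowerShell SDK. The -Remediate switch is this script's convention, not a Graph parameter.
param(
    [switch]$Remediate
)

# Reading the policy needs Policy.Read.All; changing it needs Policy.ReadWrite.Authorization.
$scopes = if ($Remediate) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

function Test-App12 {
    # Returns $true when non-admin users cannot register applications, i.e. when
    # authorizationPolicy.defaultUserRolePermissions.allowedToCreateApps is false.
    $policy = Get-MgPolicyAuthorizationPolicy
    return -not $policy.DefaultUserRolePermissions.AllowedToCreateApps
}

if (Test-App12) {
    Write-Host 'APP-12 PASS: users cannot register applications.'
} else {
    Write-Host 'APP-12 FAIL: allowedToCreateApps is true (any user can register applications).'
    if ($Remediate) {
        # Equivalent of "Users can register applications = No" in the Entra admin center.
        # Only allowedToCreateApps is sent; the other default user permissions are left unchanged.
        Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateApps = $false }
        if (Test-App12) {
            Write-Host 'APP-12 remediated: user app registration is now restricted to administrators.'
        } else {
            Write-Warning 'Policy update did not take effect; re-read the authorization policy and check the account''s role.'
        }
    }
}
```

Run without -Remediate during an assessment to record the current state; existing app registrations created by users are not removed by this change and should be reviewed separately.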
What license do I need for APP-12?
This control can be implemented with any Microsoft 365 subscription, including free Azure AD.
Which security baseline includes APP-12?
APP-12 is included in the TrueConfig Recommended Secure baseline (Level 1). This is the foundation level suitable for most organizations.