Restrict User App Registration for Retail & E-Commerce

Retail & E-Commerce organizations face specific regulatory requirements including pci-dss, soc2, cis. The APP-12 control helps address these requirements by:

• Non-admin users cannot register applications
• App registration is restricted to administrators
• authorizationPolicy.defaultUserRolePermissions.allowedToCreateApps is false

When any user can register applications, attackers and unmanaged users can create app registrations to request OAuth permissions or establish persistence. Restricting registration to administrators keeps the application attack surface governed.

When implementing APP-12 in a retail & e-commerce environment, consider:

• **Regulatory requirements**: pci-dss, soc2, cis may mandate specific configurations
• **Risk tolerance**: Retail & E-Commerce organizations typically have moderate to low risk tolerance
• **Audit frequency**: Plan for regular compliance reviews
• **Documentation**: Maintain detailed records for regulatory inspections

APP-12 requires the following configuration:

• Non-admin users cannot register applications
• App registration is restricted to administrators
• authorizationPolicy.defaultUserRolePermissions.allowedToCreateApps is false

Detect-only. Fix in Entra admin center > User settings > Users can register applications = No.

Follow the steps above in your Microsoft Entra admin center to enable this control.