How to Fix: Restrict User App Registration
Step-by-step guide to restricting user app registration in your Microsoft 365 environment.
- Estimated Time: 15-20 minutes
- Steps: 4
- Severity: medium
- Baseline Level: Recommended Secure
Why This Matters
When any user can register applications, attackers and unmanaged users can create app registrations to request OAuth permissions or establish persistence. Restricting registration to administrators keeps the application attack surface governed.
Prerequisites
1. Global Administrator or appropriate admin role in Microsoft Entra ID
2. Access to Microsoft Entra admin center (entra.microsoft.com)
Expected Configuration
- Non-admin users cannot register applications
- App registration is restricted to administrators
- authorizationPolicy.defaultUserRolePermissions.allowedToCreateApps is false
Remediation Steps
Step 1: Audit Current Applications
Review the applications in your Entra ID tenant.
- Navigate to Microsoft Entra admin center
- Go to Applications > Enterprise applications
- Review app registrations and permissions
Step 2: Identify Required Changes
Determine which applications need modification.
- Compare against expected configuration
- Identify risky or non-compliant apps
- Plan remediation approach
Step 3: Apply Remediation
Make the necessary changes to application configurations.
- Update consent settings as needed
- Modify application permissions
- Configure app governance policies
Step 4: Verify Compliance
Confirm applications meet security requirements.
- Run TrueConfig scan
- Review any remaining findings
- Document changes made
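The four steps above carried out from the command line, as an added example that is not part of the original guide: it audits existing app registrations, reads the tenant's authorization policy, sets allowedToCreateApps to false when it is still true, and re-reads the policy to verify. It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed and that the signed-in administrator can consent to the Policy.ReadWrite.Authorization and Application.Read.All scopes.

```powershell
# Added example (not from the original guide): enforce
# authorizationPolicy.defaultUserRolePermissions.allowedToCreateApps = false
# with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module
# is installed and the signed-in account can consent to the scopes below.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications

# Policy.ReadWrite.Authorization covers the authorization policy;
# Application.Read.All covers the audit of existing registrations.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Application.Read.All"

# Step 1: audit - list current app registrations, newest first, so registrations
# created while any user could register apps can be reviewed before the change.
$apps = Get-MgApplication -All -Property "DisplayName,AppId,CreatedDateTime,SignInAudience"
$apps |
    Sort-Object CreatedDateTime -Descending |
    Select-Object DisplayName, AppId, CreatedDateTime, SignInAudience |
    Format-Table -AutoSize

# Step 2: read the tenant-wide default user permissions (a singleton policy).
$policy = Get-MgPolicyAuthorizationPolicy
$current = $policy.DefaultUserRolePermissions.AllowedToCreateApps
Write-Host "allowedToCreateApps is currently: $current"

# Step 3: remediate only if non-admin users are still allowed to register apps.
if ($current) {
    $body = @{
        defaultUserRolePermissions = @{
            allowedToCreateApps = $false
        }
    }
    Update-MgPolicyAuthorizationPolicy -BodyParameter $body
    Write-Host "Updated: non-admin app registration disabled."
}

# Step 4: verify by re-reading the policy; a non-zero exit code signals drift
# so the script can run unattended as a recurring compliance check.
$verify = Get-MgPolicyAuthorizationPolicy
if ($verify.DefaultUserRolePermissions.AllowedToCreateApps) {
    Write-Error "allowedToCreateApps is still true - remediation did not apply."
    exit 1
}
Write-Host "Compliant: allowedToCreateApps = false"
```

Run it once interactively to apply the change, then schedule the read-and-verify part to catch anyone re-enabling the setting later.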