How Do You Manage Application Registration Permissions in Microsoft Entra ID?

Asked By TechWizard42 On

I'm currently taking a deeper look into our organization's security protocols related to Microsoft Entra ID, especially regarding who gets the ability to register applications in our tenant. Various frameworks, including CIS and Microsoft, suggest that we should only allow administrators to register applications. This would help ensure that each app goes through a thorough security evaluation before it can access sensitive information, thus minimizing risks from shadow IT and unauthorized applications. I'm curious to know how other organizations approach this:

- Do you limit application registration to admins exclusively, or do you delegate some of that power to non-admin users?

Any insights on whether this is a significant issue would be greatly appreciated!

3 Answers

Answered By GuardiansOfData On

We prefer to strike a balance. While we only allow admins to create apps, we understand the need for some flexibility. So, we have a system in place for self-service requests with a lightweight approval process to keep things moving smoothly without compromising security.

IT_SupportHero -

That makes sense! Having a process like that can help maintain security while still enabling valid usage.

Answered By AppControlPro On

In our setting, the option for users to register applications is disabled. Application registration is strictly for those with specific admin roles. If needed, we create custom roles for certain users to manage registration without opening the floodgates.

Answered By SecureAdmin99 On

From what I see, it's crucial to restrict app registration to just admins. If non-admins are allowed to register apps, it can lead to serious security issues. Flexibility might sound good, but it often creates chaos. It's better to lock things down and prevent potential problems.
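To check where a tenant actually stands on the setting and admin roles discussed in the answers above, here is an added audit sketch that is not part of any poster's answer. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account can consent to the read scopes shown; the role list is an assumption about which built-in roles to review, and custom roles or PIM-eligible assignments are not covered.

```powershell
# Added example: read-only audit of who can register applications in the tenant.
Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory'

# 1. Tenant-wide default ("Users can register applications" in the portal).
$policy = Get-MgPolicyAuthorizationPolicy
$usersCanRegister = [bool]$policy.DefaultUserRolePermissions.AllowedToCreateApps

# 2. Built-in roles that can create app registrations even when the default is off.
#    Get-MgDirectoryRole only returns roles that have been activated in the tenant.
$roleNames = 'Global Administrator', 'Application Administrator',
             'Cloud Application Administrator', 'Application Developer'

$holders = foreach ($role in Get-MgDirectoryRole | Where-Object DisplayName -in $roleNames) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role = $role.DisplayName
            # Members can be users, groups or service principals.
            Type = $member.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.'
            Name = $member.AdditionalProperties['displayName']
            Id   = $member.Id
        }
    }
}

# 3. Report.
if ($usersCanRegister) {
    Write-Warning 'Default users CAN register applications (AllowedToCreateApps = true).'
    # To restrict (needs Policy.ReadWrite.Authorization):
    # Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateApps = $false }
} else {
    Write-Output 'Default users cannot register applications.'
}

Write-Output "Principals holding a role that permits app registration: $(@($holders).Count)"
$holders | Sort-Object Role, Name | Format-Table -AutoSize
```

Service principals and groups in the output deserve the same review as named users, since they can register applications too.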
