Version: 2.1.1-preview

EIDSCA.AP10 - Default Authorization Settings - Default User Role Permissions - Allowed to create Apps.

Overview

Controls if non-admin users may register custom-developed applications for use within this directory.

CISA SCuBA 2.6: Only Administrators SHALL Be Allowed To Register Third-Party Applications

Test script

https://graph.microsoft.com/beta/policies/authorizationPolicy
.defaultUserRolePermissions.allowedToCreateApps -eq 'false'
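The same condition can be evaluated stand-alone. The following is an added example, not Maester's own code; the function name Test-AllowedToCreateApps and the sample JSON responses are constructed for illustration. It handles the policy being returned either directly or inside a 'value' collection, and avoids the boolean-versus-string comparison pitfall in PowerShell.

```powershell
# Added example: evaluates the EIDSCA.AP10 condition on an authorizationPolicy response.
# Test-AllowedToCreateApps is a hypothetical helper; the JSON samples below are constructed.
function Test-AllowedToCreateApps {
    param([Parameter(Mandatory)] $Response)

    # The policy may arrive as a single object or wrapped in a 'value' collection.
    $policy = if ($Response.PSObject.Properties['value']) { @($Response.value)[0] } else { $Response }

    $setting = $policy.defaultUserRolePermissions.allowedToCreateApps
    if ($null -eq $setting) {
        throw 'defaultUserRolePermissions.allowedToCreateApps is missing from the response'
    }

    # Compare as strings. With a boolean on the left, `$false -eq 'false'` is False:
    # PowerShell converts the right operand to [bool], and a non-empty string is $true.
    $actual = ([string]$setting).ToLowerInvariant()

    [pscustomobject]@{
        TestId    = 'EIDSCA.AP10'
        Actual    = $actual
        Expected  = 'false'
        Compliant = ($actual -eq 'false')
    }
}

# Constructed sample responses: a wrapped, non-compliant policy and a bare, compliant one.
$samples = @(
    '{"value":[{"id":"authorizationPolicy","defaultUserRolePermissions":{"allowedToCreateApps":true}}]}',
    '{"id":"authorizationPolicy","defaultUserRolePermissions":{"allowedToCreateApps":false}}'
)
$samples | ForEach-Object { Test-AllowedToCreateApps -Response ($_ | ConvertFrom-Json) }

# Against a live tenant (Microsoft Graph PowerShell SDK, after Connect-MgGraph -Scopes 'Policy.Read.All'):
# $r = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
#        -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy'
# Test-AllowedToCreateApps -Response $r
```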

MITRE ATT&CK

Tactic

  • TA0001 - Initial Access - Initial Access
  • TA0005 - Defense Evasion - Stealth
  • TA0006 - Credential Access - Credential Access
  • TA0008 - Lateral Movement - Lateral Movement

Technique

  • T1566.002 - Phishing: Spearphishing Link
  • T1078 - Valid Accounts
  • T1550 - Use Alternate Authentication Material
  • T1528 - Steal Application Access Token

Mitigation

  • M1017 - User Training
  • M1018 - User Account Management
  • M1024 - Restrict Registry Permissions
  • M1047 - Audit

Test Metadata

| Field | Value |
|---|---|
| Test ID | EIDSCA.AP10 |
| Severity | High |
| Suite | Entra ID SCA |
| Category | General |
| PowerShell test | Test-MtEidscaAP10 |
| Tags | EIDSCA, EIDSCA.AP10 |

Source

  • Pester test: tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
  • PowerShell source: powershell/internal/eidsca/Test-MtEidscaAP10.ps1