
Restrict User settings

Restrict registration of new Azure AD applications

It is important to control registration of Azure AD applications.

Azure Portal > Azure Active Directory > User Settings

It is important to restrict users' ability to consent to applications accessing organization data. With the setting below, we allow user consent only for applications that have been published by a verified publisher.

Set-AzureADMSAuthorizationPolicy -DefaultUserRolePermissions @{"PermissionGrantPoliciesAssigned" = @("managePermissionGrantsForSelf.microsoft-user-default-low") }


When an application is marked as publisher verified, it means that the publisher has verified their identity using a Microsoft Partner Network account that has completed the verification process and has associated this MPN account with their application registration.
Source: Publisher verification overview
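
To confirm that both settings above are in effect, the following added example (not part of the original page) audits an authorization policy object. The function name `Test-UserAppSettings` and the sample object are constructed for illustration; it assumes the object has the shape returned by `Get-AzureADMSAuthorizationPolicy` from the AzureADPreview module, with `AllowedToCreateApps` being the property behind the portal's "Users can register applications" switch.

```powershell
# Added example: audit app registration and user consent settings.
function Test-UserAppSettings {
    param(
        [Parameter(Mandatory)]
        $Policy   # object shaped like Get-AzureADMSAuthorizationPolicy output
    )
    $expected = 'managePermissionGrantsForSelf.microsoft-user-default-low'
    $perms    = $Policy.DefaultUserRolePermissions
    $findings = @()

    # App registration: should be disabled for the default user role.
    if ($perms.AllowedToCreateApps) {
        $findings += 'Users can register applications (AllowedToCreateApps is true).'
    }

    # Only policies prefixed managePermissionGrantsForSelf. govern user self-consent.
    $selfConsent = @($perms.PermissionGrantPoliciesAssigned |
        Where-Object { $_ -like 'managePermissionGrantsForSelf.*' })

    foreach ($id in $selfConsent) {
        if ($id -ne $expected) {
            $findings += "Unexpected user consent policy assigned: $id"
        }
    }
    # No self-consent policy at all means user consent is disabled, which is
    # stricter than the verified-publisher setting, so it is not flagged.
    if ($selfConsent.Count -gt 0 -and $selfConsent -notcontains $expected) {
        $findings += "Expected consent policy not assigned: $expected"
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample (not real tenant data). In a live, authenticated session:
#   $policy = Get-AzureADMSAuthorizationPolicy
$policy = [pscustomobject]@{
    DefaultUserRolePermissions = [pscustomobject]@{
        AllowedToCreateApps             = $true
        PermissionGrantPoliciesAssigned = @('managePermissionGrantsForSelf.microsoft-user-default-legacy')
    }
}
Test-UserAppSettings -Policy $policy | Format-List
```

Run against the constructed sample, the function reports three findings: app registration is open, the legacy consent policy is assigned, and the verified-publisher policy is missing.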