Application access enhancements for Azure AD

Published: July 8, 2013

Updated: January 23, 2014

Applies To: Azure

For more information about this topic, see Best Practices for Managing the Application access enhancements for Azure Active Directory.

Many organizations rely on software as a service (SaaS) applications such as Office 365, Box and Salesforce for end user productivity.
Historically, IT staff have had to create and update user accounts individually in each SaaS application, and users have had to remember a separate password for each one. The application access enhancements for Azure Active Directory introduce security and access governance controls that let IT manage users' access across SaaS applications from one place.

Azure AD integrates with many of today's popular SaaS applications: it provides identity and access management for them and delivers an Access Panel where users can see which applications they have access to and use single sign-on (SSO) to open them.

The architecture of the integration consists of the following four main building blocks:

  • Single sign-on enables users to access their SaaS applications based on their organizational account in Azure AD

  • Account sync enables user provisioning and deprovisioning into target SaaS based on changes made in Windows Server Active Directory and/or Azure AD

  • Centralized application access management in the Azure Management Portal enables single point of SaaS application access and management

  • Unified reporting and monitoring of anomalous user activity in Azure AD

Configuring single sign-on enables the users in your organization to be signed in to a third-party SaaS application automatically by Azure AD. The end user has only one password to remember, and the organization's security improves because users are given access only to the applications assigned to them.

Azure AD supports two different modes for single sign-on:

  • Federation using standard protocols

  • Password-based single sign-on

Configuring federation-based single sign-on enables the users in your organization to be signed in to a third-party SaaS application automatically by Azure AD, using their account information from Azure AD. When a user is already signed in to Azure AD and wants to access resources controlled by a third-party SaaS application, federation eliminates the need to authenticate again. Federated SSO is available for end user browsers that support JavaScript and CSS.

Configuring password-based single sign-on enables the users in your organization to be signed in to a third-party SaaS application automatically by Azure AD, using their account information from the third-party SaaS application. When you enable this feature, Azure AD collects and securely stores the user account information and the related password. Unlike federation, the SaaS application still authenticates the user with its own password rather than with a token from Azure AD: revoking the user's assignment in Azure AD stops Azure AD from supplying that password, but does not by itself change or disable the account in the application, so pair password-based SSO with account sync (or a manual deprovisioning step) where the application supports it.

Password-based SSO relies on a browser extension to securely retrieve the application and user specific information from Azure AD and apply it to the service. Most third-party SaaS applications that are supported by Azure AD support this feature.

For password-based SSO, the end user's browser can be:

  • Internet Explorer 8, 9 or 10 on Windows 7 or later

  • Chrome on Windows 7 or later, or on Mac OS X

User provisioning enables automated user provisioning and deprovisioning of accounts in third-party SaaS applications from within the Azure Management Portal, using your Windows Server Active Directory or Azure AD identity information. When a user is given permissions in Azure AD for one of these applications, an account can be automatically created (provisioned) in the target SaaS application.

When a user is deleted or their information changes in Azure AD, the change is also reflected in the SaaS application. Configuring this automated identity lifecycle management therefore gives administrators control over provisioning and deprovisioning in SaaS applications without touching each application by hand. In Azure AD, this automation is provided by account sync.
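The reconciliation that account sync performs, written out as an added example (not Azure AD's own sync code): a directory state and a SaaS application's account list go in, and the create, update and deactivate actions needed to bring the application in line come out. The record layouts, field names, action verbs and all sample users are constructed for illustration.

```python
"""Reconciliation step behind account sync: compute the provisioning actions
that bring a SaaS application's accounts in line with the directory.

Added example, not Azure AD's own sync code. The records, the SaaS field
names and the three action verbs are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    object_id: str      # immutable directory identifier
    upn: str            # sign-in name; may change on rename
    display_name: str
    enabled: bool       # account enabled in the directory
    assigned: bool      # granted access to this application


@dataclass(frozen=True)
class SaasAccount:
    external_id: str    # the directory object_id the SaaS app stored at creation
    login: str
    display_name: str
    active: bool


def plan_sync(directory, saas):
    """Return an ordered list of (action, payload) tuples.

    Accounts are matched on the immutable object id, not on the sign-in name,
    so a rename becomes an update instead of a create plus an orphan.
    Deprovisioning deactivates rather than deletes, which keeps the
    application's audit trail and is reversible if the user is re-assigned.
    """
    wanted = {u.object_id: u for u in directory if u.assigned and u.enabled}
    existing = {a.external_id: a for a in saas}
    actions = []

    for oid, user in wanted.items():
        account = existing.get(oid)
        if account is None:
            actions.append(("create", {"external_id": oid, "login": user.upn,
                                       "display_name": user.display_name}))
            continue
        changes = {}
        if account.login != user.upn:
            changes["login"] = user.upn
        if account.display_name != user.display_name:
            changes["display_name"] = user.display_name
        if not account.active:          # previously deprovisioned, now re-assigned
            changes["active"] = True
        if changes:
            actions.append(("update", {"external_id": oid, **changes}))

    # Anything the SaaS app knows about that is no longer assigned and enabled
    # (unassigned, disabled, or deleted from the directory) is deactivated.
    for oid, account in existing.items():
        if oid not in wanted and account.active:
            actions.append(("deactivate", {"external_id": oid}))
    return actions


def apply_plan(saas, actions):
    """Simulate the SaaS side applying the plan; returns the resulting accounts."""
    by_id = {a.external_id: a for a in saas}
    for action, p in actions:
        current = by_id.get(p["external_id"])
        if action == "create":
            by_id[p["external_id"]] = SaasAccount(p["external_id"], p["login"],
                                                  p["display_name"], True)
        elif action == "update":
            by_id[p["external_id"]] = SaasAccount(
                current.external_id, p.get("login", current.login),
                p.get("display_name", current.display_name),
                p.get("active", current.active))
        elif action == "deactivate":
            by_id[p["external_id"]] = SaasAccount(current.external_id, current.login,
                                                  current.display_name, False)
    return list(by_id.values())


# Constructed sample state: alice is newly assigned, bob was renamed in the
# directory, carol was unassigned, dave was deleted from the directory
# (absent below), and erin's directory account was disabled.
SAMPLE_DIRECTORY = [
    DirectoryUser("u1", "alice@contoso.example", "Alice Anders", True, True),
    DirectoryUser("u2", "bob@contoso.example", "Bob Baker", True, True),
    DirectoryUser("u3", "carol@contoso.example", "Carol Chen", True, False),
    DirectoryUser("u5", "erin@contoso.example", "Erin Estes", False, True),
]
SAMPLE_SAAS = [
    SaasAccount("u2", "bob@contoso.example", "Robert Baker", True),
    SaasAccount("u3", "carol@contoso.example", "Carol Chen", True),
    SaasAccount("u4", "dave@contoso.example", "Dave Diaz", True),
    SaasAccount("u5", "erin@contoso.example", "Erin Estes", True),
]

if __name__ == "__main__":
    for action, payload in plan_sync(SAMPLE_DIRECTORY, SAMPLE_SAAS):
        print(action, payload)
```

Running the plan through apply_plan and planning again yields no actions, which is the property a sync engine needs so that repeated runs are harmless. Keying on the immutable object id is the detail that matters most in practice: matching on the sign-in name turns every rename into a new account plus an orphaned old one that still holds access.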

The application access enhancements for Azure AD provide the following two user interface (UI) components:

  • The Active Directory extension in the Azure Management Portal UI where you can go to configure your third-party applications

  • The Access Panel UI where end users can go to get single sign-on access to the applications that you manage from within the Active Directory extension

The following sections provide more details about both interfaces.

You can use the Active Directory extension in the Azure Management Portal to configure the application access enhancements for Azure AD.
As a first step, you need to select a directory from the Active Directory section in the portal:

[Screenshot: the Active Directory section of the Azure Management Portal, listing directories]

To manage your third-party SaaS applications, you can switch into the applications view of the selected directory. This view enables administrators to:

  • Add new applications

  • Delete integrated applications

  • Manage the applications they have already integrated

Typical administrative tasks for a third-party SaaS application are:

  • Enabling single sign-on with Azure AD, using password SSO or, if available for the target SaaS, federated SSO

  • Optionally, enabling account sync for user provisioning and deprovisioning (identity lifecycle management)

  • For applications where user provisioning is enabled, selecting which users have access to that application

Some third-party SaaS applications support authentication using accounts in Azure AD. If this feature is supported by an application, you need to first select the single sign-on mode you want to enable for an application:

[Screenshot: "Select the single sign-on mode for this app" step of the configuration wizard]

Configuring authentication using an account in Azure AD typically requires you to provide additional configuration settings, such as certificates and metadata, to create a federated trust between the third-party application and Azure AD. The configuration wizard walks you through the details and gives you easy access to the application-specific data and instructions.
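What the federated trust amounts to on the application side, as an added example that is not part of the original page or of any vendor's code: after the SaaS application (the service provider) has verified the signature on the assertion with the certificate taken from Azure AD's federation metadata, it must still check issuer, validity window, audience and recipient before signing the user in. The trust values, the assertion and the timestamps below are constructed placeholders so the script runs offline; signature verification is assumed to have already happened, because the standard library has no XML-DSig implementation.

```python
"""Relying-party validation of a SAML 2.0 assertion received over federated SSO.

Added example, not Microsoft's or any SaaS vendor's code. The issuer URL,
audience URI and ACS URL below are constructed placeholders, and the
assertion is a constructed, unsigned sample so the script runs offline.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Trust settings the service provider takes from the identity provider's
# federation metadata. Hypothetical values.
TRUST = {
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "audience": "https://saas.example.com/sp",
    "acs_url": "https://saas.example.com/saml/acs",
}

# Constructed sample assertion (no Signature element; see docstring of check_assertion).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2014-01-23T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@contoso.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://saas.example.com/saml/acs"
          NotOnOrAfter="2014-01-23T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-01-23T09:55:00Z" NotOnOrAfter="2014-01-23T11:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://saas.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def saml_time(value):
    """Parse the UTC xs:dateTime form SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, trust, now, skew=timedelta(minutes=5)):
    """Return a list of failure codes; an empty list means every check passed.

    Signature verification (XML-DSig with the IdP certificate from metadata)
    must run before these checks; it is assumed done here. `now` may be a
    datetime or a SAML-format timestamp string.
    """
    if isinstance(now, str):
        now = saml_time(now)
    root = ET.fromstring(xml_text)
    failures = []

    # 1. The assertion must come from the identity provider we federated with.
    if root.findtext("saml:Issuer", namespaces=NS) != trust["issuer"]:
        failures.append("issuer")

    # 2. Validity window and audience restriction bind the assertion to this
    #    application and to the present moment (clock skew tolerated).
    conds = root.find("saml:Conditions", NS)
    if conds is None:
        failures.append("no-conditions")
    else:
        not_before = conds.get("NotBefore")
        not_on_or_after = conds.get("NotOnOrAfter")
        if not_before and now + skew < saml_time(not_before):
            failures.append("not-yet-valid")
        if not_on_or_after and now - skew >= saml_time(not_on_or_after):
            failures.append("expired")
        audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if trust["audience"] not in audiences:
            failures.append("audience")

    # 3. Bearer confirmation must name our ACS endpoint and still be fresh, so an
    #    assertion minted for another application cannot be replayed here.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        failures.append("no-subject-confirmation")
    else:
        if scd.get("Recipient") != trust["acs_url"]:
            failures.append("recipient")
        if scd.get("NotOnOrAfter") and now - skew >= saml_time(scd.get("NotOnOrAfter")):
            failures.append("confirmation-expired")
    return failures


def subject_of(xml_text):
    """The NameID Azure AD asserted; only meaningful once check_assertion returned []."""
    return ET.fromstring(xml_text).findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    now = datetime(2014, 1, 23, 10, 1, tzinfo=timezone.utc)
    print(check_assertion(SAMPLE_ASSERTION, TRUST, now), subject_of(SAMPLE_ASSERTION))
```

The audience and recipient checks are the ones most often skipped in home-grown relying parties, and they are what stops a valid assertion issued for one application in the tenant from being presented to another. For a real deployment use a maintained SAML library that performs the XML-DSig step; the checks above are the policy it should be enforcing on top of the signature.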

Configuring user provisioning requires you to give Azure AD permissions to manage your accounts in the SaaS application. At a minimum, you need to provide credentials Azure AD should use when authenticating over to the target application. Whether additional configuration settings need to be provided depends on the requirements of the application.

The Access Panel is a separate portal next to the Azure Management Portal that end users can use to get single sign-on to one or more applications.

The Access Panel is available for users with an organizational account. Users can authenticate either to the Access Panel and Azure AD, or to their on-premises Windows Server Active Directory.

For more details, see Introduction to the Access Panel.

[Screenshot: the Applications view of the Access Panel]

Signing in to the Access Panel does not require the end user to have an Azure subscription. Each application still needs whatever license or subscription it requires on its own side, for example an Office 365 license or a subscription in the target SaaS application.

Federation-based SSO is currently supported by the following applications:

  • Box

  • Citrix GoToMeeting

  • Google Apps

  • Salesforce

  • Workday

  • Office 365 Exchange Online and SharePoint Online

User provisioning is supported by the following applications:

  • Box

  • Citrix GoToMeeting

  • Google Apps

  • Salesforce

Enabling user access to applications requires you to select the users you want to grant access to an application. If a user should not have access to an application, you can disable access to it.

The Azure AD application administration is available through the Azure Management Portal. The application administration is located in the Active Directory area, within your directory instance, under the Applications tab.

An application may support any subset of the administration, identity management and SSO capabilities described in this document.

For additional references about the application access enhancements for Azure AD and related tutorials, see Application access.

© 2014 Microsoft