Application access capabilities for Azure Active Directory
Published: July 8, 2013
Updated: September 1, 2015
Applies To: Azure
You can find a more recent version of this topic here.
This topic will be retired soon.
Many organizations rely upon software as a service (SaaS) applications such as Office 365, Box and Salesforce for end user productivity.
Historically, IT staff needs to individually create and update user accounts in each SaaS application, and users have to remember a password for each SaaS application. The application access enhancements for Azure Active Directory introduces security and access governance controls that enable you to centrally manage users' access across SaaS applications.
Azure AD enables easy integration to many of today’s popular SaaS applications; it provides identity and access management, and delivers an access panel for users where they can discover what application access they have and single sign-on (SSO) to access their applications.
The architecture of the integration consists of the following four main building blocks:
Single sign-on enables users to access their SaaS applications based on their organizational account in Azure Active Directory
User provisioning enables user provisioning and deprovisioning into target SaaS based on changes made in Windows Server Active Directory and/or Azure AD
Centralized application access management in the Azure Management Portal enables single point of SaaS application access and management
Unified reporting and monitoring of anomalous user activity in Azure AD
Configuring single sign-on enables the users in your organization to be automatically logged into a third-party SaaS application by Azure AD. This functionality provides the end user with the convenience of remembering only a single password while increasing the organization’s security by providing users with access to only their applications
Azure AD supports three different modes for single sign-on:
Configuring password-based single sign-on enables the users in your organization to be automatically signed in to a third-party SaaS application by Azure AD using the user account information from the third-party SaaS application. When you enable this feature, Azure AD collects and securely stores the user account information and the related password.
Azure AD can support password-based single sign on for any cloud-based app that has an HTML-based sign in page. By using a custom browser plugin, AAD automates the user’s sign in process via securely retrieving application credentials such as the username and the password from the directory, and enters these credentials into the application’s sign in page on behalf of the user. There are two use cases:
Administrator manages credentials –Administrators can create and manage application credentials, and assign those credentials to users or groups who need access to the application. In these cases, the end user does not need to know the credentials, but still gains single sign-on access to the application simply by clicking on it in their access panel or via a provided link. This enables both, lifecycle management of the credentials by the administrator, as well as convenience for end users whereby they do not need to remember or manage app-specific passwords. The credentials are obfuscated from the end user during the automated sign in process; however users and administrators should follow the same security policies as if the credentials were presented directly by the user. Administrator-provided credentials are very useful when providing account access that is shared among many users, such as social media or document sharing applications.
User manages credentials – Administrators can assign applications to end users or groups, and allow the end users to enter their own credentials directly upon accessing the application for the first time in their access panel. This creates a convenience for end users whereby they do not need to continually enter the app-specific passwords each time they access the application. This use case can also be used as a stepping stone to administrative management of the credentials, whereby the administrator can set new credentials for the application at a future date without changing the app access experience of the end user.
In both cases, credentials are stored in an encrypted state in the directory, and are only passed over HTTPS during the automated sign-in process. Using password-based single sign on, Azure AD offers a convenient identity access management solution for apps that are not capable of supporting federation protocols.
Password-based SSO relies on a browser extension to securely retrieve the application and user specific information from Azure AD and apply it to the service. Most third-party SaaS applications that are supported by Azure AD support this feature.
For password-based SSO, the end user’s browsers can be:
IE 8, IE9 and IE10 on Windows 7 or later
Chrome on Windows 7 or later or MacOS X or later
When configuring single sign-on for an application, the Azure management portal provides a third option of “Existing Single Sign-On”. This option simply allows the administrator to create a link to an application, and place it on the access panel for selected users. For example, if there is an application that is configured to authenticate users using Active Directory Federation Services 2.0, an administrator can use the “Existing Single Sign-On” option to create a link to it on the access panel. When users access the link, they are authenticated using Active Directory Federation Services 2.0, or whatever existing single sign-on solution is provided by the application
User provisioning enables automated user provisioning and deprovisioning of accounts in third-party SaaS applications from within the Azure Management Portal, using your Windows Server Active Directory or Azure AD identity information. When a user is given permissions in Azure AD for one of these applications, an account can be automatically created (provisioned) in the target SaaS application.
When a user is deleted or their information changes in Azure AD, these changes are also reflected in the SaaS application. This means, configuring automated identity lifecycle management enables administrators to control and provide automated provisioning and deprovisioning from SaaS applications. In Azure AD, this automation of identity lifecycle management is enabled by user provisioning.
The application access capabilities for Azure AD provide the following two user interface (UI) components:
The Active Directory extension in the Azure Management Portal UI where you can go to configure your third-party applications
The Access Panel UI where end users can go to get single sign-on access to the applications that you manage from within the Active Directory extension
The following sections provide more details about both interfaces.
You can use the Active Directory extension in the Azure Management Portal to configure the application access enhancements for Azure AD.
As a first step, you need to select a directory from the Active Directory section in the portal:
To manage your third-party SaaS applications, you can switch into the applications view of the selected directory. This view enables administrators to:
Add new applications
Delete integrated applications
Manage the applications they have already integrated
Typical administrative tasks for a third-party SaaS application are:
Enabling single sign-on with Azure AD, using password SSO or, if available for the target SaaS, federated SSO
Optionally, enabling user provisioning for user provisioning and deprovisioning (identity lifecycle management)
For applications where user provisioning is enabled, selecting which users have access to that application
Some third-party SaaS applications support authentication using accounts in Azure AD. If this feature is supported by an application, you need to first select the single sign-on mode you want to enable for an application:
Configuring authentication using an account in Azure AD, typically requires you to provide additional configuration settings such as certificates and metadata to create a federated trust between the third-party app and Azure AD. The configuration wizard walks you through the details and provides you with easy access to the SaaS application specific data and instructions.
Configuring user provisioning requires you to give Azure AD permissions to manage your accounts in the SaaS application. At a minimum, you need to provide credentials Azure AD should use when authenticating over to the target application. Whether additional configuration settings need to be provided depends on the requirements of the application.
The Access Panel is a separate portal next to the Azure Management Portal that end users can use to get single sign-on to one or more applications.
The Access Panel is available for users with an organizational account. Users can authenticate either to the Access Panel and Azure AD, or to their on-premises Windows Server Active Directory.
For more details, see Introduction to the Access Panel.
Connecting to the access panel does not require the end user to have an Azure or Office 365 subscription. The user would require a license for Office365 or a subscription in the target SaaS application (if appropriate).
For a list of applications supported by Azure Active Directory, see the Azure Active Directory application galley.
The Azure AD application administration is available through the Azure Management Portal. The application administration is located in the Active Directory area, within your directory instance, under the Applications tab.
Applications could support any subset of the administration, identity management, and SSO capabilities described in this document.
For additional references about the application access enhancements for Azure AD and related tutorials, see Application access.
ConceptsIntroduction to the Access Panel
Other ResourcesAzure Active Directory application gallery : SSO-ready SaaS apps