MS-100 Configure Application Access

May 31st, 2019 | Posted by admin in Exchange

Configure Application Registration in Azure AD

Registering the application means that your developers can use Azure AD to authenticate users and request access to user resources such as email, calendar, and documents.

Registering an application allows any user to do the following:

  • Get an identity for their application that Azure AD recognizes
  • Get one or more secrets/keys that the application can use to authenticate itself to AD
  • Brand the application in the Azure portal with a custom name, logo, etc.
  • Apply Azure AD authorization features to their app, including:
    • Role-Based Access Control (RBAC)
    • Azure Active Directory as OAuth authorization server (secure an API exposed by the application)

  • Declare required permissions necessary for the application to function as expected, including:
    • App permissions (global administrators only). For example: Role membership in another Azure AD application or role membership relative to an Azure Resource, Resource Group, or Subscription
    • Delegated permissions (any user). For example: Azure AD, Sign-in, and Read Profile

Users can register an application by default. We can control the application registration by users by disabling the App registration option.

Azure Portal -> Azure AD -> User Settings -> App Registrations -> Select No and Save.

In addition to the above, we have the below application registration settings to manage for Enterprise Applications. Choose the required option for your organization.

Configure the app to require user assignment and assign users

By default, users can access applications without being assigned. However, if the application exposes roles or if you want the application to appear on a user’s access panel, you should require user assignment.

Suppress user consent

By default, each user goes through a consent experience to sign in. The consent experience, asking users to grant permissions to an application, can be disconcerting for users who are unfamiliar with making such decisions.

If we are disabling Application Registration option for end users, only Global Administrator can perform Application Registration. To delegate the permission, we have two Azure AD Roles

Application Administrator: Users in this role can add, manage, and configure enterprise applications, app registrations and manage on-premises like app proxy.

Application Developer: Users in this role will continue to be able to register app registrations even if the Global Admin has turned off the tenant level switch for “Users can register apps”.

 

Configure Azure AD application proxy

Using Azure AD Application Proxy service helps to integrate the On-Premise application with Azure AD. Refer the below link for additional information.

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-add-on-premises-application

 

You need to understand the additional settings available for when adding an Enterprise Application and the cookie settings. You can expect one questions from this.

 

Publish Enterprise Apps in Azure AD

Enterprise Applications Published will be available in Access Panel for end users. We can search for application in the Gallery and publish them for the Users. Below are the default applications published.

Azure Portal -> Azure AD -> Enterprise Application

Publish an Enterprise Application

Click on New Application and Search for the application from the gallery and add it to your organization.

We can modify the settings of an app like SSO / User provisioning once it is added.

You can follow any responses to this entry through the RSS 2.0 You can leave a response, or trackback.

Leave a Reply