So far, you’ve learned about configuring a Microsoft 365 tenant and configuring access, roles, and security pertaining to resources primarily located in the Microsoft 365 environment. In this chapter, we’re going to expand into managing access to additional applications—whether they’re on-premises or other cloud-based SaaS applications.
This chapter covers the following exam objectives:
- Planning access and authentication
- Configuring application registration
- Managing user permissions for application registrations
- Managing OAuth application requests
- Configuring Azure AD Application Proxy
- Publishing enterprise applications in Azure AD
That’s a number of objectives, so let’s dive in!
Planning access and authentication
Prior to the explosion of cloud-based SaaS applications, organizations that purchased applications or connected to partner organizations would commonly configure identity federation with the entity hosting an application. One of the most common methods was through Active Directory Federation Services (AD FS).
With the advent of cloud-based applications and widespread adoption of the Security Assertion Markup Language (SAML) and OpenID Connect standards, it’s easier than ever to connect your organization’s users to third-party applications.
Authentication frameworks
Both Security Assertion Markup Language and OpenID Connect are open standards for federated authentication (AuthN); OpenID Connect is an identity layer built on OAuth 2.0, which supplies the authorization (AuthZ) framework underneath it. Both allow developers to build applications that obtain and exchange identity information from a trusted external directory instead of maintaining an identity store inside the application. For the organizations consuming those applications, this means a single identity store, and a single place to enforce sign-in policy and deprovisioning, connected to all of their applications, rather than a separate identity to manage for each application or service they use.
As a Microsoft 365 administrator, you’re likely responsible for deploying, implementing, or otherwise integrating applications into your organization’s Azure AD environment.
Configuring application registration
When you want to use Azure AD as the identity provider (IdP) for an application, you must register the application with Azure AD. Registration establishes a trust relationship that runs in one direction only: the application trusts the Microsoft identity platform (Azure AD) to authenticate users and issue tokens; Azure AD does not trust the application in return.
Understanding application registration
The registration process tells Azure AD the details of the application, such as the URL of the service and the redirect URIs to which authentication responses may be sent. Registered applications can also request permissions to Azure AD and Microsoft 365 resources (for example, Microsoft Graph), so examine carefully what permissions an application actually needs and grant only those.
In addition to providing the basic details of the application, registration also grants the following benefits:
- Allows for branding customization of the sign-in dialog box
- Allows you to limit the sign-in audience: single-tenant, for applications that should be accessible only to your own organization's users, or multi-tenant, for applications available to users in any Azure AD tenant; a further option also admits personal Microsoft accounts. Social identities such as LinkedIn or Google are not a sign-in audience of an app registration; they are brought in through Azure AD external identities or Azure AD B2C.
- Allows you to request permission scopes on other APIs, such as Microsoft Graph's User.Read or Directory.Read.All
- Allows you to define the scopes that the application itself exposes, so that other clients can request access to it
- Allows you to add credentials (a client secret or, preferably, a certificate) with which the application proves its own identity to Azure AD
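The same registration can be scripted. The following is an added example, not code from the book: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module) to register a single-tenant web application, request only the delegated User.Read scope on Microsoft Graph, create the application's service principal, and add a short-lived client secret. The application name and redirect URI are placeholders; the Microsoft Graph application ID and the User.Read scope ID are the well-known values, and the account running it is assumed to hold a role that can create applications.

```powershell
# Added example (not from the book): register an app with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph.Applications module is installed and the signed-in
# account may create application registrations.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.ReadWrite.All"

$graphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph (well-known app ID)
$userReadId = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"   # User.Read delegated scope (well-known ID)

$params = @{
    DisplayName            = "Contoso Expense Portal"   # placeholder name
    SignInAudience         = "AzureADMyOrg"             # single-tenant: this directory only
    Web                    = @{ RedirectUris = @("https://expenses.contoso.example/signin-oidc") }  # placeholder
    RequiredResourceAccess = @(
        @{
            ResourceAppId  = $graphAppId
            # Type "Scope" = delegated permission; "Role" would be an application permission.
            ResourceAccess = @(@{ Id = $userReadId; Type = "Scope" })
        }
    )
}
$app = New-MgApplication @params

# The service principal is the app's identity inside this tenant. The portal
# creates it automatically; the cmdlet does not, so create it explicitly.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Client credential: keep the lifetime short and rotate it. A certificate is the
# stronger choice for production; a secret is shown here because it is what the
# portal offers first. Note that -ApplicationId takes the object ID, not the AppId.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "initial-secret"
    EndDateTime = (Get-Date).AddMonths(6)
}
# $secret.SecretText is returned exactly once; store it in a key vault, never in source control.

# Verify what was registered: audience, redirect URIs, and that only User.Read was requested.
Get-MgApplication -ApplicationId $app.Id |
    Select-Object DisplayName, AppId, SignInAudience,
        @{ n = "RedirectUris"; e = { $_.Web.RedirectUris -join ", " } },
        @{ n = "RequestedScopes"; e = {
            ($_.RequiredResourceAccess.ResourceAccess | Where-Object Type -eq "Scope").Id -join ", " } }
```

Requesting a permission is not the same as granting it: until a user or an administrator consents, the application holds no access. Reviewing the registration output before consent is the point at which to confirm that the redirect URIs are exactly the ones the application serves and that no broader scope slipped in than the one the application needs.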
Let’s see it in action!