If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID. This includes onboarding applications, assigning users to application roles, editing applications, and deleting applications. For onboarding applications, EmpowerID provides two options that you can use depending on your organization’s policies:

  1. You can require any onboarding of Azure applications to go through an approval process before those applications are created in Azure.

  2. You can allow applications to be onboarded without requiring any approvals.

In this article, you create a test application for your Azure AD tenant that requires the onboarding request to be approved before EmpowerID provisions it. To complete this, you will:

  1. Configure approval flow for any onboarding application requests

  2. Initiate the workflow used to onboard Azure applications

  3. Approve the onboarding request

  4. Verify the application in Azure after approval occurs.

Prerequisites

To add an enterprise application to Azure, you need:

  • An Azure AD tenant managed by EmpowerID

  • One of the following Azure roles linked to the Service Principal EmpowerID uses to connect to Azure: Global Administrator, Cloud Application Administrator, or Application Administrator.

Configure approval flow

The workflow used for onboarding Azure applications is the Create Azure Application workflow. This workflow has its Business Request Type property set to Azure Application, which uses the CreateAzureAppFlowPolicy Approval Flow Policy. This Approval Flow Policy has configurable Approver Resolver Rules that you can use to specify who needs to approve the request before EmpowerID provisions the application.

For a deeper discussion of approval flow in EmpowerID, see the article Approval Engine (https://dotnetworkflow.jira.com/wiki/spaces/EAGV21/pages/1660715893/Approval+Engine).

  1. On the navbar, expand IT Shop and select Approval Flow Policies.

  2. Select the Approval Flow Steps tab and search for Azure Application Approval.

  3. Click the Name link for the Approval Flow Step.

  4. On the View One page for the Approval Flow Step, expand the Approver Resolver Rules accordion.

  5. Click the Add [+] button.

  6. In the Approver Determination Rule dialog that appears, enter the following information:

    1. Approval Resolver Type – Select Static Approver

    2. Which Type of Assignee For This Policy – Select the appropriate EmpowerID Actor type. Actor Types include:

      • Business Role and Location

      • Group

      • Management Role

      • Management Role Definition

      • Person

    3. Select <Actor> To Receive Policy – Select the specific actor who is to be the approver. For example, if you selected Person as the Actor Type, you select the specific Person here.

    4. Click Save.

    5. Repeat the above for any other approvers you want to add.

    6. Click Submit.

Onboard an application

  1. From the address of your browser, append the base URL for your EmpowerID portal with #w/CreateAzureApplication. The full URL should look similar to https://Your-EmpowerID-Server/ui/#w/CreateAzureApplication, where Your-EmpowerID-Server is the FQDN of your EmpowerID server.

  2. The Create Azure Application wizard opens to assist you with onboarding an Azure application. Applications that you can integrate include Non-gallery Enterprise Applications (SAML), Gallery Enterprise Applications (SAML), and OIDC applications. This example selects OIDC application registration.

  3. Select the Application Environment. It is recommended that you select a non-production environment for initial testing.

  4. Select a tenant for the application.

  5. Select a Location in EmpowerID. Default Organization is selected by default; if you wish to change this, click the link and then search for and select the desired location from the Location tree.

  6. Click Next.

  7. Give the application a Name and Description and then click Next.

  8. Select an Application Owner and one or more Deputies and then click Next.


  9. Review the information and click Next.

    You should see that a Business Request for the application was successfully created.

  10. Click Submit to exit the wizard.

Approve the onboarding request

  1. Navigate to the My Tasks application as an approver for the Business Request.

  2. In My Tasks, select the To Do view and then search for the Business Request.

  3. Click the Pending button for the request.

  4. Click Run Workflow.

  5. Review the information and click Approve or Reject as needed.

    You should see the task is completed.


  6. Refresh the To Do view of My Tasks and then search for the Business Request.

  7. Click the Pending Item button for the request to navigate to the Overview page for it.

    You should see two pending items: one to assign the Azure application owner and the other to assign Azure application deputies.

  8. To approve or reject both items at once, click the Global Decision drop-down (the first drop-down) and select the desired decision.

  9. Enter any comments and then click Submit.

Verify the application in Azure

  1. Log in to your Azure portal and navigate to Azure AD > App Registrations.

  2. Select All Applications and then search for the application you just created.

    You should see the application.

  3. Click the Name link for the application to navigate to the Overview blade for the app.

  4. Under Manage, click Owners.

    You should see the Application owner and any deputies you specified for the application.
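The same check can be scripted so the provisioned registration and its owners are compared against what was approved. This is an added example using the Microsoft Graph PowerShell module, not part of the original article; the application name and the expected owner UPNs are placeholders you replace with the values from your Business Request.

```powershell
# Added example (not from the EmpowerID docs). Assumes the Microsoft.Graph
# PowerShell module is installed and the signed-in account may read applications.
Connect-MgGraph -Scopes 'Application.Read.All', 'User.Read.All'

$AppName           = 'YOUR-APP-NAME'                                  # placeholder: Name entered in the wizard
$ExpectedOwnerUpns = @('owner@example.com', 'deputy@example.com')     # placeholder: owner + deputies from the request

# Look up the app registration by display name (the wizard's Name field).
$app = @(Get-MgApplication -Filter "displayName eq '$AppName'")
if ($app.Count -eq 0) {
    throw "No app registration named '$AppName' found; the request may still be pending approval."
}
if ($app.Count -gt 1) {
    Write-Warning "Multiple registrations share the name '$AppName'; checking the first only."
}
$app = $app[0]

# Resolve the owners listed under Manage > Owners to user principal names.
$owners    = Get-MgApplicationOwner -ApplicationId $app.Id -All
$ownerUpns = @(foreach ($o in $owners) { $o.AdditionalProperties['userPrincipalName'] })

"App: $($app.DisplayName)  AppId: $($app.AppId)  Created: $($app.CreatedDateTime)"
"Owners: $($ownerUpns -join ', ')"

# Flag any drift between the approved request and what Azure actually holds.
$missing    = @($ExpectedOwnerUpns | Where-Object { $_ -notin $ownerUpns })
$unexpected = @($ownerUpns         | Where-Object { $_ -notin $ExpectedOwnerUpns })
if ($missing)    { Write-Warning "Expected owners not assigned: $($missing -join ', ')" }
if ($unexpected) { Write-Warning "Owners present that were not in the approved request: $($unexpected -join ', ')" }
if (-not $missing -and -not $unexpected) { 'Owners match the approved request.' }
```

Run it after the Business Request shows as completed in My Tasks; if the registration is missing, the approval has not yet been processed.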
