
If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID. This includes onboarding applications, assigning users to application roles, editing applications, and deleting applications. For onboarding applications, EmpowerID provides two options that you can use depending on your organization’s policies:

  1. You can require any onboarding of Azure applications to go through an approval process before those applications are created in Azure

  2. You can allow applications to be onboarded without requiring any approvals.

In this article, you create a test application for your Azure AD tenant that requires the onboarding request to be approved before EmpowerID provisions it. To complete this, you will:

  1. Configure approval flow for any onboarding application requests

  2. Initiate the workflow used to onboard Azure applications

  3. Approve the onboarding request

  4. Verify the application in Azure after approval occurs.

Prerequisites

To add an enterprise application to Azure, you need:

  • An Azure AD tenant managed by EmpowerID

  • One of the following Azure roles linked to the Service Principal EmpowerID uses to connect to Azure: Global Administrator, Cloud Application Administrator, or Application Administrator.

Configure approval flow

The workflow used for onboarding Azure applications is the Create Azure Application workflow. This workflow has its Business Request Type property set to Azure Application, which uses the CreateAzureAppFlowPolicy Approval Flow Policy. This Approval Flow Policy has configurable Approver Resolver Rules that you can use to specify who needs to approve the request before EmpowerID provisions the application.

For a deeper discussion of approval flow in EmpowerID, see the article Approval Engine: https://dotnetworkflow.jira.com/wiki/spaces/EAGV21/pages/1660715893/Approval+Engine

  1. On the navbar, expand IT Shop and select Approval Flow Policies.

  2. Select the Approval Flow Steps tab and search for Azure Application Approval.

  3. Click the Name link for the Approval Flow Step.

  4. On the View One page for the Approval Flow Step, expand the Approver Resolver Rules accordion.

  5. Click the Add [+] button.

  6. In the Approver Determination Rule dialog that appears, enter the following information:

    1. Approval Resolver Type – Select Static Approver

    2. Which Type of Assignee For This Policy – Select the appropriate EmpowerID Actor type. Actor Types include:

      • Business Role and Location

      • Group

      • Management Role

      • Management Role Definition

      • Person

    3. Select <Actor> To Receive Policy – Select the specific actor who is to be the approver. For example, if you selected Person as the Actor Type, you select the specific Person here.

    4. Click Save.

    5. Repeat the above for any other approvers you want to add.

    6. Click Submit.

Onboard an application

  1. Navigate to the Resource Admin application portal for your environment. You can also open the workflow directly by appending #w/CreateAzureApplication to the base URL of your EmpowerID portal; the full URL should look similar to https://Your-EmpowerID-Server/ui/#w/CreateAzureApplication, where Your-EmpowerID-Server is the FQDN of your EmpowerID server.

  2. Select Applications from the dropdown menu and then click the Workflows tab.

  3. Click the Onboard Azure Application card.

    The Create Azure Application wizard opens to assist you with onboarding an Azure application. Applications that you can integrate

  4. Enter the following information in the wizard:

    • Select Type of Integration – Select the type of application you want to integrate with Azure. Available types include Non-gallery Enterprise Applications (SAML), Gallery Enterprise Applications (SAML), and OIDC applications. In this example, OIDC application registration is selected.

    • Application Environment – Select the appropriate environment for the application. It is recommended that you select a non-production environment for initial testing.

    • Tenant – Select the Azure tenant where you want to create the application.

    • Select a Location – Select a location for the application in EmpowerID. Default Organization is selected by default; if you wish to change this, click the Default Organization link and then search for and choose the desired location from the Location tree.

  5. Click Next.


  6. Enter the following information on the next screen of the wizard:

    • Azure Application Name – Name of the application

    • Application Description – Description of the application

    • Enabled for users to sign-in? – Select this option to allow users to sign in to the application, either from My Apps, from the user access URL, or by navigating to the application URL directly. If this option is not selected, users will not be able to sign in to the app, even if they are assigned to it.

    • Assignment required? – Select this option to require users and other apps or services to be assigned to the application before they can access it. If this option is not selected, all users will be able to sign in, and other apps and services will be able to obtain an access token for this service.

  7. Click Next.

    Image Added

  8. Select an Application Owner and one or more Deputies and then click Next.


  9. Review the information and click Next.

    You should see that a Business Request for the application was successfully created.

  10. Click Submit to exit the wizard.

Approve the onboarding request

  1. Navigate to the My Tasks application as an approver for the Business Request.

  2. In My Tasks, select the To Do view and then search for the Business Request.

  3. Click the Pending button for the request.

  4. Click Run Workflow.

  5. Review the information and click Approve or Reject as needed.


    You should see the task is completed.


  6. Refresh the To Do view of My Tasks and then search for the Business Request.

  7. Click the Pending Item button for the request to navigate to the Overview page for it.
    You should see two pending items: One to assign the Azure application owner and the other to assign Azure application deputies.

  8. To approve or reject both items at once, click the Global Decision drop-down (the first drop-down) and select the desired decision.

  9. Enter any comments and then click Submit.

Verify the application in Azure

  1. Log in to your Azure portal and navigate to Azure AD > App Registrations.

  2. Select All Applications and then search for the application you just created.

    You should see the application.

  3. Click the Name link for the application to navigate to the Overview blade for the app.

  4. Under Manage, click Owners.

    You should see the Application owner and any deputies you specified for the application.
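The portal check above can also be scripted so that the provisioned application is compared against what the approved request asked for. The following is an added example, not part of the EmpowerID documentation or product: it assumes the Microsoft Graph PowerShell SDK is installed and that the caller holds a role permitted to read applications in the tenant, and 'ExampleOnboardedApp' is a placeholder for the name you entered in the wizard. It confirms that exactly one app registration with that name exists, that owners were set, and that the service principal's "assignment required" and "sign-in enabled" settings match the values chosen during onboarding.

```powershell
# Added example (not from the EmpowerID documentation): verify from the
# command line that the application provisioned after approval matches the
# onboarding request. Assumes the Microsoft.Graph PowerShell SDK is installed.
# 'ExampleOnboardedApp' is a placeholder for the name entered in the wizard.

function Test-OnboardedAzureApp {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        # Mirror the two wizard options so the check flags drift from the request.
        [bool] $ExpectAssignmentRequired = $true,
        [bool] $ExpectSignInEnabled = $true
    )

    # A read-only scope is sufficient; no write permission is requested.
    Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

    $apps = @(Get-MgApplication -Filter "displayName eq '$DisplayName'")
    if ($apps.Count -ne 1) {
        throw "Expected exactly one app registration named '$DisplayName', found $($apps.Count)."
    }
    $app = $apps[0]

    # Owners are what the portal shows under Manage > Owners. EmpowerID should
    # have set the Application Owner and Deputies chosen during onboarding.
    $owners = @(Get-MgApplicationOwner -ApplicationId $app.Id)
    $ownerNames = @($owners | ForEach-Object {
        if ($_.AdditionalProperties['userPrincipalName']) {
            $_.AdditionalProperties['userPrincipalName']
        } else {
            $_.Id
        }
    })

    # 'Assignment required?' and 'Enabled for users to sign-in?' are stored on
    # the service principal (enterprise application), not on the registration.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

    $findings = @()
    if ($owners.Count -eq 0) {
        $findings += 'No owners are set on the app registration.'
    }
    if ($null -eq $sp) {
        $findings += 'No service principal (enterprise application) exists for this app in the tenant.'
        $assignmentRequired = $null
        $signInEnabled = $null
    } else {
        $assignmentRequired = [bool] $sp.AppRoleAssignmentRequired
        $signInEnabled = [bool] $sp.AccountEnabled
        if ($assignmentRequired -ne $ExpectAssignmentRequired) {
            $findings += "AppRoleAssignmentRequired is $assignmentRequired; the request asked for $ExpectAssignmentRequired."
        }
        if ($signInEnabled -ne $ExpectSignInEnabled) {
            $findings += "AccountEnabled is $signInEnabled; the request asked for $ExpectSignInEnabled."
        }
    }

    [pscustomobject]@{
        DisplayName        = $app.DisplayName
        AppId              = $app.AppId
        Owners             = $ownerNames
        AssignmentRequired = $assignmentRequired
        SignInEnabled      = $signInEnabled
        MatchesRequest     = ($findings.Count -eq 0)
        Findings           = $findings
    }
}

# Usage: replace the placeholder with the name entered in the wizard.
Test-OnboardedAzureApp -DisplayName 'ExampleOnboardedApp' | Format-List
```

If MatchesRequest is false, the Findings list names the property that differs. A missing service principal, or an application that unexpectedly has AppRoleAssignmentRequired set to false, is worth raising with whoever approved the Business Request, since either means the tenant state no longer reflects what was approved.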
