Versions Compared

Old Version 1

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version 2

changes.mady.by.user Phillip Hanegan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

If you have deployed the EmpowerID Azure AD SCIM microservice to Azure and your organization integrates applications with Azure AD, you can manage those applications in EmpowerID to include:

  • Creating and deleting applications

  • Assigning owners and deputies to applications

  • Creating application certificates and secrets

  • Creating application roles and scopes

  • Assigning users to application roles

  • Assign eligibility to applications to specify who can and cannot request access

  • Etc.

The workflow used to create Azure applications is the CreateAzureApplication workflow. This workflow has a number of parameters that you can configure to alter the fields that appear when onboarding Azure applications, as well as settings that determine whether human approval is required before EmpowerID fulfills the request and provisions the application in Azure. This article walks through the process for creating an Azure application and demonstrates the following:

  • Configuring the parameters of the CreateAzureApplication

  • Configuring the roles and ownership EmpowerID assigns to application owners and deputies

  • Specifying the approval process (human or automatic)

  • Running the workflow

  • Verifying the results

Easy html macro
theme{"label":"solarized_dark","value":"solarized_dark"}
contentByMode{"html":"<!doctype html>\r\n<link href=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC\" crossorigin=\"anonymous\">\r\n<link href=\"https://docs.empowerid.com/new_docs.css\" rel=\"stylesheet\">\r\n<script src=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js\" integrity=\"sha384-MrcW6ZMFYlzcLA8Nl+NtUVF0sA7MsXsP1UyJoMp4YLEuNSfAP+JcXn/tWtIaxVXM\" crossorigin=\"anonymous\"></script>\r\n <div class = \"bd-callout bd-callout-info\">\r\n <h4>Prerequisites</h4>\r\n <p>To add an enterprise application to Azure, you need:</p>\r\n <ul>\r\n <li>An Azure AD tenant managed by EmpowerID</li>\r\n <li>One of the following Azure roles linked to the Service Principal EmpowerID uses to connect to Azure: Global Administrator, Cloud Application Administrator, or Application Administrator.</li>\r\n </ul>\r\n <p class = \"bd-callout bd-callout-success\">To run the <b>CreateAzureApplication</b> workflow,\r\n users must have the <b>UI-Res-Admin-MS-Application</b> Management Role.</p>\r\n </div>","javascript":"","css":""}
Step 1: Configure workflow parameters
The workflow for onboarding Azure applications is CreateAzureApplication. The workflow has several parameters that affect field values. These parameters are listed in the below table. In this example, you set the DefaultAzureTenantID parameter to the Azure tenant where applications are to be created.
 Excerpt
nameCreateAzureAppWParameters
Parameter
Description
App_Auth_AssignmentRequired_IsVisible
Boolean value to determine whether the Assignment Required? checkbox is visible. If false, the DefaultAssignmentRequired value should be set.
AppAuth_EnableUserSignIn_IsVisible
Boolean value to determine whether the Enabled for users to sign-in? checkbox is visible. If false, DefaultEnableUserSignIn value should be set.
AppAuth_SupportedAccountType_IsVisible
Set to true/false to show or hide the "Supported Account Types" section in the Application Instance step. If false, the DefaultSupportedAccountType value should be set.
AppExt_CAP_IsVisible
Boolean value to determine whether the Conditional Access Policy drop down is visible. AppExt_ExtensionTab_IsVisible should be true for this setting to take effect.
AppExt_ExtensionTab_IsVisible
Boolean to determine whether the Application Extension tab of the workflow is visible to users.
AppExt_ExtensionAttribute1_IsVisible
Boolean to determine whether the Application Extension Attribute 1 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible. 
AppExt_ExtensionAttribute2_IsVisible
Boolean to determine whether the Application Extension Attribute 2 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.
AppExt_ExtensionAttribute3_IsVisible
Boolean to determine whether the Application Extension Attribute 3 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.
AppExt_ExtensionAttribute4_IsVisible
Boolean to determine whether the Application Extension Attribute 4 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.
AppExt_ExtensionAttribute7_IsVisible
Boolean to determine whether the Application Extension Attribute 7 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.
AppExt_ExtensionAttribute8_IsVisible
Boolean to determine whether the Application Extension Attribute 8 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.
AppExt_ExtensionAttribute7_IsVisible
Boolean to determine whether the Application Extension Attribute 9 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.
AppIAM_Eligibility_IsVisible
Set to true/false to show or hide the "IAM Shop Settings" step for configuring eligibility while onboarding an Azure application
ApplicationLineListDataItemSetName
This specifies the AzureAppApplicationLine list data set of the various application lines that appear to users when selecting the environment for the application. 
Default list items include those shown below:
ApplicationType_Location_IsVisible
Boolean value that specifies whether the Select a location section of the workflow wizard form is visible to users. Set to true by default.
ApplicationType_Location_SelectaLocation_IsVisible
If ApplicationType_Location_IsVisible is true, this Boolean value determines if the Select a Location tree is visible. Set to true by default.
ApplicationType_Location_Tenant_IsVisible
If ApplicationType_Location_IsVisible is true, this Boolean value determines if the Select a tenant drop-down is visible. Set to true by default.
DefaultAzureRBACManagerAppName
Specifies the default Azure RBAC Manager application used by EmpowerID to manage Azure RBAC resources. Set to EIDAzureRBACManager by default.
DefaultAssignmentRequired
Boolean value on the Azure service principal that determines if users and apps or services must first be assigned the application before accessing it. Set to true by default.
DefaultAzureAppRoleGroupTypeID
INTERNAL: GroupTypeID of the app role groups that get created after the creation of the Azure application
DefaultAzureRBACManagerAppName
INTERNAL: Name of the protected application resource to get the access level settings for owners and deputies of the Azure application
DefaultAzureTenantID
This is the GUID default value of the Azure tenant. If the value is present, the Select a Tenant drop-down will be auto filled with the specified tenant.Tenant to be selected in the “Select a tenant” dropdown in the Application Instance step. The value must be set to the GUID of the Azure tenant
You can find the Tenant ID for your Azure tenant by navigating to 
 Azure RBAC Manager > Resources and selecting the Tenants tab.
DefaultEmailMessageID
DefaultCreateAzureAppRoleGroup
Set to true to create App Role Groups after the creation of the Azure application. Based on the type of the application, this action might be a background task. Valid values are true or false
DefaultEmailMessageName
Name of the email template to use for notifying users on successful creation of the Azure application
DefaultEnabledUsersSignIn
Boolean value on the Azure Service Principal that determines if assigned users will be able to sign in to this application, either from My Apps, the User access URL, or by navigating to the application URL directly.
DefaultOrgZoneID
Optional setting that specifies the Org Zone ID of the EmpowerID location that should be populated in the Select a Location tree drop-down. 
DefaultRequestableInIAM
Default value of the "Requestable in IAM Shop" checkbox in the IAM Shop Settings step. Valid values are true or false
DefaultSupportedAccountType
Default value that specifies the Microsoft accounts that are supported for the application. 
ExtensionAttribute1ListDataItemSetName
Boolean to determine whether the Application Extension Attribute 1 radio button option is visible.
ExtensionAttribute2ListDataItemSetName
This points to the AzureAppExtensionAttribute2Choice list data set for displaying custom radio button options. The selected value is stored in the ExtensionAttribute2 attribute of the Protected Application in EmpowerID.
ExtensionAttribute3ListDataItemSetName
This points to the AzureAppExtensionAttribute3Choice list data set for displaying custom radio button options. The selected value is stored in the ExtensionAttribute3 attribute of the Protected Application in EmpowerID.
ExtensionAttribute4ListDataItemSetName
This points to the AzureAppExtensionAttribute4Choice list data set for displaying custom radio button options. The selected value is stored in the ExtensionAttribute4 attribute of the Protected Application in EmpowerID.
IntegrationTypeListDataItemSetName
This points to the AzureAppTypeOfIntegration list data set of the various Application Integration Types. By default, the list contains OIDC, SAML Gallery & SAML Non-Gallery options.
ListDataItemSetTypeName
Internal field for displaying list data items. Do not change the value.
NonGalleryTemplateID
Specifies the default template for creating non-gallery applications. Do not change the value.
ManagementRoleIDsToNotify
Specifies the ID of the Management Role whose members are to be notified each time an Azure application is created.
SupportedAccTypesOIDCListName
This points to the AzureAppSupportedAccountTypes list data set for displaying supported account type radio button options. 
Default list items include those shown below:
Image Removed
SupportedAccountTypesTemplateListName
of the "Support Account Type" field in the Application Instance step. Valid values are AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, and PersonalMicrosoftAccount.
ExtensionAttribute1ListDataItemSetName
INTERNAL: List data item set name containing the list of possible values for Extension Attribute 1
ExtensionAttribute2ListDataItemSetName
INTERNAL: List data item set name containing the list of possible values for Extension Attribute 2
ExtensionAttribute3ListDataItemSetName
INTERNAL: List data item set name containing the list of possible values for Extension Attribute 3
ExtensionAttribute4ListDataItemSetName
INTERNAL: List data item set name containing the list of possible values for Extension Attribute 4
IntegrationTypeListDataItemSetName
INTERNAL: List data item set name containing the list of possible values for application integration type
ListDataItemSetTypeName
INTERNAL: Base list data item set type name
NonGalleryTemplateID
INTERNAL: Azure Template ID for Non-gallery Azure application
ManagementRoleIDsToNotify
Comma separated list of Management Role IDs to be notified via email upon creation of the Azure application
SupportedAccountTypesOIDCListName
INTERNAL: List data item set name containing the list of SignInAudience values for OIDC application
SupportedAccountTypesTemplateListName
INTERNAL: List data item set name containing the list of SignInAudience values for Gallery & Non-Gallery applications

To configure workflow parameters, do the following:
  1. On the navbar, expand Object Administration and select Workflows.
  2. Select the Workflow tab and search for Create Azure Application.
  3. Click the Display Name for the workflow.
    Image Modified
     
  4. On the View One page for the workflow, expand the Request Workflow Parameters accordion and search for the DefaultAzureTenantID parameter. 
    Image Modified
     
  5. Click the edit button for the parameter, enter the appropriate Azure Tenant ID in the Value field and click Save.
    Image Modified
     
  6. Configure any other settings as needed.
Step 2: Configure approval
The CreateAzureApplication workflow can be configured to allow the EmpowerID system to automatically provision an application in Azure when submitted by an authorized user or to require approval by one or more people before EmpowerID fulfills the request. The setting that determines whether approval is needed is enables EmpowerID to either automatically provision Azure applications or require approval. This is determined by the Do not generate a business request (no approval) setting. If enabled on the workflow, EmpowerID provisions the application without requiring approval; if deselected, EmpowerID generates is provisioned instantly. If not, a business request to create application an Azure application and routes the request for the application creation is generated and sent for approval. Once approvedUpon approval, EmpowerID fulfills the request and provisions the application in Azure.
To configure whether approval is needed or not, do the following:
  1. Navigate to the View One page for the workflow (as shown in Step 1 above) and click the Edit (blue star) link to put the workflow in Edit mode.
    Image Modified
  2. On the Edit One page, toggle Do not generate a business request (no approval) as needed and save your changes. 
    Image Modified
Step 3: Configure owner and deputy roles
Owner The Application Configuration settings of Azure RBAC Manager determine owner and deputy settings for Azure applications created in EmpowerID are determined by the Application Configuration settings of Azure RBAC Manager. These settings are listed in the below table.
Owner Settings
Description
AzureAppSingleOwnerCustomRole
AzLocalRole Name. This value determines the Custom Role assignment for the application owner in Azure. If value is empty, the user will be added as an Owner of the app registration in Azure. This user can view and edit the application registration.
AzureAppSingleOwnerAccessLevelID
Specifies the ID of the Access Level (ResourceTypeRole) that application owners should be granted. The default value is the Access Manager Access Level for the Azure application. The owner can assign or unassign any Access Levels for the resource directly by EmpowerID Location.
ProtectedAppSingleOwnerAccessLevelID
Specifies the ID of the Access Level (ResourceTypeRole) that protected application owners should be granted. The default value is the Access Manager for the protected application resource. The Access Manager is the owner of the resource and can manage/approve permissions assignments.
Deputy Settings
Description
AzureAppCustomRole1Name
This specifies the AzLocalRole name. This value determines the Custom Role assignment for ALL the deputies in Azure. If the value is empty, the deputies will be added as Owner(s) of the app registration in Azure. These user(s) can view and edit the application registration.
ProtectedAppMultiOwnerAccessLevelID
Specifies the ID of the Access Level (ResourceTypeRole) that deputies should be granted for the protected application resource in EmpowerID. Defaults to the ACT-Application-Object-Administration Access Level for the protected application resource. Deputies can perform create, update and delete operations on the protected application.
AzureAppMultiOwnerAccessLevelID
Specifies the ID of the Access Level (ResourceTypeRole) that deputies should be granted for the Azure application. Defaults to the ACT-Azure-Application-Administration Access Level for the Azure Application. Deputies can perform create, update and delete operations on the Azure application.
To configure custom owner and deputy role settings, do the following:
  1. On the navbar, expand Apps and Authentication and select Applications.
  2. From the Applications tab, search for RBAC and 
 then 
  1.  click the Display Name link for Azure RBAC Manager.
    Image Modified

    This directs you to the View One page for the application. From this page, you can manage the application as needed.
    Image Modified
  2. On the View One page, select the App Resources tab and then expand the Application Configuration Settings accordion.
  3. Click the Edit (blue star) button for any setting you need to configure with a custom value.
    Image Modified
  4. Save your changes.
Step 4: Run the workflow
  1. Navigate to the portal for the Resource Admin app in your environment.
  2. In Resource Admin, select Applications and then select the Workflows tab.

Image Removed
  2. Click Onboard Azure Application. 
Image Removed
  1. Image Added

    This opens the Create Azure Application wizard workflow. Follow the wizard and fill in the fields of each section of the workflow with the appropriate information for your application.
Image Removed
  1. Image Added


     Insert excerpt
    IL:Azure App
    IL:Azure App
    nameCreateAzureAppWF-Screen1
    nopaneltrue
  2. Review the summary information for the application and then click Submit.

    If you configured the workflow to require approval, you should see that a business request for the Azure application was successfully created. 
 The 
  1. Each designated approver must approve the business request 
 must be approved by each designated approver 
  1.  before EmpowerID fulfills the request and creates the application.
    Image Modified
  2. Click Submit to exit the wizard.
     Insert excerpt
    IL:External Stylesheet
    IL:External Stylesheet
    nopaneltrue
Step 5: If configured: Approve the Business Request 
If the workflow was configured to require approval, do the following to approve the business request; otherwise, move to Step 6 below and verify the application in Azure.
  1. Navigate to the portal for the My Tasks application and log in as a user who can approve the request.
  2. In My Tasks, select To Do and locate the Business Request for creating the application
 and click 
  1. .
  2. Click the Pending button.
Image Removed
  1. Image Added
  2. Click Run Workflow.
Image Removed
  1. Image Added
  2. Review the information in the Running Approval Workflow dialog and click Approve.
Image Removed
  1. Image Added

    You should see the request is completed and pending fulfillment, which occurs when the system creates the application in Azure. 
Image Removed
  1. Image Added
Step 6: Verify the application in Azure
After the request to create an Azure application has been approved and EmpowerID has fulfilled the request, you should be able to confirm the application has been created in Azure with the owner and deputies specified when the application was created. 
  1. Log in to your Azure portal and navigate to Azure AD > Enterprise applications.
  2. Select All Applications as the Application type and then search for the application you just created.
    You should see the application.
  3. Click the Name link for the application to navigate to the Overview blade for the app.
  4. Under Manage, click Owners.
    You should 
 seethe 
  1. see the Application owner and any deputies you specified for the application when you created it in EmpowerID.
 Div
stylefloat:left; position:fixed;
idarticleNav
IN THIS ARTICLE
 Table of Contents
maxLevel4
minLevel2
stylenone
printablefalse