If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID. This includes onboarding applications, assigning users to application roles, editing applications, and deleting applications. For onboarding applications, EmpowerID provides two options that you can use depending on your organization's policies:
You can require any onboarding of Azure applications to go through an approval process before those applications are created in Azure
You can allow applications to be onboarded without requiring any approvals.
In this article, you create a test application for your Azure AD tenant that requires the onboarding request to be approved before EmpowerID provisions it. To complete this, you will:
Configure approval flow for any onboarding application requests
Initiate the workflow used to onboard Azure applications
Approve the onboarding request
Verify the application in Azure after approval occurs.
Configure approval flow
The workflow used for onboarding Azure applications is the Create Azure Application workflow. This workflow has its Business Request Type property set to Azure Application, which uses the CreateAzureAppFlowPolicy Approval Flow Policy. This Approval Flow Policy has configurable Approver Resolver Rules that you can use to specify who needs to approve the request before EmpowerID provisions the application.
On the navbar, expand IT Shop and select Approval Flow Policies.
Select the Approval Flow Steps tab and search for Azure Application Approval.
Click the Name link for the Approval Flow Step.
On the View One page for the Approval Flow Step, expand the Approver Resolver Rules accordion.
Click the Add [+] button.
In the Approver Determination Rule dialog that appears, enter the following information:
Approval Resolver Type – Select Static Approver
Which Type of Assignee For This Policy – Select the appropriate EmpowerID Actor type. Actor Types include:
Business Role and Location
Group
Management Role
Management Role Definition
Person
Select <Actor> To Receive Policy – Select the specific actor who is to be the approver. For example, if you selected Person as the Actor Type, you select the specific Person here.
Click Save.
Repeat the above for any other approvers you want to add.
Click Submit.
Onboard an application
Navigate to the Resource Admin application portal for your environment. Select Applications from the dropdown menu and then click the Workflows tab. Alternatively, you can open the workflow directly by appending #w/CreateAzureApplication to the base URL of your EmpowerID portal. The full URL should look similar to https://Your-EmpowerID-Server/ui/#w/CreateAzureApplication, where Your-EmpowerID-Server is the FQDN of your EmpowerID server; if you use the direct URL, skip the next step.
Click the Onboard Azure Application card.
The Create Azure Application wizard opens to assist you with onboarding an Azure application. Enter the following information in the wizard:
Select Type of Integration – Select the type of application you want to integrate with Azure. Available types include Non-gallery Enterprise Applications (SAML), Gallery Enterprise Applications (SAML), and OIDC applications.
Application Environment – Select the appropriate environment for the application. It is recommended that you select a non-production environment for initial testing.
Select a Tenant – Select the Azure tenant where you want to create the application.
Select a Location – Select a location for the application in EmpowerID. Default Organization is selected by default; if you wish to change this, click the Default Organization link and then search for and choose the desired location from the Location tree.
Click Next.
Enter the following information on the next screen of the wizard:
Azure Application Name – Name of the application
Application Description – Description of the application
Enabled for users to sign-in? – Select this option to allow users to be able to sign in to the application, either from My Apps, the user access URL, or by navigating the application URL directly. If this option is not selected, users will not be able to sign in to the app, even if they are assigned to it.
Assignment required? – Select this option to require users and other apps or services be assigned to the application before being able to access it. If this option is not selected, then all users will be able to sign in, and other apps and services will be able to obtain an access token to this service.
Click Next.
Select an Application Owner and one or more Deputies and then click Next.
Review the information and click Next.
You should see that a Business Request for the application was successfully created.
Click Submit to exit the wizard.
Navigate to the My Tasks application as an approver for the Business Request.
In My Tasks, select the To Do view and then search for the Business Request.
Click the Pending button for the request.
Click Run Workflow.
Review the information and click Approve or Reject as needed.
You should see that the task is completed.
Refresh the To Do view of My Tasks and then search for the Business Request.
Click the Pending Item button for the request to navigate to the Overview page for it.
You should see two pending items: one to assign the Azure application owner and the other to assign the Azure application deputies.
To approve or reject both items at once, click the Global Decision drop-down (the first drop-down) and select the desired decision.
Enter any comments and then click Submit.
Verify the application in Azure
Log in to your Azure portal and navigate to Azure AD > App Registrations.
Select All Applications and then search for the application you just created.
You should see the application.
Click the Name link for the application to navigate to the Overview blade for the app.
Under Manage, click Owners.
You should see the Application owner and any deputies you specified for the application.
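The portal check above can be repeated from the command line, which also lets you confirm the two sign-in settings chosen in the wizard (Enabled for users to sign-in? and Assignment required?), which live on the enterprise application rather than the app registration. The following is an added PowerShell example using the Microsoft Graph PowerShell SDK; it is not part of the EmpowerID documentation or product. The application name is an assumed placeholder, and the script assumes the Microsoft.Graph module is installed and that the signed-in account can read applications in the tenant.

```powershell
# Added example (not EmpowerID code): verify an onboarded Azure application,
# its owners, and its sign-in settings with the Microsoft Graph PowerShell SDK.
# Prerequisite: Install-Module Microsoft.Graph
param(
    # Assumption: the Azure Application Name you entered in the wizard.
    [string]$AppDisplayName = 'Contoso Test App'
)

# Read-only scope is enough for verification (least privilege).
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Escape single quotes so the OData filter cannot be broken by the name.
$escapedName = $AppDisplayName -replace "'", "''"

# 1. The app registration (what the portal lists under App Registrations).
$app = @(Get-MgApplication -Filter "displayName eq '$escapedName'")
if ($app.Count -eq 0) { throw "No app registration named '$AppDisplayName' was found." }
if ($app.Count -gt 1) { throw "More than one app registration is named '$AppDisplayName'; verify by AppId instead." }
$app = $app[0]
"App registration : {0} (AppId {1}, ObjectId {2})" -f $app.DisplayName, $app.AppId, $app.Id

# 2. Owners: the Application Owner and Deputies chosen in the wizard.
$owners = Get-MgApplicationOwner -ApplicationId $app.Id -All
if (-not $owners) { Write-Warning "The app registration has no owners." }
foreach ($owner in $owners) {
    "Owner            : {0} <{1}>" -f $owner.AdditionalProperties['displayName'],
                                      $owner.AdditionalProperties['userPrincipalName']
}

# 3. The enterprise application (service principal) carries the wizard's
#    sign-in settings: 'Enabled for users to sign-in?' -> accountEnabled,
#    'Assignment required?' -> appRoleAssignmentRequired.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { throw "No service principal for AppId $($app.AppId) exists in this tenant." }
"accountEnabled            : {0}" -f $sp.AccountEnabled
"appRoleAssignmentRequired : {0}" -f $sp.AppRoleAssignmentRequired

# Flag the weak setting: without assignment required, every user in the tenant
# can sign in and any app or service can obtain a token for this application.
if (-not $sp.AppRoleAssignmentRequired) {
    Write-Warning "Assignment is NOT required for '$($sp.DisplayName)': all tenant users can sign in."
}

Disconnect-MgGraph | Out-Null
```

Run it as `.\Verify-AzureApp.ps1 -AppDisplayName 'Your App Name'`. Because display names are not unique in Azure AD, the script refuses to guess when several registrations share the name; in that case look up the AppId shown on the Overview blade and filter on `appId` instead.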