You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Skip to end of banner
Go to start of banner

Onboard Azure Applications - Approval Required

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID. This includes onboarding applications, assigning users to application roles, editing applications, and deleting applications. For onboarding applications, EmpowerID provides two options that can you can use depending on your organization’s policies:

  1. You can require any onboarding of Azure applications to go through an approval process before those applications are created in Azure

  2. You can allow applications to be onboarded without requiring any approvals.

In this article, you create a test application for your Azure AD tenant that requires the onboarding request to be approved before EmpowerID provisions it. To complete this, you will:

  1. Configure approval flow for any onboarding application requests

  2. Initiate the workflow used to onboard Azure applications

  3. Approve the onboarding request

  4. Verify the application in Azure after approval occurs.

Configure approval flow

The workflow used for onboarding Azure applications is the Create Azure Application workflow. This workflow has its Business Request Type property set to Azure Application, which uses the CreateAzureAppFlowPolicy Approval Flow Policy. This Approval Flow Policy has configurable Approver Resolver Rules that you can use to specify who needs to approve the request before EmpowerID provisions the application.

  1. On the navbar, expand IT Shop and select Approval Flow Policies.

  2. Select the Approval Flow Steps tab and search for Azure Application Approval.

  3. Click the Name link for the Approval Flow Step.

  4. On the View One page for the Approval Flow Step, expand the Approver Resolver Rules accordion.

  5. Click the Add [+] button.

  6. In the Approver Determination Rule dialog that appears, enter the following information:

    1. Approval Resolver Type – Select Static Approver

    2. Which Type of Assignee For This Policy – Select the appropriate EmpowerID Actor type. Actor Types include:

      • Business Role and Location

      • Group

      • Management Role

      • Management Role Definition

      • Person

    3. Select <Actor> To Receive Policy – Select the specific actor who is to be the approver. For example, if you selected Person as the Actor Type, you select the specific Person here.

    4. Click Save.

    5. Repeat the above for any other approvers you want to add.

    6. Click Submit.

Onboard an application

  1. From the address of your browser, append the base URL for your EmpowerID portal with #w/CreateAzureApplication. The full URL should look similar to https://Your-EmpowerID-Server/ui/#w/CreateAzureApplication, where Your-EmpowerID-Server is the FQDN of your EmpowerID server.

  2. The Create Azure Application wizard opens to assist you with onboarding an Azure application. Applications that you can integrate include Non-gallery Enterprise Applications (SAML), Gallery Enterprise Applications (SAML), and OIDC applications. In this example, OIDC application registration is being selected.

  3. Select the Application Environment. It is recommended that you select an non-production environment for initial testing.

  4. Select a tenant for the application.

  5. Select a Location in EmpowerID. Default Organization is selected by default; if you wish to change this, click the link and then search for and select the desired location from the Location tree.

  6. Click Next.

  7. Give the application and Name and Description and then click Next.

  8. Select an Application Owner and one or more Deputies and then click Next.

  9. Review the information and click Next.

    You should see that a Business Request for the application was successfully created.

  10. Click Submit to exit the wizard.

Approve the onboarding request

  1. Navigate to the My Tasks application as an approver for the Business Request.

  2. In My Tasks, select the To Do view and then search for the Business Request.

  3. Click the Pending button for the request.

  4. Click Run Workflow.

  5. Review the information and click Approve or Reject as needed.


    You should see the task is completed.

  6. Refresh the To Do view of My Tasks and then search for the Business Request.

  7. Click the Pending Item button for the request to navigate to the Overview page for it.
    You should see two pending items: One to assign the Azure application owner and the other to assign Azure application deputies.

  8. To approve or reject both items at once, click the Global Decision drop-down (the first drop-down) and select the desired decision.

  9. Enter any comments and then click Submit.

Verify the application in Azure

  1. Log in to your Azure portal and navigate to Azure AD > App Registrations.

  2. Select All Applications and then search for the application you just created.

    You should see the application.

  3. Click the Name link for the application to navigate to the Overview blade for the app.

  4. Under Manage, click Owners.

    You should the Application owner and any deputies you specified for the application.

  • No labels