You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Onboard Azure Applications - No Approvals


If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID. This includes onboarding applications, assigning users to application roles, editing applications, and deleting applications. For onboarding applications, EmpowerID provides two options that you can use depending on your organization’s policies:

  1. You can require any onboarding of Azure applications to go through an approval process before those applications are created in Azure.

  2. You can allow applications to be onboarded without requiring any approvals.

The workflow used to create an Azure Application without requiring approvals is the CreateAzureApplication workflow.

In this article, you create a test application for your Azure AD tenant without requiring approvals and verify that application in Azure.

Onboard an application without approvals

  1. Navigate to the portal for the Resource Admin app in your environment.

  2. In Resource Admin, select Applications and then select the Workflows tab.

  3. Click Onboard Azure Application.


    This opens the Create Azure Application wizard workflow. Fill in the appropriate information in the wizard to create the application.


    • Which Type of Azure Application Do You Wish to Onboard? – Select the type of application you wish to integrate with Azure. Types include:

      • Non-gallery Enterprise Applications (SAML)

      • Gallery Enterprise Applications (SAML)

      • Application Registration (OIDC)

    • In Which Environment Will It Be Deployed? – Select the appropriate environment for the application. Depending on the value of the AzureAppApplicationLine list data set, the choices displayed may differ from those below. The option selected has no effect on where the application is created; it is metadata that EmpowerID stores in an extension attribute on the application.

    • Select a Tenant – Search for and select the Azure tenant in which the application is to be created.

    • Select a Location – Select a location in EmpowerID for the application. This location is for RBAC delegation only.
      If there is a location selected by default and you wish to change it, click the link for the location and then search for and select the desired location from the Location tree.

    • Azure Application Name – Enter a name for the application.

    • Azure Description – Enter a description for the application.

    Select the scope that determines which accounts can sign in to the application. Default options include the following:

    • Personal Microsoft accounts only

    • Accounts in this organizational directory only (Single tenant)

    • Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)

    • Accounts in any organizational directory (Any Azure AD directory - Multitenant)

    • Application Owner – Search for and select the application owner. This field only returns people with an account in the Azure tenant.

    • Select Deputies – Search for and select one or more application deputies. This field only returns people with an account in the Azure tenant.

    • Select A Platform – Select a platform the application is targeting. Options include:

      • Web – Build, host, and deploy web server applications

      • Single-page application – Configure browser client applications and progressive web applications

      • Mobile and desktop applications – iOS/macOS, Android applications

    • Front-Channel Logout URL – Enter the URL as needed.

    • Issue Access token (used for implicit flows) – Select as needed

    • Issue ID tokens (used for implicit and hybrid flows) – Select as needed

    • Allow Public Client Flows – Specifies whether the application is a public client. Appropriate for apps using token grant flows that don’t use a redirect URI.

    • User Access Settings

      • Enabled for users to sign-in? – Enabled by default

      • Assignment required? – Enabled by default

    • Set Requestable Setting – Specifies whether the application is requestable in the IAM Shop. When selected, the settings below apply.

    • Select Access Request Policy – Select the Access Request policy that specifies how requests for the application are processed.

    • Select Assignees – Search for and select users who are eligible for the application. Users must have one of the eligibility assignments below to view the application in the IAM Shop.

      • Eligible Assignees – Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), and then search for and select the specific assignees eligible for the application.

      • Preapproved Assignees – Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), and then search for and select the specific assignees pre-approved for the application.

      • Suggested Assignees – Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), and then search for and select the specific assignees suggested for the application.

  4. Click Next to advance to the next step.

  5. Give the application a Name and Description.

  6. Under Advanced Settings:

    • Select Enabled for users to sign-in? as needed

    • Select Assignment required? as needed

  7. Click Next to advance to the next step.

  8. Select an Application Owner and one or more Deputies and then click Next to advance to the next step.

  9. Review the summary information for the application and then click Submit.

    You should see that the application was successfully created in Azure.

  10. Click Submit to exit the wizard.

Verify the application in Azure

  1. Log in to your Azure portal and navigate to Azure AD > Enterprise applications.

  2. Select All Applications as the Application type and then search for the application you just created.

    You should see the application.

  3. Click the Name link for the application to navigate to the Overview blade for the app.

  4. Under Manage, click Owners.

    You should see the application owner and any deputies you specified for the application when you created it in EmpowerID.
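The portal check above confirms owners, but the wizard's other choices (supported account types, Allow Public Client Flows, implicit-flow token issuance, Assignment required?) also land on the Azure AD objects and are worth reviewing in the same pass. The script below is an added example, not EmpowerID's or Microsoft's code: it audits those settings on the application registration and its service principal as Microsoft Graph returns them. The three JSON samples are constructed for this example; the property names (signInAudience, isFallbackPublicClient, web.implicitGrantSettings, appRoleAssignmentRequired, userPrincipalName) are Graph's own. For a real application you would feed it the output of az ad app show, az ad sp show and az ad app owner list instead of the samples.

```python
"""Audit an Azure AD application created by the Onboard Azure Application
wizard, checking the security-relevant settings the wizard exposes.

The JSON samples are constructed for this example; they mimic the shape of
Graph's /applications/{id}, /servicePrincipals/{id} and
/applications/{id}/owners responses.
"""
import copy
import json

# Constructed sample application registration (Graph "application" resource).
SAMPLE_APPLICATION = json.loads("""
{
  "displayName": "Contoso Test App",
  "appId": "11111111-2222-3333-4444-555555555555",
  "signInAudience": "AzureADMyOrg",
  "isFallbackPublicClient": false,
  "web": {
    "redirectUris": ["https://app.contoso.example/signin-oidc"],
    "logoutUrl": "https://app.contoso.example/signout",
    "implicitGrantSettings": {
      "enableAccessTokenIssuance": false,
      "enableIdTokenIssuance": false
    }
  },
  "spa": {"redirectUris": []},
  "publicClient": {"redirectUris": []}
}
""")

# Constructed sample service principal (the "Enterprise application" object).
SAMPLE_SERVICE_PRINCIPAL = json.loads("""
{"displayName": "Contoso Test App", "accountEnabled": true,
 "appRoleAssignmentRequired": true}
""")

# Constructed sample owners: the owner plus one deputy chosen in the wizard.
SAMPLE_OWNERS = [
    {"userPrincipalName": "app.owner@contoso.example"},
    {"userPrincipalName": "deputy.one@contoso.example"},
]

# signInAudience values that admit accounts from outside the home tenant.
EXTERNAL_AUDIENCES = {
    "AzureADMultipleOrgs",
    "AzureADandPersonalMicrosoftAccount",
    "PersonalMicrosoftAccount",
}


def _all_redirect_uris(app):
    """Collect redirect URIs across the web, SPA and public-client platforms."""
    uris = []
    for platform in ("web", "spa", "publicClient"):
        uris.extend((app.get(platform) or {}).get("redirectUris") or [])
    return uris


def audit_application(app, sp, owners, expected_owners):
    """Return (severity, message) findings for one onboarded application.

    app, sp: dicts shaped like Graph's application / servicePrincipal objects.
    owners: list of owner dicts carrying userPrincipalName.
    expected_owners: UPNs the wizard was told to set as owner and deputies.
    """
    findings = []

    audience = app.get("signInAudience")
    if audience in EXTERNAL_AUDIENCES:
        findings.append(("high", f"signInAudience is {audience}: "
                                 "accounts outside this tenant can sign in"))

    if app.get("isFallbackPublicClient"):
        findings.append(("medium", "Allow Public Client Flows is on: token "
                                   "flows without a redirect URI are permitted"))

    implicit = (app.get("web") or {}).get("implicitGrantSettings") or {}
    if implicit.get("enableAccessTokenIssuance"):
        findings.append(("high", "implicit-flow access tokens are issued; "
                                 "prefer authorization code with PKCE"))
    if implicit.get("enableIdTokenIssuance"):
        findings.append(("low", "ID tokens are issued via implicit/hybrid flow"))

    # Redirect URIs must be HTTPS; http://localhost is the usual dev exception.
    for uri in _all_redirect_uris(app):
        if not (uri.startswith("https://") or uri.startswith("http://localhost")):
            findings.append(("high", f"non-HTTPS redirect URI: {uri}"))

    if not sp.get("appRoleAssignmentRequired"):
        findings.append(("medium", "Assignment required? is off: any user in "
                                   "the tenant can sign in to the application"))

    actual = {o.get("userPrincipalName", "").lower() for o in owners}
    for upn in expected_owners:
        if upn.lower() not in actual:
            findings.append(("medium", f"expected owner/deputy missing: {upn}"))

    return findings


def weakened_sample():
    """Copy of the sample with the wizard's permissive choices selected."""
    app = copy.deepcopy(SAMPLE_APPLICATION)
    app["signInAudience"] = "AzureADMultipleOrgs"
    app["isFallbackPublicClient"] = True
    app["web"]["implicitGrantSettings"]["enableAccessTokenIssuance"] = True
    app["spa"]["redirectUris"] = ["http://app.contoso.example/callback"]
    sp = copy.deepcopy(SAMPLE_SERVICE_PRINCIPAL)
    sp["appRoleAssignmentRequired"] = False
    return app, sp


if __name__ == "__main__":
    expected = ["app.owner@contoso.example", "deputy.one@contoso.example"]
    print("hardened sample:", audit_application(
        SAMPLE_APPLICATION, SAMPLE_SERVICE_PRINCIPAL, SAMPLE_OWNERS, expected))
    weak_app, weak_sp = weakened_sample()
    for severity, message in audit_application(
            weak_app, weak_sp, SAMPLE_OWNERS[:1], expected):
        print(f"[{severity}] {message}")
```

The hardened sample (single tenant, no public client, no implicit tokens, assignment required, both owners present) produces no findings; the weakened copy reproduces the permissive wizard choices and reports each one, including the deputy that never made it to Azure.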
