You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Onboard Azure Applications - No Approvals


If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID. This includes onboarding applications, assigning users to application roles, editing applications, and deleting applications. For onboarding applications, EmpowerID provides two options that you can use depending on your organization’s policies:

  1. You can require any onboarding of Azure applications to go through an approval process before those applications are created in Azure.

  2. You can allow applications to be onboarded without requiring any approvals.

The workflow used to create an Azure Application without requiring approvals is the CreateAzureApplication workflow. This workflow has a number of parameters that you can configure to alter the fields that appear when onboarding Azure applications. In this article, you do the following:

  • Configure the parameters of the CreateAzureApplication workflow for your environment

  • Configure the roles and ownership EmpowerID assigns to application owners and deputies during the creation of the application

  • Run the workflow to onboard an Azure application

Step 1: Configure workflow parameters

The workflow for onboarding Azure applications is CreateAzureApplication. The workflow has several parameters that affect field values. These parameters are listed in the below table. In this example, you set the DefaultAzureTenantID parameter to the Azure tenant where applications are to be created.

ApplicationLineListDataItemSetName
    Specifies the AzureAppApplicationLine list data set of the application lines that appear to users when selecting the environment for the application. Default list items include those shown below:

ApplicationType_Location_IsVisible
    Boolean value that specifies whether the Select a location section of the workflow wizard form is visible to users. Set to true by default.

ApplicationType_Location_SelectaLocation_IsVisible
    If ApplicationType_Location_IsVisible is true, this Boolean value determines whether the Select a Location tree is visible. Set to true by default.

ApplicationType_Location_Tenant_IsVisible
    If ApplicationType_Location_IsVisible is true, this Boolean value determines whether the Select a tenant drop-down is visible. Set to true by default.

DefaultAssignmentRequired
    Boolean value on the Azure service principal that determines whether users and apps or services must first be assigned the application before accessing it. Set to true by default.

DefaultAzureTenantID
    The GUID of the Azure tenant. If the value is present, the Select a Tenant drop-down is auto-filled with the specified tenant. You can find the Tenant ID for your Azure tenant by navigating to Azure RBAC Manager > Resources and selecting the Tenants tab.

DefaultEnabledUsersSignIn
    Boolean value on the Azure service principal that determines whether assigned users can sign in to this application, either from My Apps, the User access URL, or by navigating to the application URL directly.

DefaultOrgZoneID
    Optional setting that specifies the Org Zone ID of the EmpowerID location that should be populated in the Select a Location tree drop-down.

DefaultSupportedAccountType
    Default value that specifies the Microsoft accounts that are supported for the application.

ExtensionAttribute1ListDataItemSetName
    Boolean to determine whether the Application Extension Attribute 1 radio button option is visible.

ExtensionAttribute2ListDataItemSetName
    Points to the AzureAppExtensionAttribute2Choice list data set for displaying custom radio button options. The selected value is stored in the ExtensionAttribute2 attribute of the Protected Application in EmpowerID.

ExtensionAttribute3ListDataItemSetName
    Points to the AzureAppExtensionAttribute3Choice list data set for displaying custom radio button options. The selected value is stored in the ExtensionAttribute3 attribute of the Protected Application in EmpowerID.

ExtensionAttribute4ListDataItemSetName
    Points to the AzureAppExtensionAttribute4Choice list data set for displaying custom radio button options. The selected value is stored in the ExtensionAttribute4 attribute of the Protected Application in EmpowerID.

IntegrationTypeListDataItemSetName
    Points to the AzureAppTypeOfIntegration list data set of the available Application Integration Types. By default, the list contains the OIDC, SAML Gallery and SAML Non-Gallery options.

isAssignmentRequiredVisible
    Boolean value that determines whether the Assignment Required? checkbox is visible.

isCAPVisible
    Boolean value that determines whether the Conditional Access Policy drop-down is visible.

isEnabledUsersSignInVisible
    Boolean value that determines whether the Enabled for users to sign-in? checkbox is visible.

isExtensionAttribute1Visible
    Boolean that determines whether the Application Extension Attribute 1 radio button option is visible.

isExtensionAttribute2Visible
    Boolean that determines whether the Application Extension Attribute 2 radio button option is visible.

isExtensionAttribute3Visible
    Boolean that determines whether the Application Extension Attribute 3 radio button option is visible.

isExtensionAttribute4Visible
    Boolean that determines whether the Application Extension Attribute 4 radio button option is visible.

isExtensionAttribute7Visible
    Boolean that determines whether the Application Extension Attribute 7 radio button option is visible.

ListDataItemSetTypeName
    Internal field for displaying list data items. Do not change the value.

NonGalleryTemplateID
    Specifies the default template for creating non-gallery applications. Do not change the value.

SupportedAccTypesListName
    Points to the AzureAppSupportedAccountTypes list data set for displaying the supported account type radio button options. Default list items include those shown below:



To configure workflow parameters, do the following:

  1. On the navbar, expand Object Administration and select Workflows.

  2. Select the Workflow tab and search for Create Azure Application.

  3. Click the Display Name for the workflow.

  4. On the Workflow Details page for the workflow, expand the Request Workflow Parameters accordion and search for the DefaultAzureTenantID parameter.

  5. Click the edit button for the parameter, enter the appropriate Azure Tenant ID in the Value field and click Save.

  6. Configure any other settings as needed.

Step 2: Configure owner and deputy roles

Owner and deputy settings for Azure applications created in EmpowerID are determined by the Application Configuration settings of Azure RBAC Manager. These settings are listed in the below table.

Owner Settings

AzureAppSingleOwnerCustomRole
    AzLocalRole name. This value determines the Custom Role assignment for the application owner in Azure. If the value is empty, the user is added as an Owner of the app registration in Azure and can view and edit the application registration.

AzureAppSingleOwnerAccessLevelID
    Specifies the ID of the Access Level (ResourceTypeRole) that application owners should be granted. The default value is the Access Manager Access Level for the Azure application. The owner can assign or unassign any Access Levels for the resource directly by EmpowerID Location.

ProtectedAppSingleOwnerAccessLevelID
    Specifies the ID of the Access Level (ResourceTypeRole) that protected application owners should be granted. The default value is the Access Manager for the protected application resource. The Access Manager is the owner of the resource and can manage and approve permission assignments.

Deputy Settings

AzureAppCustomRole1Name
    Specifies the AzLocalRole name. This value determines the Custom Role assignment for ALL deputies in Azure. If the value is empty, the deputies are added as Owners of the app registration in Azure and can view and edit the application registration.

ProtectedAppMultiOwnerAccessLevelID
    Specifies the ID of the Access Level (ResourceTypeRole) that deputies should be granted for the protected application resource in EmpowerID. Defaults to the ACT-Application-Object-Administration Access Level for the protected application resource. Deputies can perform create, update and delete operations on the protected application.

AzureAppMultiOwnerAccessLevelID
    Specifies the ID of the Access Level (ResourceTypeRole) that deputies should be granted for the Azure application. Defaults to the ACT-Azure-Application-Administration Access Level for the Azure application. Deputies can perform create, update and delete operations on the Azure application.

To configure owner and deputy role settings, do the following:

  1. On the navbar, expand Apps and Authentication and select Applications.

  2. From the Applications tab, search for RBAC and then click the Display Name link for Azure RBAC Manager.

    This directs you to the View One page for the application. From this page, you can manage the application as needed.

  3. On the View One page, select the App Resources tab and then expand the Application Configuration Settings accordion.

  4. Click the Edit (blue star) button for any setting you need to configure with a custom value.

  5. Save your changes.

Step 3: Run the workflow

  1. Navigate to the portal for the Resource Admin app in your environment.

  2. In Resource Admin, select Applications and then select the Workflows tab.

  3. Click Onboard Azure Application.


    This opens the Create Azure Application wizard workflow. Follow the wizard and fill in the fields of each section of the workflow with the appropriate information for your application.

    • Which Type of Azure Application Do You Wish to Onboard? – Select the type of application you wish to integrate with Azure. Types include:

      • Non-gallery Enterprise Applications (SAML)

      • Gallery Enterprise Applications (SAML)

      • Application Registration (OIDC)

    • In Which Environment Will It Be Deployed? – Select the appropriate environment for the application. Depending on the value of the AzureAppApplicationLine list data set, the choices displayed may differ from those below. The option selected has no effect on where the application is created; it is metadata that EmpowerID stores in an extension attribute on the application.

    • Select a Tenant – Search for and select the Azure tenant in which the application is to be created.

    • Select a Location – Select a location in EmpowerID for the application. This location is for RBAC delegation only. If a location is selected by default and you wish to change it, click the link for the location and then search for and select the desired location from the Location tree.

    • Azure Application Name – Enter a name for the application.

    • Azure Description – Enter a description for the application.

    • Select the scope that determines which accounts can use the application. Default options include the following:

      • Personal Microsoft accounts only

      • Accounts in this organizational directory only (Single tenant)

      • Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)

      • Accounts in any organizational directory (Any Azure AD directory - Multitenant)

    • Application Owner – Search for and select the application owner. This field only returns people with an account in the Azure tenant.

    • Select Deputies – Search for and select one or more application deputies. This field only returns people with an account in the Azure tenant.

    • Select A Platform – Select the platform the application targets. Options include:

      • Web – Build, host, and deploy web server applications

      • Single-page application – Configure browser client applications and progressive web applications

      • Mobile and desktop applications – iOS/macOS, Android applications

    • Front-Channel Logout URL – Enter a URL as needed.

    • Issue Access token (used for implicit flows) – Select as needed.

    • Issue ID tokens (used for implicit and hybrid flows) – Select as needed.

    • Allow Public Client Flows – Specifies whether the application is a public client. Appropriate for apps using token grant flows that do not use a redirect URI.

    • User Access Settings

      • Enabled for users to sign-in? – Enabled by default

      • Assignment required? – Enabled by default

    • Set Requestable Setting – Specifies whether the application is requestable in the IAM Shop. When selected, the settings below become relevant.

    • Select Access Request Policy – Select the Access Request policy that specifies how requests for the application are processed.

    • Select Assignees – Search for and select users who are eligible for the application. Users must have one of the eligibility assignments below to view the application in the IAM Shop.

      • Eligible Assignees – Choose the type (Person, Group, SetGroup, Management Role, Business Role or Location), and then search for and select the specific assignees eligible for the application.

      • Preapproved Assignees – Choose the type (Person, Group, SetGroup, Management Role, Business Role or Location), and then search for and select the specific assignees pre-approved for the application.

      • Suggested Assignees – Choose the type (Person, Group, SetGroup, Management Role, Business Role or Location), and then search for and select the specific assignees suggested for the application.

  4. Review the summary information for the application and then click Submit.

  5. Click Submit to exit the wizard.

Verify the application in Azure

  1. Log in to your Azure portal and navigate to Azure AD > Enterprise applications.

  2. Select All Applications as the Application type and then search for the application you just created.

    You should see the application.

  3. Click the Name link for the application to navigate to the Overview blade for the app.

  4. Under Manage, click Owners.

    You should see the Application owner and any deputies you specified for the application when you created it in EmpowerID.
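As an added check after the manual verification above (example code written for this article, not EmpowerID's own), the following Python compares the Microsoft Graph JSON of the app registration (fetched with owners expanded) and of its service principal against what was submitted in the wizard, covering the two User Access Settings, the account scope, the implicit-flow and public-client options, and the owner and deputies. The Graph property names are real; the sample objects, UPNs and submitted values are constructed.

```python
# Added example (not EmpowerID code): map the wizard's "supported account types" choices
# to the Microsoft Graph signInAudience values the app registration should end up with.
SIGN_IN_AUDIENCE = {
    "Personal Microsoft accounts only": "PersonalMicrosoftAccount",
    "Accounts in this organizational directory only (Single tenant)": "AzureADMyOrg",
    "Accounts in any organizational directory (Any Azure AD directory - Multitenant)": "AzureADMultipleOrgs",
    "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)": "AzureADandPersonalMicrosoftAccount",
}

def verify_onboarded_app(application, service_principal, submitted):
    """Return a list of findings; an empty list means Azure matches the wizard input."""
    findings = []
    want = SIGN_IN_AUDIENCE[submitted["supported_account_type"]]
    if application.get("signInAudience") != want:
        findings.append(f"signInAudience is {application.get('signInAudience')}, expected {want}")
    # The two User Access Settings live on the service principal, not on the app registration.
    if service_principal.get("accountEnabled") is not submitted["enabled_users_sign_in"]:
        findings.append("accountEnabled does not match 'Enabled for users to sign-in?'")
    if service_principal.get("appRoleAssignmentRequired") is not submitted["assignment_required"]:
        findings.append("appRoleAssignmentRequired does not match 'Assignment required?'")
    if application.get("isFallbackPublicClient", False) is not submitted["allow_public_client_flows"]:
        findings.append("isFallbackPublicClient does not match 'Allow Public Client Flows'")
    implicit = application.get("web", {}).get("implicitGrantSettings", {})
    if implicit.get("enableAccessTokenIssuance", False) is not submitted["issue_access_token"]:
        findings.append("implicit access token issuance does not match the wizard setting")
    if implicit.get("enableIdTokenIssuance", False) is not submitted["issue_id_tokens"]:
        findings.append("implicit ID token issuance does not match the wizard setting")
    # With no custom AzLocalRole configured, the owner and every deputy become owners of the registration.
    owners = {o.get("userPrincipalName", "").lower() for o in application.get("owners", [])}
    for upn in [submitted["owner"], *submitted["deputies"]]:
        if upn.lower() not in owners:
            findings.append(f"{upn} is not an owner of the app registration")
    return findings

# Constructed sample objects (not real tenant data); the second deputy is deliberately missing.
SAMPLE_APP = {
    "displayName": "Payroll Portal", "signInAudience": "AzureADMyOrg", "isFallbackPublicClient": False,
    "web": {"implicitGrantSettings": {"enableAccessTokenIssuance": False, "enableIdTokenIssuance": False}},
    "owners": [{"userPrincipalName": "owner@contoso.example"}, {"userPrincipalName": "deputy1@contoso.example"}],
}
SAMPLE_SP = {"accountEnabled": True, "appRoleAssignmentRequired": True}
SUBMITTED = {
    "supported_account_type": "Accounts in this organizational directory only (Single tenant)",
    "enabled_users_sign_in": True, "assignment_required": True, "allow_public_client_flows": False,
    "issue_access_token": False, "issue_id_tokens": False,
    "owner": "owner@contoso.example", "deputies": ["deputy1@contoso.example", "deputy2@contoso.example"],
}

if __name__ == "__main__":
    for finding in verify_onboarded_app(SAMPLE_APP, SAMPLE_SP, SUBMITTED):
        print("FINDING:", finding)
```

Run it against real objects by replacing the samples with the output of a Graph request for the application (with `$expand=owners`) and its service principal; any finding means the Azure objects drifted from what the wizard submitted.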
