You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Create Azure Applications

EmpowerID provides a comprehensive wizard workflow called "Create Azure Application" to simplify and streamline the onboarding of Azure applications. This workflow offers various configurable parameters that allow you to modify the fields displayed during the onboarding process. Additionally, it includes settings to determine whether human approval is necessary before EmpowerID fulfills the request and provisions the application in Azure.

This article guides you through the process of creating an Azure application, encompassing the following steps:

  1. Configuring the parameters of the CreateAzureApplication workflow

  2. Defining the roles and ownership assigned by EmpowerID to application owners and deputies

  3. Specifying the approval process (human or automatic)

  4. Executing the workflow

  5. Confirming the results

By following these steps, you can successfully create an Azure application tailored to your organization's specific requirements and preferences.

Step 1: Configure workflow parameters

The Create Azure Application wizard workflow incorporates numerous customizable parameters, allowing you to modify the fields displayed to users running the workflow. These parameters are listed in the below table. By customizing these parameters, you can tailor the workflow to best suit your organization's needs and preferences.

Parameter

Description

Parameter

Description

App_Auth_AssignmentRequired_IsVisible

Boolean value to determine whether the Assignment Required? checkbox is visible. If false, the DefaultAssignmentRequired value should be set.

AppAuth_EnableUserSignIn_IsVisible

Boolean value to determine whether the Enabled for users to sign-in? checkbox is visible. If false, DefaultEnableUserSignIn value should be set.

AppAuth_SupportedAccountType_IsVisible

Set to true/false to show or hide the "Supported Account Types" section in the Application Instance step. If false, the DefaultSupportedAccountType value should be set.

AppExt_CAP_IsVisible

Boolean value to determine whether the Conditional Access Policy drop down is visible. AppExt_ExtensionTab_IsVisible should be true for this setting to take effect.

AppExt_ExtensionTab_IsVisible

Boolean to determine whether the Application Extension tab of the workflow is visible to users.

AppExt_ExtensionAttribute1_IsVisible

Boolean to determine whether the Application Extension Attribute 1 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.

AppExt_ExtensionAttribute2_IsVisible

Boolean to determine whether the Application Extension Attribute 2 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.

AppExt_ExtensionAttribute3_IsVisible

Boolean to determine whether the Application Extension Attribute 3 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.

AppExt_ExtensionAttribute4_IsVisible

Boolean to determine whether the Application Extension Attribute 4 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.

AppExt_ExtensionAttribute7_IsVisible

Boolean to determine whether the Application Extension Attribute 7 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.

AppExt_ExtensionAttribute8_IsVisible

Boolean to determine whether the Application Extension Attribute 8 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.

AppExt_ExtensionAttribute7_IsVisible

Boolean to determine whether the Application Extension Attribute 9 radio button option is visible. AppExt_ExtensionTab_IsVisible must be set to true for the radio button to be visible.

AppIAM_Eligibility_IsVisible

Set to true/false to show or hide the "IAM Shop Settings" step for configuring eligibility while onboarding an Azure application

ApplicationLineListDataItemSetName

This specifies the AzureAppApplicationLine list data set of the various application lines that appear to users when selecting the environment for the application.

Default list items include those shown below:

Β 

ApplicationType_Location_IsVisible

Boolean value that specifies whether the Select a location section of the workflow wizard form is visible to users. Set to true by default.

ApplicationType_Location_SelectaLocation_IsVisible

If ApplicationType_Location_IsVisible is true, this Boolean value determines if the Select a Location tree is visible. Set to true by default.

ApplicationType_Location_Tenant_IsVisible

If ApplicationType_Location_IsVisible is true, this Boolean value determines if the Select a tenant drop-down is visible. Set to true by default.

DefaultAzureRBACManagerAppName

Specifies the default Azure RBAC Manager application used by EmpowerID to manage Azure RBAC resources. Set to EIDAzureRBACManager by default.

DefaultAssignmentRequired

Boolean value on the Azure service principal that determines if users and apps or services must first be assigned the application before accessing it. Set to true by default.

DefaultAzureAppRoleGroupTypeID

INTERNAL: GroupTypeID of the app role groups that get created after the creation of the Azure application

DefaultAzureRBACManagerAppName

INTERNAL: Name of the protected application resource to get the access level settings for owners and deputies of the Azure application

DefaultAzureTenantID

This is the default value of the Azure Tenant to be selected in the β€œSelect a tenant” dropdown in the Application Instance step. The value must be set to the GUID of the Azure tenant

You can find the Tenant ID for your Azure tenant by navigating to Azure RBAC Manager > Resources and selecting the Tenants tab.

DefaultCreateAzureAppRoleGroup

Set to true to create App Role Groups after the creation of the Azure application. Based on the type of the application, this action might be a background task. Valid values are true or false

DefaultEmailMessageName

Name of the email template to use for notifying users on successful creation of the Azure application

DefaultEnabledUsersSignIn

Boolean value on the Azure Service Principal that determines if assigned users will be able to sign in to this application, either from My Apps, the User access URL, or by navigating to the application URL directly.

DefaultOrgZoneID

Optional setting that specifies the Org Zone ID of the EmpowerID location that should be populated in the Select a Location tree drop-down.

DefaultRequestableInIAM

Default value of the "Requestable in IAM Shop" checkbox in the IAM Shop Settings step. Valid values are true or false

DefaultSupportedAccountType

Default value of the "Support Account Type" field in the Application Instance step. Valid values are AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, and PersonalMicrosoftAccount.

ExtensionAttribute1ListDataItemSetName

INTERNAL: List data item set name containing the list of possible values for Extension Attribute 1

ExtensionAttribute2ListDataItemSetName

INTERNAL: List data item set name containing the list of possible values for Extension Attribute 2

ExtensionAttribute3ListDataItemSetName

INTERNAL: List data item set name containing the list of possible values for Extension Attribute 3

ExtensionAttribute4ListDataItemSetName

INTERNAL: List data item set name containing the list of possible values for Extension Attribute 4

IntegrationTypeListDataItemSetName

INTERNAL: List data item set name containing the list of possible values for application integration type

ListDataItemSetTypeName

INTERNAL: Base list data item set type name

NonGalleryTemplateID

INTERNAL: Azure Template ID for Non-gallery Azure application

ManagementRoleIDsToNotify

Comma separated list of Management Role IDs to be notified via email upon creation of the Azure application

SupportedAccountTypesOIDCListName

INTERNAL: List data item set name containing the list of SignInAudience values for OIDC application

SupportedAccountTypesTemplateListName

INTERNAL: List data item set name containing the list of SignInAudience values for Gallery & Non-Gallery applications


To configure workflow parameters, do the following:

  1. On the navbar, expand Low Code/No Code Workflow and select Low Code Workflows.

  2. Select the Workflow tab and search for Create Azure Application.

  3. Click the Display Name for the workflow.

    Β 

  4. On the View One page for the workflow, expand the Request Workflow Parameters accordion and search for the parameter you need to configure. In this example, we set the DefaultAzureTenantID parameter to the Azure tenant where applications are to be created.

    Β 

  5. Click the edit button for the parameter, enter the appropriate Azure Tenant ID in the Value field and click Save.

    Β 

  6. Configure any other settings as needed.

Step 2: Configure approval

The CreateAzureApplication workflow enables EmpowerID to either automatically provision Azure applications or require approval. This is determined by the Do not generate a business request (no approval) setting. If enabled, the application is provisioned instantly. If not, a business request for the application creation is generated and sent for approval. Upon approval, EmpowerID provisions the application in Azure.

To configure whether approval is needed or not, do the following:

  1. Navigate to the View One page for the workflow (as shown in Step 1 above) and click the Edit link to put the workflow in Edit mode.

    Β 

  2. On the Edit One page, toggle Do not generate a business request (no approval) as needed and save your changes.

Step 3: Configure owner and deputy roles

The Application Configuration settings of Azure RBAC Manager determine owner and deputy settings for Azure applications created in EmpowerID. These settings are listed in the below table.

Owner Settings

Description

Owner Settings

Description

AzureAppSingleOwnerCustomRole

AzLocalRole Name. This value determines the Custom Role assignment for the application owner in Azure. If value is empty, the user will be added as an Owner of the app registration in Azure. This user can view and edit the application registration.

AzureAppSingleOwnerAccessLevelID

Specifies the ID of the Access Level (ResourceTypeRole) that application owners should be granted. The default value is the Access Manager Access Level for the Azure application. The owner can assign or unassign any Access Levels for the resource directly by EmpowerID Location.

ProtectedAppSingleOwnerAccessLevelID

Specifies the ID of the Access Level (ResourceTypeRole) that protected application owners should be granted. The default value is the Access Manager for the protected application resource. The Access Manager is the owner of the resource and can manage/approve permissions assignments.

Deputy Settings

Description

AzureAppCustomRole1Name

This specifies the AzLocalRole name. This value determines the Custom Role assignment for ALL the deputies in Azure. If the value is empty, the deputies will be added as Owner(s) of the app registration in Azure. These user(s) can view and edit the application registration.

ProtectedAppMultiOwnerAccessLevelID

Specifies the ID of the Access Level (ResourceTypeRole) that deputies should be granted for the protected application resource in EmpowerID. Defaults to the ACT-Application-Object-Administration Access Level for the protected application resource. Deputies can perform create, update and delete operations on the protected application.

AzureAppMultiOwnerAccessLevelID

Specifies the ID of the Access Level (ResourceTypeRole) that deputies should be granted for the Azure application. Defaults to the ACT-Azure-Application-Administration Access Level for the Azure Application. Deputies can perform create, update and delete operations on the Azure application.

Β 

To configure custom owner and deputy role settings, do the following:

  1. On the navbar, expand Apps and Authentication and select Applications.

  2. From the Applications tab, search for RBAC and click the Display Name link for Azure RBAC Manager.


    This directs you to the View One page for the application. From this page, you can manage the application as needed.

    Β 

  3. On the View One page, select the App Resources tab and then expand the Application Configuration Settings accordion.

  4. Click the Edit button for any setting you need to configure with a custom value.

    Β 

  5. Save your changes.

Step 4: Run the workflow

  1. Navigate to the portal for the Resource Admin app in your environment.

  2. In Resource Admin, select Applications and then select the Workflows tab.

  3. Click Onboard Azure Application.


    This opens the Create Azure Application wizard workflow. Follow the wizard and fill in the fields of each section of the workflow with the appropriate information for your application.



  • Which Type of Azure Application Do You Wish to Onboard? – Select the type of application you wish to integrate with Azure. Types include:

    • Non-gallery Enterprise Applications (SAML)

    • Gallery Enterprise Applications (SAML)

    • Application Registration (OIDC)

  • In Which Environment Will It Be Deployed? – Select the appropriate environment for the application. Depending on the value of the AzureAppApplicationLine list data set, the choices displayed may differ from those below. The option selected has no effect on where the application is created; it is metadata that EmpowerID stores in an extension attribute on the application.

Β 

  • Select a Tenant – Search for and select the Azure tenant in which the application is to be created.

  • Select a Location – Select a location in EmpowerID for the application. This location is for RBAC delegation only.
    If there is a location selected by default and you wish to change it, click the link for the location and then search for and select the desired location from the Location tree.

Β 

  • Azure Application Name – Enter a name for the application

  • Azure Description – Enter a description for the application

Β 

Select the scope for selecting which accounts can use the application. Default options include the following:

  • Personal Microsoft accounts only

  • Accounts in this organizational directory only (Single tenant)

  • Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)

  • Accounts in any organizational directory (Any Azure AD directory - Multitenant)

Β 

  • Application Owner – Search for and select the application owner. This field only returns people with an account in the Azure tenant.

  • Select Deputies – Search for and select one or more application deputies. This field only returns people with an account in the Azure tenant.

Β 

  • Select A Platform – Select a platform the application is targeting. Options include:

    • Web – Build, host, and deploy web server applications

    • Single-page application – Configure browser client applications and progressive web applications

    • Mobile and desktop applications – iOS/macOS, Android applications

  • Front-Channel Logout URL – Enter URL as needed

  • Issue Access token (used for implicit flows) – Select as needed

  • Issue ID tokens (used for implicit and hybrid flows) – Select as needed

  • Allow Public Client Flows – Specifies whether the application is a public client. Appropriate for apps using token grant flows that don’t use a redirect URI.

  • User Access Settings

    • Enabled for users to sign-in? – Enabled by default

    • Assignment required? – Enabled by default

Β 

  • Set Requestable Setting – Specifies whether the application is requestable in the IAM Shop. When selected, the settings below are relevant.

  • Select Access Request Policy – Select the Access Request policy that specifies how requests for the application are processed.

  • Select Assignees – Search for and select users who are eligible for the application. Users must have one of the below eligibility assignments to view the application in the IAM Shop.

    • Eligible Assignees – Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), and then search for and select the specific assignees eligible for the application.

    • Preapproved Assignees – Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), and then search for and select the specific assignees pre-approved for the application.

    • Suggested Assignees – Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), and then search for and select the specific assignees suggested for the application.

  1. Review the summary information for the application and then click Submit.

    If you configured the workflow to require approval, you should see that a business request for the Azure application was successfully created. Each designated approver must approve the business request before EmpowerID fulfills the request and creates the application.

    Β 

  2. Click Submit to exit the wizard.

Step 5: If configured: Approve the Business Request

If the workflow was configured to require approval, do the following to approve the business request; otherwise, move to Step 6 below and verify the application in Azure.

  1. Navigate to the portal for the My Tasks application and log in as a user who can approve the request.

  2. In My Tasks, select To Do and locate the Business Request for creating the application.

  3. Click the Pending button.

    Β 

  4. Click Run Workflow.

    Β 

  5. Review the information in the Running Approval Workflow dialog and click Approve.


    You should see the request is completed and pending fulfillment, which occurs when the system creates the application in Azure.

Results

After the request to create an Azure application has been approved and EmpowerID has fulfilled the request, you should be able to confirm the application has been created in Azure with the owner and deputies specified when the application was created.

  1. Log in to your Azure portal and navigate to Azure AD > Enterprise applications.

  2. Select All Applications as the Application type and then search for the application you just created.

    You should see the application.

  3. Click the Name link for the application to navigate to the Overview blade for the app.

  4. Under Manage, click Owners.

    You should see the Application owner and any deputies you specified for the application when you created it in EmpowerID.

Β