You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Onboard Azure Applications - Approval Required

If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID. This includes onboarding applications, assigning users to application roles, editing applications, and deleting applications. For onboarding applications, EmpowerID provides two options that you can use depending on your organization's policies:

  1. You can require every onboarding of an Azure application to go through an approval process before the application is created in Azure.

  2. You can allow applications to be onboarded without requiring any approvals.

In this article, you create a test application for your Azure AD tenant that requires the onboarding request to be approved before EmpowerID provisions it. To complete this, you will:

  1. Configure approval flow for any onboarding application requests

  2. Initiate the workflow used to onboard Azure applications

  3. Approve the onboarding request

  4. Verify the application in Azure after approval occurs.

Configure approval flow

The workflow used for onboarding Azure applications is the Create Azure Application workflow. This workflow has its Business Request Type property set to Azure Application, which uses the CreateAzureAppFlowPolicy Approval Flow Policy. This Approval Flow Policy has configurable Approver Resolver Rules that you can use to specify who needs to approve the request before EmpowerID provisions the application.

  1. On the navbar, expand IT Shop and select Approval Flow Policies.

  2. Select the Approval Flow Steps tab and search for Azure Application Approval.

  3. Click the Name link for the Approval Flow Step.

     

  4. On the View One page for the Approval Flow Step, expand the Approver Resolver Rules accordion.

  5. Click the Add [+] button.

  6. In the Approver Determination Rule dialog that appears, enter the following information:

    1. Approval Resolver Type – Select Static Approver

    2. Which Type of Assignee For This Policy – Select the appropriate EmpowerID Actor type. Actor Types include:

      • Business Role and Location

      • Group

      • Management Role

      • Management Role Definition

      • Person

    3. Select <Actor> To Receive Policy – Select the specific actor who is to be the approver. For example, if you selected Person as the Actor Type, you select the specific Person here.

    4. Click Save.

    5. Repeat the above for any other approvers you want to add.

    6. Click Submit.

Onboard an application

  1. Navigate to the Resource Admin application portal for your environment.

  2. Select Applications from the dropdown menu and then click the Workflows tab.

  3. Click the Onboard Azure Application card.


    The Create Azure Application wizard opens to assist you with onboarding an Azure application.

     

  4. Enter the following information in the wizard:

    • Select Type of Integration – Select the type of application you want to integrate with Azure. Available types include Non-gallery Enterprise Applications (SAML), Gallery Enterprise Applications (SAML), and OIDC applications.

    • Application Environment – Select the appropriate environment for the application. It is recommended that you select a non-production environment for initial testing.

    • Select a Tenant – Select the Azure tenant where you want to create the application.

    • Select a Location – Select a location for the application in EmpowerID. Default Organization is selected by default; if you wish to change this, click the Default Organization link and then search for and choose the desired location from the Location tree.

  5. Click Next.

     

  6. Enter the following information on the next screen of the wizard:

    • Azure Application Name – Name of the application

    • Application Description – Description of the application

    • Enabled for users to sign-in? – Select this option to allow users to sign in to the application, either from My Apps, from the user access URL, or by navigating to the application URL directly. If this option is not selected, users cannot sign in to the app, even if they are assigned to it.

    • Assignment required? – Select this option to require that users, and other apps or services, be assigned to the application before they can access it. If this option is not selected, all users in the tenant will be able to sign in, and other apps and services will be able to obtain an access token for this application. For a least-privilege setup, leave this option selected so that only explicitly assigned users and apps can reach the application.

  7. Click Next.

     

  8. Select an Application Owner and one or more Deputies and then click Next.

     

  9. Review the information and click Next.

    You should see that a Business Request for the application was successfully created.

     

  10. Click Submit to exit the wizard.

Approve the onboarding request

  1. Navigate to the My Tasks application as an approver for the Business Request.

  2. In My Tasks, select the To Do view and then search for the Business Request.

  3. Click the Pending button for the request.

     

  4. Click Run Workflow.

     

  5. Review the information and click Approve or Reject as needed.


    You should see the task is completed.

  6. Refresh the To Do view of My Tasks and then search for the Business Request.

  7. Click the Pending Item button for the request to navigate to the Overview page for it.
    You should see two pending items: One to assign the Azure application owner and the other to assign Azure application deputies.

     

  8. To approve or reject both items at once, click the Global Decision drop-down (the first drop-down) and select the desired decision.

     

  9. Enter any comments and then click Submit.

     

Verify the application in Azure

  1. Log in to your Azure portal and navigate to Azure AD > App Registrations.

  2. Select All Applications and then search for the application you just created.

    You should see the application.

     

  3. Click the Name link for the application to navigate to the Overview blade for the app.

  4. Under Manage, click Owners.

    You should see the Application owner and any deputies you specified for the application.
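The portal check above can also be scripted so it can be repeated after every approved request. The following PowerShell script is an added example and is not part of the EmpowerID guide or product; it uses the Microsoft Graph PowerShell SDK to confirm that the app registration exists, that its owners match the owner and deputies that were approved, and that the two sign-in settings chosen in the wizard ("Enabled for users to sign-in?" and "Assignment required?") took effect on the enterprise application. The application name and the expected owner UPNs are placeholder assumptions; replace them with the values from your Business Request.

```powershell
# Added verification script (not from the EmpowerID guide). Assumes the
# Microsoft Graph PowerShell SDK is installed (Install-Module Microsoft.Graph)
# and the signed-in account can read applications and users.
param(
    # Assumed placeholder values; replace with the name and owners from your request.
    [string]$AppName = 'Contoso Test App',
    [string[]]$ExpectedOwners = @('app.owner@contoso.com', 'app.deputy@contoso.com'),
    [bool]$ExpectSignInEnabled = $true,        # "Enabled for users to sign-in?" in the wizard
    [bool]$ExpectAssignmentRequired = $true    # "Assignment required?" in the wizard
)

Connect-MgGraph -Scopes 'Application.Read.All', 'User.Read.All' -NoWelcome

# 1. The app registration (what the portal lists under App Registrations).
$app = @(Get-MgApplication -Filter "displayName eq '$AppName'")
if ($app.Count -eq 0) {
    throw "No app registration named '$AppName' exists; the Business Request may still be pending."
}
if ($app.Count -gt 1) {
    throw "More than one app registration is named '$AppName'; verify by object ID instead."
}
$app = $app[0]

# 2. Owners (what the portal shows under Manage > Owners). Owners are returned as
#    directory objects, so the UPN is read from AdditionalProperties.
$actualOwners = @(Get-MgApplicationOwner -ApplicationId $app.Id |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ })

$missingOwners = @($ExpectedOwners | Where-Object { $_ -notin $actualOwners })
$extraOwners   = @($actualOwners   | Where-Object { $_ -notin $ExpectedOwners })

# 3. The enterprise application (service principal) carries the sign-in settings:
#    accountEnabled = "Enabled for users to sign-in?", appRoleAssignmentRequired = "Assignment required?".
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

$result = [pscustomobject]@{
    DisplayName            = $app.DisplayName
    ObjectId               = $app.Id
    AppId                  = $app.AppId
    Owners                 = $actualOwners
    MissingOwners          = $missingOwners
    UnexpectedOwners       = $extraOwners
    SignInEnabled          = $sp.AccountEnabled
    AssignmentRequired     = $sp.AppRoleAssignmentRequired
}
$result | Format-List

# Fail loudly on any drift from what was approved, so the script can gate a pipeline.
$problems = @()
if ($missingOwners.Count -gt 0) { $problems += "Missing owners: $($missingOwners -join ', ')" }
if ($extraOwners.Count   -gt 0) { $problems += "Unexpected owners: $($extraOwners -join ', ')" }
if (-not $sp) {
    $problems += 'No service principal (enterprise application) exists for this app registration.'
} else {
    if ($sp.AccountEnabled -ne $ExpectSignInEnabled) {
        $problems += "accountEnabled is $($sp.AccountEnabled); expected $ExpectSignInEnabled."
    }
    if ($sp.AppRoleAssignmentRequired -ne $ExpectAssignmentRequired) {
        $problems += "appRoleAssignmentRequired is $($sp.AppRoleAssignmentRequired); expected $ExpectAssignmentRequired."
    }
}
if ($problems.Count -gt 0) {
    throw ("Verification failed:`n - " + ($problems -join "`n - "))
}
Write-Host "Application '$AppName' matches the approved request."
```

Run the script after the approver has submitted the global decision on the owner and deputy items; if the app registration is present but the owner list is still short, the two pending items from step 7 of the approval section have probably not been processed yet. The appRoleAssignmentRequired check is the one worth keeping in a recurring job, because an app that was approved with "Assignment required?" set can later be opened to every user in the tenant by a single portal edit.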