
Onboarding Azure Applications

This guide provides step-by-step instructions for onboarding Azure applications into EmpowerID. The process includes application creation, configuration, authentication setup, and integration into the IAM Shop.

Step 1: Navigate to Onboard Azure Application

  • Navigate to the Resource Admin portal in your environment.
  • Select Applications and then click the Workflows tab.
  • Click Onboard Azure Application. This opens the Create Azure Application Wizard.

Step 2: Complete Azure Application Wizard

  • Which Type of Azure Application Do You Wish to Onboard? Select the type of application you wish to integrate with Azure. Types include:
    • Non-gallery Enterprise Applications (SAML)
    • Gallery Enterprise Applications (SAML)
    • Application Registration (OIDC)
  • In Which Environment Will It Be Deployed? Select the appropriate environment for the application.
    • Depending on the value of the AzureAppApplicationLine list data set, the choices displayed may differ from those below.
    • The option selected has no effect on where the application is created; it is metadata that EmpowerID stores in an extension attribute on the application.
  • Select a Location & Tenant
    Info: The visibility of this section of the form and of the controls within it is controlled by the following workflow parameters:
      • ApplicationType_Location_IsVisible
      • ApplicationType_Location_Tenant_IsVisible
      • ApplicationType_Location_SelectaLocation_IsVisible
    • Select a Tenant: Search for and select the Azure tenant in which the application is to be created.
    • Select a Location: Choose a location in EmpowerID for the application. This location is used for RBAC delegation only. If a default location is already selected and you wish to change it, click the location link, then search for and select the desired location from the Location tree.
  • Application Instance Details
    • Azure Application Name: Enter a name for the application.
    • Azure Description: Enter a description for the application.
  • Supported Account Types: Select which accounts are allowed to sign in to the application. Default options include the following:
    • Personal Microsoft accounts only
    • Accounts in this organizational directory only (Single tenant)
    • Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)
    • Accounts in any organizational directory (Any Azure AD directory - Multitenant)
  • Owners and Deputies
    Info: Users selected as Application Owner and Deputies will be given the Configuration Owner role for the application in Azure.
    • Application Owner: Search for and select the application owner. This field only returns people with an account in the Azure tenant.
    • Select Deputies: Search for and select one or more application deputies. This field only returns people with an account in the Azure tenant.
  • Application Authentication
    • Select a platform the application is targeting. Options include:
      • Web: Build, host, and deploy web server applications.
      • Single-page application: Configure browser client applications and progressive web applications.
      • Mobile and desktop applications: iOS/macOS and Android applications.
    • Front-Channel Logout URL: Enter the URL as needed.
    • Issue Access Token (used for implicit flows): Select as needed.
    • Issue ID Tokens (used for implicit and hybrid flows): Select as needed.
    • Allow Public Client Flows: Specifies whether the application is a public client. This is appropriate for apps using token grant flows that don’t use a redirect URI.
    • User Access Settings
      • Enabled for users to sign-in?: Enabled by default.
      • Assignment required?: Enabled by default.
  • IAM Shop Settings
    • Set Requestable Setting: Specifies whether the application is requestable in the IAM Shop. When selected, the following settings are relevant:
    • Select Access Request Policy: Choose the policy that specifies how requests for the application are processed.
    • Select Assignees: Search for and select users eligible for the application. Users must have one of the following eligibility assignments to view the application in the IAM Shop:
      • Eligible Assignees: Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), then search for and select the specific assignees eligible for the application.
      • Preapproved Assignees: Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), then search for and select the specific assignees pre-approved for the application.
      • Suggested Assignees: Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), then search for and select the specific assignees suggested for the application.
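The Supported Account Types, Application Authentication and User Access Settings fields above map to properties of the resulting Azure application registration and its service principal, and the ones that widen access (implicit-flow tokens, public client flows, a multitenant or personal-account audience, assignment not required) are the ones worth reviewing after the wizard runs. The script below is an added example and not part of this page or of EmpowerID; it assumes the Microsoft Graph property names for those settings (signInAudience, isFallbackPublicClient, web.implicitGrantSettings, web.logoutUrl, appRoleAssignmentRequired, accountEnabled), which are not named on the page, and runs the review over constructed sample objects rather than a live tenant.

```python
"""Review the Azure settings an onboarded application ended up with.

Added example (not EmpowerID code). Input objects are shaped like the
Microsoft Graph `application` and `servicePrincipal` resources, which is
what tooling such as `az ad app show` / `az ad sp show` returns; the
property names are assumed from Graph, not from the onboarding page.
"""

# Sign-in audiences that admit personal Microsoft accounts (assumed Graph values).
PERSONAL_AUDIENCES = {"AzureADandPersonalMicrosoftAccount", "PersonalMicrosoftAccount"}

# Constructed sample: a registration where the riskier wizard options were chosen.
SAMPLE_APP = {
    "displayName": "Example Onboarded App",
    "signInAudience": "AzureADandPersonalMicrosoftAccount",   # Supported Account Types
    "isFallbackPublicClient": True,                           # Allow Public Client Flows
    "web": {
        "logoutUrl": "https://app.example.com/signout",      # Front-Channel Logout URL
        "implicitGrantSettings": {
            "enableAccessTokenIssuance": True,                # Issue Access Token
            "enableIdTokenIssuance": False,                   # Issue ID Tokens
        },
    },
}
SAMPLE_SP = {
    "accountEnabled": True,             # Enabled for users to sign-in?
    "appRoleAssignmentRequired": False,  # Assignment required? (default changed)
}

# Constructed sample: the same wizard with the defaults kept and a single-tenant audience.
HARDENED_APP = {
    "displayName": "Example Onboarded App",
    "signInAudience": "AzureADMyOrg",
    "isFallbackPublicClient": False,
    "web": {
        "logoutUrl": "https://app.example.com/signout",
        "implicitGrantSettings": {
            "enableAccessTokenIssuance": False,
            "enableIdTokenIssuance": False,
        },
    },
}
HARDENED_SP = {"accountEnabled": True, "appRoleAssignmentRequired": True}


def _finding(severity, setting, message):
    return {"severity": severity, "setting": setting, "message": message}


def review_app(app: dict, sp: dict) -> list:
    """Return a list of findings; an empty list means nothing needs review."""
    findings = []
    web = app.get("web") or {}
    implicit = web.get("implicitGrantSettings") or {}

    if implicit.get("enableAccessTokenIssuance"):
        findings.append(_finding("high", "Issue Access Token",
            "implicit-flow access tokens are enabled; they are returned in the URL "
            "fragment. Prefer the authorization code flow with PKCE."))
    if implicit.get("enableIdTokenIssuance"):
        findings.append(_finding("info", "Issue ID Tokens",
            "ID tokens are issued via the implicit/hybrid flow; keep only if the app uses the hybrid flow."))
    if app.get("isFallbackPublicClient"):
        findings.append(_finding("medium", "Allow Public Client Flows",
            "public client flows are allowed; confirm the app cannot keep a client secret "
            "(mobile/desktop), otherwise disable this."))

    audience = app.get("signInAudience", "")
    if audience in PERSONAL_AUDIENCES:
        findings.append(_finding("medium", "Supported Account Types",
            f"audience {audience} accepts personal Microsoft accounts; confirm this is intended."))
    elif audience == "AzureADMultipleOrgs":
        findings.append(_finding("low", "Supported Account Types",
            "multitenant audience: users from any Azure AD tenant can sign in; confirm this is intended."))

    if not web.get("logoutUrl"):
        findings.append(_finding("low", "Front-Channel Logout URL",
            "no front-channel logout URL; the app is not told when the user signs out of Azure AD."))

    if not sp.get("appRoleAssignmentRequired", False):
        findings.append(_finding("high", "Assignment required?",
            "assignment is not required, so every user in the tenant can sign in, not only assigned users."))
    if not sp.get("accountEnabled", True):
        findings.append(_finding("info", "Enabled for users to sign-in?",
            "sign-in is currently disabled for this application."))
    return findings


if __name__ == "__main__":
    for name, app, sp in (("sample", SAMPLE_APP, SAMPLE_SP), ("hardened", HARDENED_APP, HARDENED_SP)):
        print(f"{name}: {len(review_app(app, sp))} finding(s)")
        for f in review_app(app, sp):
            print(f"  [{f['severity']}] {f['setting']}: {f['message']}")
```

Feeding the script the real objects (for example the JSON output of the Azure CLI for the application and its service principal) gives the same report for a live registration; the constructed sample produces four findings, the hardened one none.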

Step 3: Finalize Updates

  • Review the summary information for the application and click Submit.
    Info: If you configured the workflow to require approval, a business request for the Azure application will be created. Each designated approver must approve the business request before EmpowerID fulfills the request and creates the application.
  • Click Submit to exit the wizard.