Differentiate between SSO enabled Enterprise Apps and the apps used for identity purpose

Question

Differentiate between SSO enabled Enterprise Apps and the apps used for identity purpose

Apurva Pathak 735

Hi folks, Hope you are doing well! I've written a PowerShell script to monitor the certificate expiry of Enterprise Applications in our Tenant but the problem that script is taking all those managed identities as well which are created by Azure for different resources (for e.g. Automation Account Run as account identities, managed identities for VMs etc.). This adds up a lot of number to the total apps and causes a lot of run time to the script. Could you please help me know if there is any such property which help me distinguish between these two types of Enterprise Applications.

Any help is highly appreciated! Cheers! Apurva

Accepted answer

0 additional answers

Your answer

Answer 1

Azar 29,520 MVP Volunteer Moderator

Hey
Apurva Pathak

Thats a great question thanks for posting it on QandA platform.

Firstly the SSO, the Purpose of these applications are typically configured in AzureAD to enable Single Sign-On for users. Users can sign in to these applications using their Azure AD credentials. so this SSO-enabled apps often have configurations related to user authentication, authorization and etc

secondly the Apps Used for Identity Purposes . the purpose of these are not applications that users interact with directly. Managed identities are service principals created by Azure for various resources eg, vms etc, to enable secure communication with Azure services and other resources.

These managed identities don't have user interfaces or SSO configurations. They exist for the purpose of providing an identity to a resource, allowing it to authenticate and authorize against other Azure resources.

finally if you want to filter out managed identities and focus only on SSO-enabled Enterprise Applications, follow this below

Check for SSO-enabled Enterprise Applications often have Sign-On URLs or Reply URLs configured.

You can filter applications based on the presence of these URLs.

you can Use the ServicePrincipal object in PowerShell to fetch more details about each application.

If this helps kindluy accept the answer thanks much.

Apurva Pathak 735 Reputation points

2024-01-30T15:55:30.9033333+00:00

Thanks for the comment @azar Could you please help me with any such property which can help me distinguish between these two in PowerShell. For e.g. SSO enabled Enterprise app can have PropertyX: ValueY, so that I can add a logic to omit all such apps with PropertyX: ValueY

Azar 29,520 MVP Volunteer Moderator

Hey again lemme help you, here is the powershell. script making changes as you needed.

# Get all service principals
$servicePrincipals = Get-AzureADServicePrincipal

foreach ($sp in $servicePrincipals) {
    # Check if Sign-On URL or Reply URL is present
    if ($sp.SignInAudience -eq "AzureADMyOrg" -or $sp.ReplyUrls.Count -gt 0) {
        # This is an SSO-enabled Enterprise Application
        Write-Host "SSO-enabled App: $($sp.DisplayName)"
    } else {
        # This may be a managed identity
        Write-Host "Managed Identity: $($sp.DisplayName)"
    }
}

Don't forget to accept the answer if it helps.

Apurva Pathak 735 Reputation points

2024-01-30T17:16:47.8066667+00:00

Thanks a lot, this does help! Thanks again! Cheers!

Share via

Differentiate between SSO enabled Enterprise Apps and the apps used for identity purpose

0 additional answers

Your answer