Azure AD Self Service Application Access
Self-service application access is a feature of Azure Active Directory Premium that allows directory administrators to:
- Enable users to request access to applications using a “Get more applications” tile in the Azure AD access panel
- Set which applications users can request access to
- Set whether or not an approval is required for users to be able to self-assign access to an application
- Set who should approve the requests for each application
Today this capability is in public preview, and is supported for all pre-integrated apps that support federated or password-based single sign-on in the Azure Active Directory app gallery, including apps like Salesforce, Dropbox, Google Apps, and more.
Configuring self-service application access
To enable self-service application access and configure which applications can be added or requested by your end users, follow the instructions below.
**1.** Sign into the Azure management portal.
**2.** Under the Active Directory section, select your directory, then select the Configure tab.
**3.** Near the bottom of the page, set Allow users to self-assign access to enabled applications to Yes, and click Save to enable the feature.
Note: If this option does not appear, then you may not have licenses of Azure AD Premium assigned. You can get a trial of Azure AD Premium here: http://azure.microsoft.com/en-us/trial/get-started-active-directory/
**4.** Next, select the Applications tab. Select the Add button, and use the gallery option to select and add an application.
**5.** After your app has been added, you’ll get the app Quick Start page. Click Configure Single Sign-On, select the desired single sign-on mode, and save the configuration.
**6.** Next, select the Configure tab. To enable users to request access to this app from the Azure AD access panel, set Allow self-service application access to Yes.
**7.** To optionally configure an approval workflow for access requests, set Require approval before granting access to Yes. Then one or more approvers can be selected using the Approvers button.
An approver can be any user in the organization with an Azure AD account, and could be responsible for account provisioning, licensing, or any other business process your organization requires before granting access to an app. The approver could even be the group owner of one or more shared account groups, and can assign the users to one of these groups to give them access via a shared account.
If no approval is required, then users will instantly get the application added to their Azure AD access panel. This is appropriate if the application has been set up for automatic user provisioning, or has been set up in “user-managed” password SSO mode where the user already has a user account and knows the password.
**8.** Click Save at the bottom of the screen to save the configuration. Now users will be able to request access to this app from the access panel.
**9.** To try the end user experience, sign into your organization’s Azure AD access panel at https://myapps.microsoft.com, preferably using a different account that isn’t an app approver.
**10.** Under the Applications tab, click the Get more applications tile. This displays a gallery of all of the applications that have been enabled for self-service application access in the directory, with the ability to search and filter by app category on the left.
**11.** Clicking on an app kicks off the request process. If no approval process is required, then the application will be immediately added under the Applications tab after a short confirmation. If approval is required, then you will see a dialog indicating this, and an email will be sent to the approvers. (Quick note: You need to be signed into the access panel as a non-approver to see this request process.)
**12.** The email directs the approver to sign into the Azure AD access panel, and approve the request under the Approvals tab. Once the request is approved (and any special processes you define have been performed by the approver), the user will then see the application appear under their Applications tab where they can sign into it.
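The approval guidance in step 7, expressed as a review check over a directory's self-service settings. This is an added example, not part of the original instructions; the inventory format, field names, access-model labels and sample entries are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Access models for which the guidance above says instant (no-approval)
# self-assignment is appropriate. Labels are hypothetical.
SAFE_WITHOUT_APPROVAL = {"automatic_provisioning", "user_managed_password"}

@dataclass
class AppSetting:
    name: str
    self_service: bool        # "Allow self-service application access"
    require_approval: bool    # "Require approval before granting access"
    access_model: str         # how the user ends up with a usable account
    approvers: list = field(default_factory=list)

def review(app):
    """Return a list of findings for one application's configuration."""
    if not app.self_service:
        return []  # not requestable from the access panel, nothing to review
    findings = []
    if app.require_approval:
        if not app.approvers:
            findings.append("approval required but no approvers selected")
    elif app.access_model not in SAFE_WITHOUT_APPROVAL:
        # Shared-account or manually provisioned apps need a person to act
        # (assign a group, create the account) before access makes sense.
        findings.append(
            "instant access with access model '%s': require approval"
            % app.access_model)
    return findings

def review_all(inventory):
    """Map application name -> findings, omitting clean applications."""
    report = {}
    for app in inventory:
        findings = review(app)
        if findings:
            report[app.name] = findings
    return report

# Constructed sample inventory (not exported from any real directory).
INVENTORY = [
    AppSetting("crm-app", True, False, "automatic_provisioning"),
    AppSetting("file-share", True, False, "shared_account"),
    AppSetting("mail-suite", True, True, "manual_provisioning", []),
    AppSetting("hr-portal", True, True, "shared_account", ["group-owner@example.com"]),
    AppSetting("wiki", False, False, "shared_account"),
]

if __name__ == "__main__":
    for name, findings in review_all(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```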