Integrating Microsoft Entra ID with applications getting started guide
This topic summarizes the process for integrating applications with Microsoft Entra ID. Each of the sections below contain a brief summary of a more detailed topic so you can identify which parts of this getting started guide are relevant to you.
To download in-depth deployment plans, see Next steps.
Take inventory
Before integrating applications with Microsoft Entra ID, it is important to know where you are and where you want to go. The following questions are intended to help you think about your Microsoft Entra application integration project.
Application inventory
- Where are all of your applications? Who owns them?
- What kind of authentication do your applications require?
- Who needs access to which applications?
- Do you want to deploy a new application?
- Will you build it in-house and deploy it on an Azure compute instance?
- Will you use one that is available in the Azure Application Gallery?
User and group inventory
- Where do your user accounts reside?
- On-premises Active Directory
- Microsoft Entra ID
- Within a separate application database that you own
- In unsanctioned applications
- All of the above
- What permissions and role assignments do individual users currently have? Do you need to review their access or are you sure that your user access and role assignments are appropriate now?
- Are groups already established in your on-premises Active Directory?
- How are your groups organized?
- Who are the group members?
- What permissions/role assignments do the groups currently have?
- Will you need to clean up user/group databases before integrating? (This is an important question. Garbage in, garbage out.)
Access management inventory
- How do you currently manage user access to applications? Does that need to change? Have you considered other ways to manage access, such as with Azure RBAC for example?
- Who needs access to what?
Maybe you don't have the answers to all of these questions up front but that's okay. This guide can help you answer some of those questions and make some informed decisions.
Find unsanctioned cloud applications with Cloud Discovery
As mentioned above, there may be applications that haven't been managed by your organization until now. As part of the inventory process, it is possible to find unsanctioned cloud applications. See Set up Cloud Discovery.
Integrating applications with Microsoft Entra ID
The following articles discuss the different ways applications integrate with Microsoft Entra ID, and provide some guidance.
- Determining which Active Directory to use
- Using applications in the Azure application gallery
- Integrating SaaS applications tutorials list
Capabilities for apps not listed in the Microsoft Entra gallery
You can add any application that already exists in your organization, or any third-party application from a vendor who is not already part of the Microsoft Entra gallery. Depending on your license agreement, the following capabilities are available:
- Self-service integration of any application that supports Security Assertion Markup Language (SAML) 2.0 identity providers (SP-initiated or IdP-initiated)
- Self-service integration of any web application that has an HTML-based sign-in page using password-based SSO
- Self-service connection of applications that use the System for Cross-Domain Identity Management (SCIM) protocol for user provisioning
- Ability to add links to any application in the Office 365 app launcher or My Apps
If you're looking for developer guidance on how to integrate custom apps with Microsoft Entra ID, see Authentication Scenarios for Microsoft Entra ID. When you develop an app that uses a modern protocol like OpenId Connect/OAuth to authenticate users, you can register it with the Microsoft identity platform by using the App registrations experience in the Azure portal.
Authentication Types
Each of your applications may have different authentication requirements. With Microsoft Entra ID, signing certificates can be used with applications that use SAML 2.0, WS-Federation, or OpenID Connect Protocols and Password Single Sign On. For more information about application authentication types, see Managing Certificates for Federated Single Sign-On in Microsoft Entra ID and Password based single sign on.
Enabling SSO with Microsoft Entra application proxy
With Microsoft Entra application proxy, you can provide access to applications located inside your private network securely, from anywhere and on any device. After you have installed a private network connector within your environment, it can be easily configured with Microsoft Entra ID.
Integrating custom applications
If you want to add your custom application to the Azure Application Gallery, see Publish your app to the Microsoft Entra app gallery.
Managing access to applications
The following articles describe ways you can manage access to applications once they have been integrated with Microsoft Entra ID using Microsoft Entra Connectors and Microsoft Entra ID.
- Managing access to apps using Microsoft Entra ID
- Automating with Microsoft Entra Connectors
- Assigning users to an application
- Assigning groups to an application
- Sharing accounts
Next steps
For in-depth information, you can download Microsoft Entra deployment plans from GitHub. For gallery applications, you can download deployment plans for single sign-on, Conditional Access, and user provisioning through the Microsoft Entra admin center.
To download a deployment plan from the Microsoft Entra admin center:
- Sign in to the Microsoft Entra admin center.
- Select Enterprise Applications | Pick an App | Deployment Plan.