Five steps to integrate your apps with Azure Active Directory
Learn to integrate your applications with Azure Active Directory (Azure AD), which is a cloud-based identity and access management service. Organizations use Azure AD for secure authentication and authorization so customers, partners, and employees can access applications. With Azure AD, features such as Conditional Access, Azure AD Multi-Factor Authentication (MFA), single sign-on, and application provisioning make identity and access management easier to manage and more secure.
- What is Conditional Access?
- How it works: Azure AD Multi-Factor Authentication
- Azure AD seamless single sign-on
- What is app provisioning in Azure AD?
If your company has a Microsoft 365 subscription, you likely already use Azure AD. You can also use Azure AD for your other applications. Centralizing application management gives you the same identity management features, tools, and policies across your whole app portfolio. The benefit is a unified solution that improves security, reduces costs, increases productivity, and helps with compliance. It also provides remote access to on-premises apps.
Azure AD for new applications
When your business acquires new applications, add them to the Azure AD tenant. Establish a company policy of adding new apps to Azure AD.
See, Quickstart: Add an enterprise application
Azure AD has a gallery of integrated applications to make it easy to get started. Add a gallery app to your Azure AD organization (see the previous link), and use the software as a service (SaaS) integration tutorials to configure it.
See, Tutorials for integrating SaaS applications with Azure AD
Use the following tutorials to learn to integrate common tools with Azure AD single sign-on (SSO).
- Tutorial: Azure AD SSO integration with ServiceNow
- Tutorial: Azure AD SSO integration with Workday
- Tutorial: Azure AD SSO integration with Salesforce
- Tutorial: Azure AD SSO integration with AWS Single-Account Access
- Tutorial: Azure AD SSO integration with Slack
Apps not in the gallery
You can integrate applications that don't appear in the gallery, including applications built in your organization and third-party applications from vendors. Vendors can submit a request to publish an app in the gallery. To learn about integrating apps you develop in-house, see Integrate apps your developers build.
- Quickstart: View enterprise applications
- Submit a request to publish your application in Azure AD application gallery
Determine application usage and prioritize integration
Discover the applications employees use, and prioritize integrating the apps with Azure AD. Use the Microsoft Defender for Cloud Apps Cloud Discovery tools to discover and manage apps not managed by your IT team. Microsoft Defender for Endpoint (formerly known as Microsoft Defender Advanced Threat Protection) simplifies and extends the discovery process.
In addition, use the Active Directory Federation Services (AD FS) application activity report in the Azure portal to discover AD FS apps in your organization. The report shows the unique users that signed in to each app and information about how compatible the app is with Azure AD integration.
See, Review the application activity report
After you discover apps in your environment, prioritize the apps to migrate and integrate. Consider the following parameters:
- Apps used most frequently
- Riskiest apps
- Apps to be decommissioned, which are excluded from migration
- Apps that stay on-premises
See, Resources for migrating applications to Azure AD
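The prioritization parameters above can be turned into a repeatable ranking over the discovery output. The following script is an added example, not part of the original page or of any Microsoft tool; the inventory is constructed sample data of the kind Cloud Discovery and the AD FS activity report produce, and the weights, the 0-100 risk scale and the field names are assumptions you would adjust to your own data.

```python
from dataclasses import dataclass


@dataclass
class DiscoveredApp:
    """One row of a discovery inventory (field names are assumptions for this example)."""
    name: str
    idp: str                  # identity provider in use today: "ADFS", "Okta", "local", "none", ...
    monthly_signins: int      # unique sign-ins observed by Cloud Discovery / AD FS activity report
    risk_score: int           # 0 (safe) .. 100 (riskiest), as reported by Cloud Discovery
    decommission: bool = False  # app is being retired, so it is excluded from migration
    on_premises: bool = False   # app stays on-premises, so it is published via Application Proxy


# Constructed sample inventory (not real discovery data).
SAMPLE_INVENTORY = [
    DiscoveredApp("Expense portal", "ADFS", 4200, 35, on_premises=True),
    DiscoveredApp("Legacy HR app", "local", 150, 80, decommission=True),
    DiscoveredApp("Shadow file share", "none", 900, 90),
    DiscoveredApp("CRM SaaS", "Okta", 6000, 40),
    DiscoveredApp("Old wiki", "ADFS", 30, 20, on_premises=True),
]


def migration_priority(apps, risk_weight=0.6, usage_weight=0.4):
    """Rank apps for Azure AD integration by risk and usage.

    - Decommissioned apps are dropped (not in migration).
    - Usage is normalized against the busiest remaining app.
    - On-premises apps are kept in the ranking but routed to Application Proxy
      instead of a gallery / custom SSO integration.
    """
    candidates = [a for a in apps if not a.decommission]
    busiest = max((a.monthly_signins for a in candidates), default=0) or 1
    ranked = []
    for app in candidates:
        usage = app.monthly_signins / busiest
        score = risk_weight * (app.risk_score / 100) + usage_weight * usage
        route = ("Application Proxy / secure hybrid access" if app.on_premises
                 else "Azure AD SSO (gallery or custom app)")
        ranked.append({
            "name": app.name,
            "current_idp": app.idp,
            "score": round(score, 4),
            "route": route,
        })
    # Highest score first; ties broken by name so the output is stable.
    ranked.sort(key=lambda r: (-r["score"], r["name"]))
    return ranked


if __name__ == "__main__":
    for row in migration_priority(SAMPLE_INVENTORY):
        print(f'{row["score"]:.2f}  {row["name"]:<20} {row["current_idp"]:<6} -> {row["route"]}')
```

With the sample data the highest-usage SaaS app and the unmanaged high-risk app come out on top, the decommissioned app disappears, and the two AD FS apps that stay on-premises are flagged for the Application Proxy route described later on this page.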
Integrate apps and identity providers
During discovery, there might be applications not tracked by the IT team, which can create vulnerabilities. Some applications use alternative identity solutions, including AD FS, or other identity providers (IdPs). We recommend you consolidate identity and access management. Benefits include:
- Reduce on-premises user set-up, authentication, and IdP licensing fees
- Lower administrative overhead with streamlined identity and access management process
- Enable single sign-on (SSO) access to applications in the My Apps portal
- Use Identity Protection and Conditional Access to gain insight from app usage data, and extend those protections to newly added apps
App owner awareness
To help manage app integration with Azure AD, use the following material to build awareness and interest among application owners. Modify the material with your branding.
You can download:
- Zip file, Editable Azure AD App Integration One-Pager
- Microsoft PowerPoint presentation, Azure AD application integration guidelines
Active Directory Federation Services
Evaluate whether AD FS is used for authentication with SaaS apps, line-of-business apps, and Microsoft 365 and Azure AD apps.
Improve the configuration illustrated in the previous diagram by moving application authentication to Azure AD. Enable sign-on for apps and ease application discovery with the My Apps portal.
See the following diagram of app authentication simplified by Azure AD.
After Azure AD is the central IdP, you might be able to discontinue AD FS.
You can migrate apps that use a different cloud-based IdP. Your organization might have multiple Identity Access Management (IAM) solutions. Migrating to one Azure AD infrastructure can reduce dependencies on IAM licenses and infrastructure costs. If you paid for Azure AD with Microsoft 365 licenses, likely you don't have to purchase another IAM solution.
Integrate on-premises applications
Traditionally, application security relied on users connecting from inside the corporate network. Today, organizations grant access to apps for customers, partners, and employees regardless of location. Application Proxy in Azure AD connects on-premises apps to Azure AD without edge servers or additional network infrastructure.
See, Using Azure AD Application Proxy to publish on-premises apps for remote users
The following diagram illustrates Application Proxy Service processing a user request.
See, Tutorial: Add an on-premises application for remote access through Application Proxy in Azure AD
In addition, integrate application delivery controllers such as F5 BIG-IP APM, or Zscaler Private Access, with Azure AD. The benefits are modern authentication and identity management, traffic management, and security features. We call this solution secure hybrid access.
See, Secure hybrid access: Protect legacy apps with Azure AD
For the following services, there are Azure AD integration tutorials.
- Tutorial: Azure AD SSO integration with Akamai
- Tutorial: Azure AD SSO integration with Citrix ADC SAML Connector for Azure AD (Kerberos-based authentication); Citrix ADC was formerly known as Citrix NetScaler
- Integrate F5 BIG-IP with Azure AD
- Tutorial: Integrate Zscaler Private Access (ZPA) with Azure AD
Integrate apps your developers build
For your developers' apps, use the Microsoft identity platform for authentication and authorization. Integrated applications are registered and managed like other apps in your portfolio.
- Microsoft identity platform documentation
- Quickstart: Register an application with the Microsoft identity platform
Developers can use the platform for internal and customer-facing apps. For instance, use the Microsoft Authentication Library (MSAL) to sign users in, so that Conditional Access controls such as multi-factor authentication are enforced when users access your apps.
- Overview of the Microsoft Authentication Library (MSAL)
- Microsoft identity platform code samples
- Video: Overview of the Microsoft identity platform for developers (33:54)
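One concrete way MSAL lets Conditional Access enforce MFA is the claims challenge: a protected API answers 401 with a WWW-Authenticate header whose claims parameter says which claim is missing, and the client passes that value to MSAL so Azure AD re-evaluates policy (for example, by prompting for MFA) before issuing a new token. The following Python is an added example, not code from the original page or from the MSAL project; the header layout follows Microsoft's documented claims-challenge format, the sample challenge is constructed here, the acrs (authentication context) value c1 and the client and tenant placeholders are assumptions, and the sign-in function needs the msal package, a registered app, and network access to actually run.

```python
import base64
import json
import re

# Constructed sample of the 401 challenge a Microsoft identity platform API returns when
# Conditional Access demands a stronger claim. "acrs" is an authentication context; an
# admin binds it (here the assumed value "c1") to a Conditional Access policy such as MFA.
SAMPLE_CLAIMS = {"access_token": {"acrs": {"essential": True, "value": "c1"}}}
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", '
    'claims="' + base64.b64encode(json.dumps(SAMPLE_CLAIMS).encode()).decode() + '"'
)


def parse_claims_challenge(www_authenticate):
    """Return the decoded claims JSON string from a Bearer challenge, or None.

    MSAL expects the decoded JSON (not the base64 form) as its claims_challenge argument.
    Anything that is not an insufficient_claims challenge, or does not decode to JSON,
    is rejected so that an attacker-controlled header cannot smuggle arbitrary text
    into the token request.
    """
    if not www_authenticate.startswith("Bearer "):
        return None
    params = dict(re.findall(r'(\w+)="([^"]*)"', www_authenticate))
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    raw = params["claims"]
    raw += "=" * (-len(raw) % 4)            # restore base64 padding if it was stripped
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
        json.loads(decoded)                  # must be well-formed JSON before MSAL sees it
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded


def acquire_token(client_id, tenant_id, scopes, claims_challenge=None):
    """Sign the user in with MSAL, replaying a claims challenge if the API issued one.

    Passing claims_challenge makes MSAL skip the cached token and go back to Azure AD,
    which re-runs Conditional Access (MFA, device state, ...) before issuing a new token.
    """
    import msal  # imported here so the offline parser above runs without the package

    app = msal.PublicClientApplication(
        client_id, authority=f"https://login.microsoftonline.com/{tenant_id}")
    result = None
    accounts = app.get_accounts()
    if accounts:
        result = app.acquire_token_silent(
            scopes, account=accounts[0], claims_challenge=claims_challenge)
    if not result or "access_token" not in result:
        result = app.acquire_token_interactive(scopes, claims_challenge=claims_challenge)
    if "access_token" not in result:
        raise RuntimeError(f"{result.get('error')}: {result.get('error_description')}")
    return result["access_token"]


if __name__ == "__main__":
    challenge = parse_claims_challenge(SAMPLE_WWW_AUTHENTICATE)
    print("claims to send to MSAL:", challenge)
    # Real sign-in (placeholders are assumptions; needs network, an app registration and msal):
    # token = acquire_token("<client-id>", "<tenant-id>", ["User.Read"], claims_challenge=challenge)
```

The flow in an app is: call the API, and on a 401 run parse_claims_challenge over the WWW-Authenticate header; if it returns a value, call acquire_token again with that value and retry the request with the new token. Because the challenge is validated as base64-encoded JSON before it reaches MSAL, a malformed or spoofed header is ignored rather than forwarded.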