Application Conditional access without adding my application to the galley app

lior zivi 1

I created my own multi tenant application in Azure Active Directory.
I also create a web application where users from different tenants can sign in to my web application. (the web application sign in flow is using the applicationId of the application I created in Azure Active Directory).

One of the requests from one of my clients was to configure a conditional access that his users will only be able to sign in to my application from a specific range of ips.

However, since my application is not registered in the application gallery, is it possible for him to set a specific conditional access rule for his tenant targeting my application?

It works if the conditional access rule is set to "all cloud apps" but I want him to have a rule only specifically to my app

1 answer

AmanpreetSingh-MSFT 56,311 Reputation points

2020-10-12T16:47:23.043+00:00

Hello @lior zivi · Welcome to QnA platform and thanks for your query.

Any Azure AD Registered application can be added to Conditional access, it is not required to be gallery application. You should be able to search the application by using application name or application id, under cloud applications blade of conditional access policy.

However, if you are unable to search the application in CA Policy, make sure WindowsAzureActiveDirectoryIntegratedApp tag is added to the application. You can use below PowerShell Cmdlet to add this tag:

Set-AzureADServicePrincipal -AccountEnabled $true -AppId your_app_id -AppRoleAssignmentRequired $true -DisplayName your_app_name -Tags {WindowsAzureActiveDirectoryIntegratedApp}

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
lior zivi 1 Reputation point

2020-10-14T10:09:13.193+00:00

I tried searching for my application id but could not find it:

This is the search:
This is the AppRegistration:

lior zivi 1 Reputation point

2020-10-14T10:10:45.973+00:00

@AmanpreetSingh-MSFT Can the WindowsAzureActiveDirectoryIntegratedApp tag be added from portal?

AmanpreetSingh-MSFT 56,311 Reputation points

2020-10-14T13:56:53.137+00:00

liorzivi-3197 · I don't see any option in portal to set the tag on service principal. For newer apps there is no need to set this tag. This is required for older apps only.

lior zivi 1 Reputation point

2020-10-19T09:22:39.247+00:00

@AmanpreetSingh-MSFT , I just created a new app registration on a different tenant than teh tenant where I would like to set the conditional access:

However when trying to configure the conditional access and find the new app registration I created, I still can't find it, I am placing the appId guid value in the search box in the Select apps but my app registration is not found.

Am I doing something wrong?

Thanks !

AmanpreetSingh-MSFT 56,311 Reputation points

2020-10-19T13:07:22.387+00:00

Hi @lior zivi · Conditional Access policy created in one tenant can only be applied to applications in that particular tenant and NOT to the applications in other tenants. For your scenario, you may consider using Multi-tenant application. When a multi-tenant application is accessed by users in other tenants, they get a consent prompt, at the acceptance of which a service principal corresponding to that application gets created in their tenant. That way you can search for the service principal using the application id in your tenant for applying Conditional Access policy.

lior zivi 1 Reputation point

2020-10-19T16:53:49.717+00:00

Thanks @AmanpreetSingh-MSFT .
So I already created in Tenant-1 a web application corresponding to a multi tenant app registration as you can see from the previous print screens with
Supported account types: multiple organizations.

Then I signed in to that application from a user belonging to Tenant-2.

Now I am trying to set up conditional access to Tenant-2 users from within their Active Directory for conditional access to allow conditional ip based sign in to my multi tenant web application (of Tenant-1).

Following your comment, I should have seen a service principal in Tenant-2 corresponding to that Tenant-1 web application and should have been able to set a conditional access using this service principal.

However, I did not see any Service principal created, where should I see it?
Also, when creating a new Conditional access rule and trying to find the Tenant-1 AppRegistration application id I wasn't able to find it not in users and not in selected apps.

What am I missing?

AmanpreetSingh-MSFT 56,311 Reputation points

2020-10-21T04:51:54.697+00:00

@lior zivi · You should be able to see it under Enterprise Applications, if you search with Display Name or App ID. If it is present in tenant2, you need to run below command in tenant2 as this is a command which needs to be run for service principal.

Set-AzureADServicePrincipal -AccountEnabled $true -AppId your_app_id -AppRoleAssignmentRequired $true -DisplayName your_app_name -Tags {WindowsAzureActiveDirectoryIntegratedApp}

If you do not see a service principal in tenant 2 corresponding to the app1 in tenant1, the issue is with your multi-tenant app. Try creating a new app and test with the new app. Refer to https://learn.microsoft.com/en-us/azure/active-directory/develop/setup-multi-tenant-app for more details.

Patra, Kiran, Vodafone Group 0 Reputation points

2023-10-09T11:20:44.78+00:00

Hello @AmanpreetSingh-MSFT , if an application registered only as mobile application for both the android & iOS then the app id or name is not picked or selected while adding into the CA policy.
Sign in to comment