Identify SAML-enabled apps in Azure AD

Question

I'm trying to build some governance around SSO-enabled applications in my environment. I have multiple apps which has SAML/OAuth/OIDC integration with Azure AD. Is there a way to get the data from Azure AD about "Which protocol this app is using for SSO?"

The end goal here to identify all SSO enabled apps with protocols used for future migration.

So far, I've tried to look into AzureAD and Az Powershell modules, but haven't found a way to clearly determine that from the cmdlets.

Answer 1

@Sergey S , You can use the following PS snippet:

$type = "SAML APP"  
Get-AzureADServicePrincipal -All $true | Where-Object {($_.Tags -contains "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1") -or ($_.Tags -contains "WindowsAzureActiveDirectoryCustomSingleSignOnApplication")} | Select DisplayName, @{Name="AppType"; Expression={$type}}  

Every Application be it an OAuth app or SAML app (both gallery and non-gallery apps) would have two objects created in AAD when their registration happens. One is called the Application Object and the other is the Service Principal object. Now I used the Service Principal object to prepare this snippet. When you dump the properties of a Service Principal Object using PS, you would find that every application has a certain number of Tags associated with it like:

• OAuth apps would have a tag called "WindowsAzureActiveDirectoryIntegratedApp"
• Gallery SAML Apps would have a tag called "WindowsAzureActiveDirectoryGalleryApplicationPrimaryV1"
• Non-Gallery SAML Apps would have a tag called "WindowsAzureActiveDirectoryCustomSingleSignOnApplication"

Hence you can use the following Tags and find out what kind of app is it. Now the following Tag "WindowsAzureActiveDirectoryIntegratedApp" is common to all types of apps {categories as mentioned in the above list}, hence the snippet i shared above, by using that you can list all the SAML apps (both gallery and non-gallery) and rest of the apps would be your OAuth apps.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

Answer 2

@soumi-MSFT I'm gonna have to uncheck your answer as valid for now, here's why:
I've tried to create new empty application using Azure portal, did no configuration whatsoever, here's what I get when I query this app using PS:

3 tags has been applied to this app immediately - basically saying that it could be either SAML or OAuth
Am I missing something?

Answer 3

@Sergey S , That's correct, nothing wrong in the steps you performed. Now let me explain you. When you are creating an application using the Enterprise application by choosing the non-gallery app option, by that you only get to create either a SAML, Password-Based or Linked type of applications but not OAuth App using this.

Note: As mentioned earlier, the following Tag "WindowsAzureActiveDirectoryIntegratedApp" is common to all types of apps {categories as mentioned in the above list}, hence the snippet I shared above, by using that you can list all the SAML apps (both gallery and non-gallery) and rest of the apps would be your OAuth apps.

Further clarifying, for SAML Application we have two categories, Gallery Applications and Non-Gallery Applications, where in Gallery applications would only contain the tag "WindowsAzureActiveDirectoryGalleryApplicationPrimaryV1" and the non-gallery apps would contain both the following tags "WindowsAzureActiveDirectoryGalleryApplicationPrimaryV1 (since its also a SAML app)" and "WindowsAzureActiveDirectoryCustomSingleSignOnApplication(specific to Non-Gallery App)".

Based on this, I found that's the best way to segregate applications as OAuth and SAML apps. Now the condition you are specifying I believe should be for the tags for SAML apps only and remaining apps would be OAuth Apps.

Do let me know if this helps.

Answer 4

Using the listed tags doesn't get you consistent result. I've been trying to find a way to list all of the SSO type applications and Microsoft doesn't seem to have created a consistent process to tell what types of Apps are available. I tried using the tagged query's listed above and found it was missing a good percentage of our SSO apps. If i look at one of the missing applications it only has a tag of "WindowsAzureActiveDirectoryIntegratedApp", even though it is setup using SAML SSO. So based on that it seems you shouldn't rely on TAGs.
I tried looking for all of our SSOs by querying apps that have reply URLs (a requirement of any SSO app), but then I got way too many apps returned.

Get-AzureADApplication -All $true | where {$_.ReplyUrls -ne $null} | Select DisplayName, ReplyUrls | Sort DisplayName

It seems Microsoft is adding reply URLs like {https://VisualStudio/SPN} to apps and there are also other common reply URLs that don't have anything to do with SSO apps.

I personally don't think Microsoft thought this trough at all, we have ended up with thousands of apps under Enterprise applications and it seems impossible to categorizes what they are being used for. That is one of the problems of using the same type of object for everything and then never thinking about how to separate them out

Answer 5

Absolutely agree with this Wards comments. Im trying to do the same and the tags are so inconsistent. Some are apps from the same gallery app and configured the same. Like we have workday prod/Test/Dev and all are setup for SSO. Two have the right tags where as one is just showing WindowsAzureActiveDirectoryIntegratedApp