Article Index for Application Management in Azure Active Directory
This page provides a comprehensive list of every document written about the various application-related features in Azure Active Directory (Azure AD).
There is a brief introduction to each major feature area, as well as guidance on which articles to read depending on what information you're looking for.
The articles below are good starting points for those who simply want a brief explanation of Azure AD application management features.
|An introduction to the application management problems that Azure AD solves||Managing Applications with Azure Active Directory (AD)|
|An overview of the various features in Azure AD related to enabling single sign-on, defining who has access to apps, and how users launch apps||Application Access and Single Sign-on in Azure Active Directory|
|A look at the different steps involved when integrating apps into your Azure AD||Integrating Azure Active Directory with Applications; Enabling Single Sign-On to SaaS Apps; Managing Access to Apps|
|A technical explanation of how apps are represented in Azure AD||How and Why Applications are Added to Azure AD|
This section provides quick access to relevant troubleshooting guides. More information about each feature area can be found on the rest of this page.
|Federated Single Sign-On||Troubleshooting SAML-Based Single Sign-On|
|Password-Based Single Sign-On||Troubleshooting the Access Panel Extension for Internet Explorer|
|Application Proxy||App Proxy Troubleshooting Guide|
|Single sign-on between on-prem AD and Azure AD||Troubleshooting Password Hash Synchronization; Troubleshooting Password Writeback|
|Dynamic Group Memberships||Troubleshooting Dynamic Group Memberships|
Single Sign-On (SSO)
Federated Single Sign-On: Sign into many apps using one identity
Single sign-on allows users to access a variety of apps and services using only one set of credentials. Federation is one method through which you can enable single sign-on. When users attempt to sign into federated apps, they will get redirected to their organization's official sign-in page rendered by Azure Active Directory, and are then redirected back to the app upon successful authentication.
Federated single sign-on is available for all editions of Azure AD for up to ten apps per user. Azure AD Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium, then you can use groups to assign access to federated applications.
Password-Based Single Sign-On: Account sharing and SSO for non-federated apps
To enable single sign-on to applications that don't support federation, Azure AD offers password management features that can securely store passwords to SaaS apps and automatically sign users into those apps. You can easily distribute credentials for newly created accounts and share team accounts with multiple people. Users don't necessarily need to know the credentials to the accounts that they're given access to.
|An introduction to how password-based SSO works and a brief technical overview||Password-Based Single Sign-On with Azure AD|
|A summary of the scenarios related to account sharing and how these problems are solved by Azure AD||Sharing accounts with Azure AD|
|Automatically change the password for certain apps at a regular interval||Automated Password Rollover (preview)|
|Deployment and troubleshooting guides for the Internet Explorer version of the Azure AD password management extension||How to Deploy the Access Panel Extension for Internet Explorer using Group Policy; Troubleshooting the Access Panel Extension for Internet Explorer|
Password-based single sign-on is available for all editions of Azure AD for up to ten apps per user. Azure AD Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium, then you can use groups to assign access to applications. Automated password rollover is an Azure AD Premium feature.
App Proxy: Single sign-on and remote access to on-premises applications
If you have applications in your private network that need to be accessed by users and devices outside the network, then you can use Azure AD Application Proxy to enable secure, remote access to those apps.
|Overview of Azure AD Application Proxy and how it works||Providing secure remote access to on-premises applications|
|Tutorials on how to configure Application Proxy and how to publish your first app||How to Set Up Azure AD App Proxy; How to Silently Install the App Proxy Connector; How to Publish Applications using App Proxy; How to Use your own Domain Name|
|How to enable single sign-on and conditional access for apps published with App Proxy||Single-sign-on with Application Proxy; Conditional Access and Application Proxy|
|Guidance on how to use Application Proxy for the following scenarios||How to Support Native Client Applications; How to Support Claims-Aware Applications; How to Support Applications Published on Separate Networks and Locations|
|Troubleshooting guide for Application Proxy||App Proxy Troubleshooting Guide|
Application Proxy is available for all editions of Azure AD for up to ten apps per user. Azure AD Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium, then you can use groups to assign access to applications.
You may also be interested in Azure AD Domain Services, which allows you to migrate your on-premises applications to Azure while still satisfying the identity needs of those applications.
Enabling single sign-on between Azure AD and on-premises AD
If your organization maintains a Windows Server Active Directory on premises along with your Azure Active Directory in the cloud, then you will likely want to enable single sign-on between these two systems. Azure AD Connect (the tool that integrates these two systems together) provides multiple options for setting up single sign-on: establish federation with ADFS or another federation provider, or enable password synchronization.
|An overview on the single sign-on options offered in Azure AD Connect, as well as information on managing hybrid environments||User Sign On Options in Azure AD Connect|
|General guidance for managing environments with both on-premises Active Directory and Azure Active Directory||Azure AD Hybrid Identity Design Considerations; Integrating your On-Premises Identities with Azure Active Directory|
|Guidance on using Password Sync to enable SSO||Implement Password Synchronization with Azure AD Connect; Troubleshoot Password Synchronization|
|Guidance on using Password Writeback to enable SSO||Getting Started with Password Management in Azure AD; Troubleshoot Password Writeback|
|Guidance on using third party identity providers to enable SSO||List of Compatible Third-Party Identity Providers That Can Be Used to Enable Single Sign-On|
|How Windows 10 users can enjoy the benefits of single sign-on via Azure AD Join||Extending Cloud Capabilities to Windows 10 Devices through Azure Active Directory Join|
Azure AD Connect is available for all editions of Azure Active Directory. Azure AD Self-Service Password Reset is available for Azure AD Basic and Azure AD Premium. Password Writeback to on-prem AD is an Azure AD Premium feature.
Conditional Access: Enforce additional security requirements for high-risk apps
Once you set up single sign-on to your apps and resources, you can then further secure sensitive applications by enforcing specific security requirements on every sign-in to that app. For instance, you can use Azure AD to demand that all access to a particular app always require multi-factor authentication, regardless of whether or not that app innately supports that functionality. Another common example of conditional access is to require that users be connected to the organization's trusted network in order to access a particularly sensitive application.
|An introduction to the conditional access capabilities offered across Azure AD, Office 365, and Intune||Managing Risk With Conditional Access|
|How to enable conditional access for the following types of resources||Conditional Access for SaaS Apps; Conditional Access for Office 365 services; Conditional Access for On-Premises Applications; Conditional Access for On-Premises Applications Published via Azure AD App Proxy|
|How to register devices with Azure Active Directory in order to enable device-based conditional access policies||Overview of Azure Active Directory Device Registration; How to Enable Automatic Device Registration for Domain Joined Windows Devices; Steps for Windows 8.1 devices; Steps for Windows 7 devices|
|How to use the Microsoft Authenticator app for two-step verification||Microsoft Authenticator|
Conditional Access is an Azure AD Premium feature.
Apps & Azure AD
Cloud Discovery: Find which SaaS apps are being used in your organization
Cloud Discovery analyzes your traffic logs against Microsoft Cloud App Security's cloud app catalog of over 16,000 cloud apps, which are ranked and scored based on more than 70 risk factors, to provide you with ongoing visibility into cloud use, Shadow IT, and the risk Shadow IT poses to your organization.
|A general overview of how it works||Set up Cloud Discovery|
Automatically provision and deprovision user accounts in SaaS apps
Automate the creation, maintenance, and removal of user identities in SaaS applications such as Dropbox, Salesforce, ServiceNow, and more. Match and sync existing identities between Azure AD and your SaaS apps, and control access by automatically disabling accounts when users leave the organization.
|Learn about how it works and find answers to common questions||Automate User Provisioning & Deprovisioning to SaaS Apps|
|Configure how information is mapped between Azure AD and your SaaS app||Customizing Attribute Mappings; Writing Expressions for Attribute Mappings|
|How to enable automated provisioning to any app that supports the SCIM protocol||Set up Automated User Provisioning to any SCIM-Enabled App|
|How to report on and troubleshoot user provisioning||Reporting on automatic user provisioning; Troubleshooting user provisioning|
|Limit who gets provisioned to an application based on their attribute values||Scoping Filters|
Automated user provisioning is available for all editions of Azure AD for up to ten apps per user. Azure AD Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium, then you can use groups to manage which users get provisioned.
Building applications that integrate with Azure AD
If your organization is developing or maintaining line-of-business (LoB) applications, or if you're an app developer with customers who use Azure Active Directory, the following tutorials will help you integrate your applications with Azure AD.
|Guidance for both IT professionals and application developers on integrating apps with Azure AD||The IT Pro's Guide for Developing Applications for Azure AD; The Developer's Guide for Azure Active Directory|
|How application vendors can add their apps to the Azure AD App Gallery||Listing your Application in the Azure Active Directory Application Gallery|
|How to manage access to developed applications using Azure Active Directory||How to Enable User Assignment for Developed Applications; Assigning Users to your App; Assigning Group to your App|
If you're developing consumer-facing applications, you may be interested in using Azure Active Directory B2C so that you don't have to develop your own identity system to manage your users.
Managing Access to Applications
Using groups and self-service to manage who has access to which apps
To help you manage who should have access to which resources, Azure Active Directory allows you to set assignments and permissions at scale using groups. IT may choose to enable self-service features so that users can simply request permission when they need it.
|An overview of Azure AD access management features||Introduction to Managing Access to Apps; How Access Management Works in Azure AD; How to Use Groups to Manage Access to SaaS Applications|
|Enable self-service management of apps and groups||Self-Service Application Management; Self-Service Group Management|
|Instructions for setting up your groups in Azure AD||How to Create Security Groups; How to Designate Owners for a Group; How to Use the "All Users" Group|
|Use dynamic groups to automatically populate group membership using attribute-based membership rules||Dynamic Group Membership: Advanced Rules; Troubleshooting Dynamic Group Memberships|
Group-based application access management is available for Azure AD Basic and Azure AD Premium. Self-service group management, self-service application management, and dynamic groups are Azure AD Premium features.
B2B Collaboration: Enable partner access to applications
If your business has partnered with other companies, it's likely that you need to manage partner access to your corporate applications. Azure Active Directory B2B Collaboration provides an easy and secure way to share your apps with partners.
|An overview of different Azure AD features that can help you manage external users such as partners, customers, etc.||Comparing Capabilities for Managing External Identities in Azure AD|
|An introduction to B2B Collaboration and how to get started||Simple, Secure, Cloud Partner Integration with Azure AD; Azure Active Directory B2B Collaboration|
|A deeper dive into Azure AD B2B Collaboration and how to use it||B2B Collaboration: How it works; Current Limitations of Azure AD B2B Collaboration; Detailed walkthrough of using Azure AD B2B Collaboration|
|Reference articles with technical details on how Azure AD B2B Collaboration works||CSV File Format for Adding Partner Users; User Attributes Affected by Azure AD B2B Collaboration; User Token Format for Partner Users|
B2B Collaboration is currently available for all editions of Azure Active Directory.
Access Panel: A portal for accessing apps and self-service features
The Azure AD Access Panel is where end-users can launch their apps and access the self-service features that allow them to manage their apps and group memberships. In addition to the Access Panel, other options for accessing SSO-enabled apps are included in the list below.
|A comparison of the different options available for deploying single sign-on apps to users||Deploying Azure AD Integrated Applications to Users|
|An overview of the Access Panel and its mobile equivalent MyApps||Introduction to Access Panel and MyApps|
|How to access Azure AD apps from the Office 365 website||Using the Office 365 App Launcher|
|How to access Azure AD apps from the Intune Managed Browser mobile app||Intune Managed Browser|
|How to access Azure AD apps using deep links to initiate single sign-on||Getting Direct Sign-On Links to Your Apps|
Access Panel is available for all editions of Azure Active Directory.
Reports: Easily audit app access changes and monitor sign-ins to apps
Azure Active Directory provides several reports and alerts to help you monitor your organization's access to applications. You can receive alerts for anomalous sign-ins to your apps, and you can track when and why a user's access to an application has changed.
|An overview of the reporting features in Azure Active Directory||Getting Started with Azure AD Reporting|
|How to monitor the sign-ins and app-usage of your users||View Your Access and Usage Reports|
|Track changes made to who can access a particular application||Azure Active Directory Audit Report Events|
|Export the data of these reports to your preferred tools using the Reporting API||Getting Started with the Azure AD Reporting API|
To see which reports are included with different editions of Azure Active Directory, click here.