Article Index for Application Management in Azure Active Directory

This page provides a comprehensive list of every document written about the various application-related features in Azure Active Directory (Azure AD).

There is a brief introduction to each major feature area, as well as guidance on which articles to read depending on what information you're looking for.

Overview Articles

The articles below are good starting points for those who simply want a brief explanation of Azure AD application management features.

| Article Guide | |
| --- | --- |
| An introduction to the application management problems that Azure AD solves | Managing Applications with Azure Active Directory (AD) |
| An overview of the various features in Azure AD related to enabling single sign-on, defining who has access to apps, and how users launch apps | Application Access and Single Sign-on in Azure Active Directory |
| A look at the different steps involved when integrating apps into your Azure AD | Integrating Azure Active Directory with Applications; Enabling Single Sign-On to SaaS Apps; Managing Access to Apps |
| A technical explanation of how apps are represented in Azure AD | How and Why Applications are Added to Azure AD |

Troubleshooting Articles

This section provides quick access to relevant troubleshooting guides. More information about each feature area can be found on the rest of this page.

| Feature Area | |
| --- | --- |
| Federated Single Sign-On | Troubleshooting SAML-Based Single Sign-On |
| Password-Based Single Sign-On | Troubleshooting the Access Panel Extension for Internet Explorer |
| Application Proxy | App Proxy Troubleshooting Guide |
| Single sign-on between on-prem AD and Azure AD | Troubleshooting Password Synchronization; Troubleshooting Password Writeback |
| Dynamic Group Memberships | Troubleshooting Dynamic Group Memberships |

Single Sign-On (SSO)

Federated Single Sign-On: Sign into many apps using one identity

Single sign-on allows users to access a variety of apps and services using only one set of credentials. Federation is one method through which you can enable single sign-on. When users attempt to sign into federated apps, they will get redirected to their organization's official sign-in page rendered by Azure Active Directory, and are then redirected back to the app upon successful authentication.

| Article Guide | |
| --- | --- |
| An introduction to federation and other types of sign-on | Single Sign-On with Azure AD |
| Thousands of SaaS apps that are pre-integrated with Azure AD with simplified single sign-on configuration steps | Getting started with the Azure AD application gallery; Full List of Pre-Integrated Apps that Support Federation; How to Add Your App to the Azure AD App Gallery |
| More than 150 app tutorials on how to configure single sign-on for apps such as Salesforce, ServiceNow, Google Apps, Workday, and many more | List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory |
| How to manually set up and customize your single sign-on configuration | How to Configure Federated Single Sign-On to Apps that are not in the Azure Active Directory Application Gallery; How to Customize Claims Issued in the SAML Token for Pre-Integrated Apps |
| Troubleshooting guide for federated apps that use the SAML protocol | Troubleshooting SAML-Based Single Sign-On |
| How to configure your app's certificate's expiration date, and how to renew your certificates | Managing Certificates for Federated Single Sign-On in Azure Active Directory |

Federated single sign-on is available for all editions of Azure AD for up to ten apps per user. Azure AD Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium, then you can use groups to assign access to federated applications.

Password-Based Single Sign-On: Account sharing and SSO for non-federated apps

To enable single sign-on to applications that don't support federation, Azure AD offers password management features that can securely store passwords to SaaS apps and automatically sign users into those apps. You can easily distribute credentials for newly created accounts and share team accounts with multiple people. Users don't necessarily need to know the credentials to the accounts that they're given access to.

| Article Guide | |
| --- | --- |
| An introduction to how password-based SSO works and a brief technical overview | Password-Based Single Sign-On with Azure AD |
| A summary of the scenarios related to account sharing and how these problems are solved by Azure AD | Sharing accounts with Azure AD |
| Automatically change the password for certain apps at a regular interval | Automated Password Rollover (preview) |
| Deployment and troubleshooting guides for the Internet Explorer version of the Azure AD password management extension | How to Deploy the Access Panel Extension for Internet Explorer using Group Policy; Troubleshooting the Access Panel Extension for Internet Explorer |

Password-based single sign-on is available for all editions of Azure AD for up to ten apps per user. Azure AD Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium, then you can use groups to assign access to applications. Automated password rollover is an Azure AD Premium feature.

App Proxy: Single sign-on and remote access to on-premises applications

If you have applications in your private network that need to be accessed by users and devices outside the network, then you can use Azure AD Application Proxy to enable secure, remote access to those apps.

| Article Guide | |
| --- | --- |
| Overview of Azure AD Application Proxy and how it works | Providing secure remote access to on-premises applications |
| Tutorials on how to configure Application Proxy and how to publish your first app | How to Set Up Azure AD App Proxy; How to Silently Install the App Proxy Connector; How to Publish Applications using App Proxy; How to Use your own Domain Name |
| How to enable single sign-on and conditional access for apps published with App Proxy | Single-sign-on with Application Proxy; Conditional Access and Application Proxy |
| Guidance on how to use Application Proxy for the following scenarios | How to Support Native Client Applications; How to Support Claims-Aware Applications; How to Support Applications Published on Separate Networks and Locations |
| Troubleshooting guide for Application Proxy | App Proxy Troubleshooting Guide |

Application Proxy is available for all editions of Azure AD for up to ten apps per user. Azure AD Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium, then you can use groups to assign access to applications.

You may also be interested in Azure AD Domain Services, which allows you to migrate your on-premises applications to Azure while still satisfying the identity needs of those applications.

Enabling single sign-on between Azure AD and on-premises AD

If your organization maintains a Windows Server Active Directory on premises along with your Azure Active Directory in the cloud, then you will likely want to enable single sign-on between these two systems. Azure AD Connect (the tool that integrates these two systems together) provides multiple options for setting up single sign-on: establish federation with ADFS or another federation provider, or enable password synchronization.

| Article Guide | |
| --- | --- |
| An overview of the single sign-on options offered in Azure AD Connect, as well as information on managing hybrid environments | User Sign On Options in Azure AD Connect |
| General guidance for managing environments with both on-premises Active Directory and Azure Active Directory | Azure AD Hybrid Identity Design Considerations; Integrating your On-Premises Identities with Azure Active Directory |
| Guidance on using Password Sync to enable SSO | Implement Password Synchronization with Azure AD Connect; Troubleshoot Password Synchronization |
| Guidance on using Password Writeback to enable SSO | Getting Started with Password Management in Azure AD; Troubleshoot Password Writeback |
| Guidance on using third party identity providers to enable SSO | List of Compatible Third-Party Identity Providers That Can Be Used to Enable Single Sign-On |
| How Windows 10 users can enjoy the benefits of single sign-on via Azure AD Join | Extending Cloud Capabilities to Windows 10 Devices through Azure Active Directory Join |

Azure AD Connect is available for all editions of Azure Active Directory. Azure AD Self-Service Password Reset is available for Azure AD Basic and Azure AD Premium. Password Writeback to on-prem AD is an Azure AD Premium feature.

Conditional Access: Enforce additional security requirements for high-risk apps

Once you set up single sign-on to your apps and resources, you can then further secure sensitive applications by enforcing specific security requirements on every sign-in to that app. For instance, you can use Azure AD to demand that all access to a particular app always require multi-factor authentication, regardless of whether or not that app innately supports that functionality. Another common example of conditional access is to require that users be connected to the organization's trusted network in order to access a particularly sensitive application.

| Article Guide | |
| --- | --- |
| An introduction to the conditional access capabilities offered across Azure AD, Office 365, and Intune | Managing Risk With Conditional Access |
| How to enable conditional access for the following types of resources | Conditional Access for SaaS Apps; Conditional Access for Office 365 services; Conditional Access for On-Premises Applications; Conditional Access for On-Premises Applications Published via Azure AD App Proxy |
| How to register devices with Azure Active Directory in order to enable device-based conditional access policies | Overview of Azure Active Directory Device Registration; How to Enable Automatic Device Registration for Domain Joined Windows Devices; Steps for Windows 8.1 devices; Steps for Windows 7 devices |
| How to use the Microsoft Authenticator app for two-step verification | Microsoft Authenticator |

Conditional Access is an Azure AD Premium feature.

Apps & Azure AD

Cloud App Discovery: Find which SaaS apps are being used in your organization

Cloud App Discovery helps IT departments learn which SaaS apps are being used throughout the organization. It can measure app usage and popularity so that IT can determine which apps will benefit the most from being brought under IT control and being integrated with Azure AD.

| Article Guide | |
| --- | --- |
| A general overview of how it works | Finding unsanctioned cloud applications with Cloud App Discovery |
| A deeper dive into how it works, with answers to questions on privacy | Security and Privacy Considerations |
| Frequently Asked Questions | FAQ for Cloud App Discovery |
| Tutorials for deploying Cloud App Discovery | Group Policy Deployment Guide; System Center Deployment Guide; Installing on Proxy Servers with Custom Ports |
| The change log for updates to the Cloud App Discovery agent | Change log |

Cloud App Discovery is an Azure AD Premium feature.

Automatically provision and deprovision user accounts in SaaS apps

Automate the creation, maintenance, and removal of user identities in SaaS applications such as Dropbox, Salesforce, ServiceNow, and more. Match and sync existing identities between Azure AD and your SaaS apps, and control access by automatically disabling accounts when users leave the organization.

| Article Guide | |
| --- | --- |
| Learn about how it works and find answers to common questions | Automate User Provisioning & Deprovisioning to SaaS Apps |
| Configure how information is mapped between Azure AD and your SaaS app | Customizing Attribute Mappings; Writing Expressions for Attribute Mappings |
| How to enable automated provisioning to any app that supports the SCIM protocol | Set up Automated User Provisioning to any SCIM-Enabled App |
| How to report on and troubleshoot user provisioning | Reporting on automatic user provisioning; Provisioning notifications; Troubleshooting user provisioning |
| Limit who gets provisioned to an application based on their attribute values | Scoping Filters |

Automated user provisioning is available for all editions of Azure AD for up to ten apps per user. Azure AD Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium, then you can use groups to manage which users get provisioned.

Building applications that integrate with Azure AD

If your organization is developing or maintaining line-of-business (LoB) applications, or if you're an app developer with customers who use Azure Active Directory, the following tutorials will help you integrate your applications with Azure AD.

| Article Guide | |
| --- | --- |
| Guidance for both IT professionals and application developers on integrating apps with Azure AD | The IT Pro's Guide for Developing Applications for Azure AD; The Developer's Guide for Azure Active Directory |
| How application vendors can add their apps to the Azure AD App Gallery | Listing your Application in the Azure Active Directory Application Gallery |
| How to manage access to developed applications using Azure Active Directory | How to Enable User Assignment for Developed Applications; Assigning Users to your App; Assigning Group to your App |

If you're developing consumer-facing applications, you may be interested in using Azure Active Directory B2C so that you don't have to develop your own identity system to manage your users. Learn more.

Managing Access to Applications

Using groups and self-service to manage who has access to which apps

To help you manage who should have access to which resources, Azure Active Directory allows you to set assignments and permissions at scale using groups. IT may choose to enable self-service features so that users can simply request permission when they need it.

| Article Guide | |
| --- | --- |
| An overview of Azure AD access management features | Introduction to Managing Access to Apps; How Access Management Works in Azure AD; How to Use Groups to Manage Access to SaaS Applications |
| Enable self-service management of apps and groups | Self-Service Application Management; Self-Service Group Management |
| Instructions for setting up your groups in Azure AD | How to Create Security Groups; How to Designate Owners for a Group; How to Use the "All Users" Group |
| Use dynamic groups to automatically populate group membership using attribute-based membership rules | Dynamic Group Membership: Advanced Rules; Troubleshooting Dynamic Group Memberships |

Group-based application access management is available for Azure AD Basic and Azure AD Premium. Self-service group management, self-service application management, and dynamic groups are Azure AD Premium features.

B2B Collaboration: Enable partner access to applications

If your business has partnered with other companies, it's likely that you need to manage partner access to your corporate applications. Azure Active Directory B2B Collaboration provides an easy and secure way to share your apps with partners.

| Article Guide | |
| --- | --- |
| An overview of different Azure AD features that can help you manage external users such as partners, customers, etc. | Comparing Capabilities for Managing External Identities in Azure AD |
| An introduction to B2B Collaboration and how to get started | Simple, Secure, Cloud Partner Integration with Azure AD; Azure Active Directory B2B Collaboration |
| A deeper dive into Azure AD B2B Collaboration and how to use it | B2B Collaboration: How it works; Current Limitations of Azure AD B2B Collaboration; Detailed walkthrough of using Azure AD B2B Collaboration |
| Reference articles with technical details on how Azure AD B2B Collaboration works | CSV File Format for Adding Partner Users; User Attributes Affected by Azure AD B2B Collaboration; User Token Format for Partner Users |

B2B Collaboration is currently available for all editions of Azure Active Directory.

Access Panel: A portal for accessing apps and self-service features

The Azure AD Access Panel is where end-users can launch their apps and access the self-service features that allow them to manage their apps and group memberships. In addition to the Access Panel, other options for accessing SSO-enabled apps are included in the list below.

| Article Guide | |
| --- | --- |
| A comparison of the different options available for deploying single sign-on apps to users | Deploying Azure AD Integrated Applications to Users |
| An overview of the Access Panel and its mobile equivalent MyApps | Introduction to Access Panel and MyApps; iOS; Android |
| How to access Azure AD apps from the Office 365 website | Using the Office 365 App Launcher |
| How to access Azure AD apps from the Intune Managed Browser mobile app | Intune Managed Browser; iOS; Android |
| How to access Azure AD apps using deep links to initiate single sign-on | Getting Direct Sign-On Links to Your Apps |

Access Panel is available for all editions of Azure Active Directory.

Reports: Easily audit app access changes and monitor sign-ins to apps

Azure Active Directory provides several reports and alerts to help you monitor your organization's access to applications. You can receive alerts for anomalous sign-ins to your apps, and you can track when and why a user's access to an application has changed.

| Article Guide | |
| --- | --- |
| An overview of the reporting features in Azure Active Directory | Getting Started with Azure AD Reporting |
| How to monitor the sign-ins and app-usage of your users | View Your Access and Usage Reports |
| Track changes made to who can access a particular application | Azure Active Directory Audit Report Events |
| Export the data of these reports to your preferred tools using the Reporting API | Getting Started with the Azure AD Reporting API |

To see which reports are included with different editions of Azure Active Directory, click here.

See also

What is Azure Active Directory?

Azure Active Directory B2C

Azure Active Directory Domain Services

Azure Multi-Factor Authentication