This topic is intended to give you a roadmap for integrating applications with Azure Active Directory (Azure AD). Each of the sections below contains a brief summary of a more detailed topic so you can identify which parts of this getting started guide are relevant to you. Follow the links for a deeper dive on each subject.
Before you begin, take inventory
Before you jump in to integrating applications with Azure AD, it is important to know where you are and where you want to go. The following questions are intended to help you think about your Azure AD application integration project.
- Where are all of your applications? Who owns them?
- What kind of authentication do your applications require?
- Who needs access to which applications?
- Do you want to deploy a new application?
  - Will you build it in-house and deploy it on an Azure compute instance?
  - Will you use one that is available in the Azure Application Gallery?
User and group inventory
- Where do your user accounts reside?
  - On-premises Active Directory
  - Azure AD
  - Within a separate application database that you own
  - In unsanctioned applications
  - All of the above
- What permissions and role assignments do individual users currently have? Do you need to review their access or are you sure that your user access and role assignments are appropriate now?
- Are groups already established in your on-premises Active Directory?
  - How are your groups organized?
  - Who are the group members?
  - What permissions/role assignments do the groups currently have?
- Will you need to clean up user/group databases before integrating? (This is an important question. Garbage in, garbage out: stale accounts and orphaned groups carry over into Azure AD with whatever access they already have.)
Access management inventory
- How do you currently manage user access to applications? Does that need to change? Have you considered other ways to manage access, such as role-based access control (RBAC)?
- Who needs access to what?
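Most of the inventory questions above can be answered directly from the directory. The following script is an added example written for this page, not code from the original article or from Microsoft; it uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph module) with read-only scopes, and the CSV output paths are assumptions.

```powershell
# Added example for this page (not code from the original article).
# Assumes the Microsoft.Graph module is installed and the signed-in account may
# read users, groups and applications. Only read scopes are requested.
Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All', 'Application.Read.All'

# Where do user accounts reside? OnPremisesSyncEnabled separates accounts synced
# from on-premises AD from cloud-only accounts.
$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled
[pscustomobject]@{
    TotalUsers   = @($users).Count
    Disabled     = @($users | Where-Object { -not $_.AccountEnabled }).Count
    SyncedFromAD = @($users | Where-Object { $_.OnPremisesSyncEnabled }).Count
    CloudOnly    = @($users | Where-Object { -not $_.OnPremisesSyncEnabled }).Count
} | Format-List

# How are groups organized and who is in them? Direct members only; a nested
# group appears as a single member of type group.
$groups = Get-MgGroup -All -Property Id, DisplayName, SecurityEnabled, OnPremisesSyncEnabled
$groupReport = foreach ($g in $groups) {
    $members = Get-MgGroupMember -GroupId $g.Id -All
    [pscustomobject]@{
        Group        = $g.DisplayName
        Security     = [bool]$g.SecurityEnabled
        SyncedFromAD = [bool]$g.OnPremisesSyncEnabled
        Members      = @($members).Count
    }
}
$groupReport | Export-Csv -Path .\group-inventory.csv -NoTypeInformation   # assumed output path

# Which applications exist, how do they authenticate, and who can reach them?
# The tag below is the one the portal's Enterprise applications blade filters on,
# so first-party Microsoft service principals are left out of the list.
$apps = Get-MgServicePrincipal -All -Filter "tags/any(t:t eq 'WindowsAzureActiveDirectoryIntegratedApp')" `
    -Property Id, DisplayName, PreferredSingleSignOnMode, AppRoleAssignmentRequired
$appReport = foreach ($sp in $apps) {
    $assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
    [pscustomobject]@{
        App                = $sp.DisplayName
        SsoMode            = $sp.PreferredSingleSignOnMode    # saml, password, oidc, notSupported or blank
        AssignmentRequired = [bool]$sp.AppRoleAssignmentRequired  # $false: every user in the tenant can sign in
        AssignedTo         = (@($assigned) | ForEach-Object { "$($_.PrincipalType):$($_.PrincipalDisplayName)" }) -join '; '
    }
}
$appReport | Export-Csv -Path .\app-access-inventory.csv -NoTypeInformation  # assumed output path

# Apps open to the whole tenant deserve a second look before you migrate access.
$appReport | Where-Object { -not $_.AssignmentRequired } | Select-Object App, SsoMode
```

The two CSV files give you the "who owns what" and "who needs access to what" baseline; the final filter lists applications that any account in the tenant can sign in to, which is usually the first thing to tighten.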
Maybe you don't have the answers to all of these questions up front but that's okay. This guide can help you answer some of those questions and make some informed decisions.
- An Azure subscription and an Azure Active Directory directory (tenant). If you don't already have an Azure subscription, you can try Azure for free for 30 days.
Application integration with Azure AD
Finding unsanctioned cloud applications with Cloud App Discovery
As mentioned above, there may be applications that haven't been managed by your organization until now. As part of the inventory process, it is possible to find unsanctioned cloud applications. See Finding unsanctioned cloud applications with Cloud App Discovery.
Each of your applications may have different authentication requirements. Azure AD supports two broad kinds of single sign-on. With federated SSO (SAML 2.0, WS-Federation, or OpenID Connect), Azure AD signs the tokens it issues with a signing certificate and the application validates that signature; for OpenID Connect and WS-Federation the tenant-wide signing keys are published at the metadata endpoints and rotated by Microsoft, while gallery and custom SAML applications get their own certificate that expires and must be rotated by you. With password-based SSO no signing certificate is involved: Azure AD stores the application credentials and a browser extension replays them at sign-in. For more information, see Managing Certificates for Federated Single Sign-On in Azure Active Directory and Password based single sign on.
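An expired per-application SAML signing certificate breaks sign-in for that application, so the rotation date is worth tracking in the inventory. The script below is an added example for this page, not code from the original article; it assumes the Microsoft.Graph module, an account with Application.Read.All, and a 30-day warning window chosen for illustration.

```powershell
# Added example (not from the original article): list SAML-federated apps and
# when their Azure AD token-signing certificate expires.
# Assumes the Microsoft.Graph module and an account with Application.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All'
$warnDays = 30   # assumed threshold; align it with your rotation window

$samlApps = Get-MgServicePrincipal -All `
    -Property Id, DisplayName, PreferredSingleSignOnMode, KeyCredentials, PreferredTokenSigningKeyThumbprint |
    Where-Object { $_.PreferredSingleSignOnMode -eq 'saml' }

$report = foreach ($sp in $samlApps) {
    # Each SAML app carries its own certificate pair in KeyCredentials; the entry
    # with Usage 'Sign' is the one Azure AD signs assertions with.
    foreach ($cert in ($sp.KeyCredentials | Where-Object { $_.Usage -eq 'Sign' })) {
        if (-not $cert.EndDateTime) { continue }
        # CustomKeyIdentifier holds the SHA-1 thumbprint as bytes.
        $thumb    = ([System.BitConverter]::ToString($cert.CustomKeyIdentifier)) -replace '-'
        $daysLeft = [int]($cert.EndDateTime - (Get-Date).ToUniversalTime()).TotalDays
        [pscustomobject]@{
            App        = $sp.DisplayName
            Thumbprint = $thumb
            # Only the preferred key is used for signing; others are staged or stale.
            Active     = ($thumb -eq $sp.PreferredTokenSigningKeyThumbprint)
            Expires    = $cert.EndDateTime
            DaysLeft   = $daysLeft
            Warn       = ($daysLeft -le $warnDays)
        }
    }
}
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Active certificates inside the warning window need a new certificate created,
# uploaded to the SaaS side, and then made the preferred signing key.
$report | Where-Object { $_.Active -and $_.Warn }
```

Only the row marked Active matters for sign-in today; a staged certificate with Active set to false is the one you switch to after the application side has been updated to trust it.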
Enabling SSO with Azure AD App Proxy
With Azure AD Application Proxy, you can publish applications hosted inside your private network so that users can reach them securely from anywhere and on any device, with Azure AD able to authenticate the user before the request is forwarded to the application. After you install the Application Proxy connector on a server inside your network (the connector only makes outbound connections, so no inbound firewall ports are opened), the application can be configured in Azure AD.
Integrating applications with Azure AD
The following articles discuss the different ways applications integrate with Azure AD, and provide some guidance.
- Determining which Active Directory to use
- Using applications in the Azure application gallery
- Integrating SaaS applications tutorials list
Managing access to applications
The following articles describe ways you can manage access to applications once they have been integrated with Azure AD, including automating it with Azure AD Connectors.
- Managing access to apps using Azure AD
- Automating with Azure AD Connectors
- Assigning users to an application
- Assigning groups to an application
- Sharing accounts
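The two assignment articles above come down to one pattern: require assignment on the application so that unassigned accounts cannot obtain a token, then grant access to a group rather than to individual users. The script below is an added example for this page, not code from the original article; it assumes the Microsoft.Graph module, an account with the write scopes shown, and the hypothetical application and group names. Group-based assignment needs an Azure AD Premium license, and only direct members of the group inherit the assignment.

```powershell
# Added example (not part of the original article): restrict an enterprise app
# to members of one security group.
# Assumes the Microsoft.Graph module and an account holding the scopes below.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Group.Read.All'
$appName   = 'Contoso Expense Portal'   # hypothetical enterprise application
$groupName = 'SG-Expense-Users'         # hypothetical security group

$sp    = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $sp -or -not $group) { throw 'Application or group not found; check the names.' }

# 1. Require assignment. Users who are not assigned now get an error at sign-in
#    instead of a token; without this, anyone in the tenant can use the app.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 2. Choose the app role to grant. An app that defines no roles of its own still
#    exposes the default access role, whose id is the all-zero GUID.
$role   = $sp.AppRoles | Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains 'User' } | Select-Object -First 1
$roleId = if ($role) { $role.Id } else { [guid]::Empty }

# 3. Assign the group once (the call is not idempotent, so check first).
$existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.PrincipalId -eq $group.Id -and $_.AppRoleId -eq $roleId }
if (-not $existing) {
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
        -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $roleId | Out-Null
}

# 4. Verify who can now reach the application.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalType, PrincipalDisplayName, AppRoleId
```

Access reviews then become a question of group membership rather than of per-application assignment lists, which is what makes the inventory from the start of this guide maintainable.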
Integrating custom applications
If you are writing a new application and want to help your developers take advantage of Azure AD, see Guiding developers.
If you want to add your custom application to the Azure Application Gallery, see “Bring your own app” with Azure AD Self-Service SAML configuration.