Sharing accounts with Azure AD

Overview

Sometimes organizations need to use a single username and password for multiple people, which typically happens in two cases:

  • When accessing applications that require a unique sign-in name and password for each user, whether on-premises apps or consumer cloud services (for example, corporate social media accounts).
  • When creating multi-user environments. You might have a single, local account that has elevated privileges and is used to do core setup, administration, and recovery activities. For example, the local "global administrator" account for Office 365 or the root account in Salesforce.

Traditionally, these accounts are shared by distributing the credentials (username and password) to the right individuals or storing them in a shared location where multiple trusted agents can access them.

The traditional sharing model has several drawbacks:

  • Enabling access to new applications requires you to distribute credentials to everyone that needs access.
  • Each shared application may require its own unique set of shared credentials, so users have to remember multiple sets of credentials. When users have to remember many credentials, the risk increases that they resort to risky practices (for example, writing down passwords).
  • You can't tell who has access to an application.
  • You can't tell who has accessed an application.
  • When you want to remove access to an application, you have to update the credentials and redistribute them to everyone that needs access to that application.

Azure Active Directory account sharing

Azure AD provides a new approach to using shared accounts that eliminates these drawbacks.

The Azure AD administrator configures which applications a user can access by using the Access Panel and choosing the type of single sign-on best suited for that application. One of those types, password-based single sign-on, lets Azure AD act as a kind of "broker" during the sign-on process for that app.

Users log in once with their organizational account. This account is the same one they regularly use to access their desktop or email. They can discover and access only those applications that they are assigned to. With shared accounts, this list of applications can include any number of shared credentials. The end-user doesn't need to remember or write down the various accounts they might be using.

Shared accounts in Azure AD not only increase oversight and improve usability; they also enhance your security. Users with permissions to use the credentials don't see the shared password, but rather get permission to use the password as part of an orchestrated authentication flow. Further, some password SSO applications give you the option of using Azure AD to periodically roll over (update) passwords. The system uses large, complex passwords, which increases account security. The administrator can easily grant or revoke access to an application, knows who has access to the account, and knows who has accessed it in the past.
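The oversight described above (knowing who has access to the shared account and who has actually used it) is only useful if someone reconciles the two. The following script is an added example, not code from the original page or from Microsoft; it assumes you have already exported the app's role assignments and the tenant sign-in events in a shape modeled on Microsoft Graph `appRoleAssignment` and `signIn` objects, and all identifiers, names and events in it are constructed placeholders. It reports, for one shared-credential app, which entitled users have used it, which entitlements are unused (candidates for revocation), and whether any successful sign-in came from a user outside the assigned set (something to review).

```python
"""Reconcile who *can* use a shared-credential app against who *has* used it."""

# Constructed sample data; not real tenant output. The field names follow the
# shape of Microsoft Graph appRoleAssignment and signIn objects, which is an
# assumption of this example, not something the page specifies.
SHARED_APP_ID = "00000000-0000-0000-0000-000000000001"   # placeholder app (client) id
SHARED_SP_ID = "sp-social"                               # placeholder service principal id

# Who is entitled to launch the shared-credential app (group-based assignments
# already expanded to individual users).
ASSIGNMENTS = [
    {"principalId": "u-alice", "principalDisplayName": "Alice Adams", "principalType": "User", "resourceId": SHARED_SP_ID},
    {"principalId": "u-bob",   "principalDisplayName": "Bob Brown",   "principalType": "User", "resourceId": SHARED_SP_ID},
    {"principalId": "u-carol", "principalDisplayName": "Carol Chen",  "principalType": "User", "resourceId": SHARED_SP_ID},
]

# Tenant sign-in events; only those whose appId matches the shared app matter.
SIGN_INS = [
    {"createdDateTime": "2023-03-01T09:12:00Z", "userId": "u-alice", "userPrincipalName": "alice@contoso.example",
     "appId": SHARED_APP_ID, "ipAddress": "198.51.100.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-02T14:03:00Z", "userId": "u-bob", "userPrincipalName": "bob@contoso.example",
     "appId": SHARED_APP_ID, "ipAddress": "198.51.100.11", "status": {"errorCode": 0}},
    # Same user, a different app: must be ignored by the report.
    {"createdDateTime": "2023-03-02T14:05:00Z", "userId": "u-bob", "userPrincipalName": "bob@contoso.example",
     "appId": "11111111-1111-1111-1111-111111111111", "ipAddress": "198.51.100.11", "status": {"errorCode": 0}},
    # Successful sign-in by a user who is not in the assignment list: flag for review.
    {"createdDateTime": "2023-03-03T08:40:00Z", "userId": "u-dave", "userPrincipalName": "dave@contoso.example",
     "appId": SHARED_APP_ID, "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    # Failed sign-in (non-zero errorCode): not counted as access.
    {"createdDateTime": "2023-03-03T08:41:00Z", "userId": "u-alice", "userPrincipalName": "alice@contoso.example",
     "appId": SHARED_APP_ID, "ipAddress": "198.51.100.10", "status": {"errorCode": 50126}},
]


def entitled_users(assignments, resource_id):
    """Map userId -> display name for users assigned to the given service principal."""
    return {a["principalId"]: a["principalDisplayName"]
            for a in assignments
            if a["resourceId"] == resource_id and a["principalType"] == "User"}


def successful_app_sign_ins(sign_ins, app_id):
    """Keep only successful sign-ins (errorCode 0) to the shared app."""
    return [s for s in sign_ins
            if s["appId"] == app_id and s["status"].get("errorCode", 0) == 0]


def access_report(assignments, sign_ins, app_id, resource_id):
    """Reconcile entitlements against observed usage for one shared-credential app."""
    entitled = entitled_users(assignments, resource_id)
    usage = {}
    # ISO-8601 UTC timestamps in one fixed format sort correctly as strings.
    for s in sorted(successful_app_sign_ins(sign_ins, app_id), key=lambda s: s["createdDateTime"]):
        rec = usage.setdefault(s["userId"], {"upn": s["userPrincipalName"], "count": 0,
                                             "last_seen": None, "ips": set()})
        rec["count"] += 1
        rec["last_seen"] = s["createdDateTime"]
        rec["ips"].add(s["ipAddress"])
    return {
        "entitled": entitled,
        "accessed": usage,
        "unassigned_access": sorted(u for u in usage if u not in entitled),      # review these
        "unused_entitlements": sorted(u for u in entitled if u not in usage),    # revocation candidates
    }


def format_report(report):
    """Render the report as lines suitable for a review ticket or console output."""
    lines = ["Entitled users: " + ", ".join(sorted(report["entitled"].values()))]
    for uid, rec in sorted(report["accessed"].items()):
        lines.append(f"used by {rec['upn']}: {rec['count']} sign-in(s), last {rec['last_seen']}, "
                     f"from {', '.join(sorted(rec['ips']))}")
    lines.append("Unassigned users with successful access (review): " + ", ".join(report["unassigned_access"]) or "none")
    lines.append("Entitled but unused (consider revoking): " + ", ".join(report["unused_entitlements"]))
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(access_report(ASSIGNMENTS, SIGN_INS, SHARED_APP_ID, SHARED_SP_ID))))
```

In a real tenant the two inputs would come from the app's role assignments and the sign-in logs for the app; the reconciliation logic is the same. Failed sign-ins are deliberately excluded from the usage count so that the "unused entitlement" list reflects actual use, while the "unassigned access" list catches anyone whose access was not granted through the assignment you control.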

Azure AD supports shared accounts for any Enterprise Mobility Suite (EMS), Premium, or Basic licensed users, across all types of password single sign-on applications. You can share accounts for any of thousands of pre-integrated applications in the application gallery and can add your own password-authenticating application with custom SSO apps.

Azure AD features that enable account sharing include:

Sharing an account

To use Azure AD to share an account, you need to:

You can also make your shared account more secure with Multi-Factor Authentication (MFA) (learn more about securing applications with Azure AD) and you can delegate the ability to manage who has access to the application using Azure AD Self-service Group Management.