This article contains recommendations and best practices for managing applications in Azure Active Directory (Azure AD), using automatic provisioning, and publishing on-premises apps with Application Proxy.
Cloud app and single sign-on recommendations
Check the Azure AD application gallery for apps
Azure AD has a gallery that contains thousands of pre-integrated applications that are enabled with Enterprise single sign-on (SSO). For app-specific setup guidance, see the List of SaaS app tutorials.
Use federated SAML-based SSO
When an application supports it, use Federated, SAML-based SSO with Azure AD instead of password-based SSO and ADFS.
By default, users can access to your enterprise applications without being assigned to them. However, if the application exposes roles, or if you want the application to appear on a user’s My Apps, require user assignment.
Deploy My Apps to your users
My Apps at https://myapps.microsoft.com is a web-based portal that provides users with a single point of entry for their assigned cloud-based applications. As additional capabilities like group management and self-service password reset are added, users can find them in My Apps. See Plan My Apps deployment.
Use group assignment
If included in your subscription, assign groups to an application so you can delegate ongoing access management to the group owner.
Establish a process for managing certificates
The maximum lifetime of a signing certificate is three years. To prevent or minimize outage due to a certificate expiring, use roles and email distribution lists to ensure that certificate-related change notifications are closely monitored.
Use tutorials to set up provisioning with cloud apps
The provisioning logs give details about all actions performed by the provisioning service, including status for individual users.
Assign a distribution group to the provisioning notification email
To increase the visibility of critical alerts sent by the provisioning service, assign a distribution group to the Notification Emails setting.
Application Proxy recommendations
Use Application Proxy for remote access to internal resources
Application Proxy is recommended for giving remote users access to internal resources, replacing the need for a VPN or reverse proxy. It is not intended for accessing resources from within the corporate network because it could add latency.
Use custom domains
Set up custom domains for your applications (see Configure custom domains) so that URLs for users and between applications will work from either inside or outside of your network. You'll also be able to control your branding and customize your URLs. When using custom domain names, plan to acquire a public certificate from a non-Microsoft trusted certificate authority. Azure Application Proxy supports standard, (wildcard), or SAN-based certificates. (See Application Proxy planning.)
Synchronize users before deploying Application Proxy
Before deploying application proxy, synchronize user identities from an on-premises directory or create them directly in Azure AD. Identity synchronization allows Azure AD to pre-authenticate users before granting them access to App Proxy published applications. It also provides the necessary user identifier information to perform single sign-on (SSO). (See Application Proxy planning.)
Follow our tips for high availability and load balancing
Use two or more Application Proxy connectors for greater resiliency, availability, and scale (see Application Proxy connectors). Create connector groups and ensure each connector group has at least two connectors (three connectors is optimal).
Locate connector servers close to application servers, and make sure they're in the same domain
To optimize performance, physically locate the connector server close to the application servers (see Network topology considerations). Also, the connector server and web applications servers should belong to the same Active Directory domain, or they should span trusting domains. This configuration is required for SSO with Integrated Windows Authentication (IWA) and Kerberos Constrained Delegation (KCD). If the servers are in different domains, you'll need to use resource-based delegation for SSO (see KCD for single sign-on with Application Proxy).
Enable auto-updates for connectors
Enable auto-updates for your connectors for the latest features and bug fixes. Microsoft provides direct support for the latest connector version and one version before. (See Application Proxy release version history.)