Choosing the application type when adding an application in Azure Active Directory

Learn about the four types of applications you can add to Azure Active Directory (Azure AD). When you add an application in Azure Active Directory, you are prompted to choose one of the four application types.

What are the types of applications?

Azure AD supports four main application types that you can add using the Add feature found under Enterprise Applications. These include:

  • Azure AD Gallery Applications – An application that has been pre-integrated for single sign-on with Azure AD.

  • Application Proxy Applications – An application running in your on-premises environment to which you want to provide secure single sign-on externally.

  • Custom-developed Applications – An application that your organization wishes to develop on the Azure AD Application Development Platform, but that may not exist yet.

  • Non-Gallery Applications – Bring your own applications! Any web link you want, or any application that renders a username and password field, supports SAML or OpenID Connect protocols, or supports SCIM that you wish to integrate for single sign-on with Azure AD.

Features and capabilities supported by the application types

The following features are supported by any of the preceding four application types in Azure AD:

Single sign-on and provisioning modes supported by specific application types

The following table describes the different single sign-on and provisioning modes supported by each of the preceding application types. You can use this table to help you to understand which application you need to add to support a specific goal.

App types table

How to choose a single sign-on mode

Following are the supported single sign-on modes for Azure AD applications.

  • Azure AD single sign-on disabled – choose the Azure AD single sign-on disabled mode if you are not yet ready to integrate this application for single sign-on with Azure AD, or are simply testing it out.

  • Linked Sign-on – choose the Linked Sign-on single sign-on mode if you have an application that is already connected with an existing single sign-on solution, or if you just want to publish a simple link for your users in their Application Access Panel or Office 365 application launcher.

  • Password-based Sign-on – choose the Password-based Sign-on single sign-on mode if your application renders an HTML username and password field and you want to store that username and password securely to be replayed to the application later.

  • SAML-based Sign-on – choose the SAML-based Sign-on single sign-on mode if your application supports the SAML or OpenID Connect protocols, or you want to be able to map users to specific application roles based on rules you define in your SAML claims.

    Note

    This option is not available when the application proxy is configured for an application.

  • Header-based Sign-on – choose the Header-based Sign-on single sign-on mode if you have an application using PingAccess that supports HTTP-header-based authentication that you wish to perform single sign-on to.

    Note

    This option is only available when the application proxy and PingAccess are configured for an application.

  • Integrated Windows Authentication – choose the Integrated Windows Authentication single sign-on mode when exposing an on-premises WIA application that you wish to perform single sign-on to.

    Note

    This option is only available when the application proxy is configured for an application.

Single sign-on modes for custom-developed applications

Applications you have custom developed through the Custom-developed application experience also support additional single sign-on modes not previously listed, which include:

Read the Azure Active Directory developer’s guide to learn more about how to create a custom-developed application that supports these single sign-on modes.

How to set an application’s single sign-on mode

To set an application’s single sign-on mode, follow these instructions:

  1. Open the Azure portal and sign in as a Global Administrator or Co-admin.

  2. Open the Azure Active Directory Extension by clicking All services at the top of the main left-hand navigation menu.

  3. Type in “Azure Active Directory” in the filter search box and select the Azure Active Directory item.

  4. Click Enterprise Applications from the Azure Active Directory left-hand navigation menu.

  5. Click All Applications to view a list of all your applications.

    • If the application you want does not appear here, use the Filter control at the top of the All Applications List and set the Show option to All Applications.

  6. Select the application for which you want to configure single sign-on.

  7. Once the application loads, click Single sign-on from the application’s left-hand navigation menu.

How to choose a provisioning mode

  • Manual Provisioning – choose the Manual provisioning mode if you have existing accounts, or wish to manage accounts for this application outside of Azure AD.

  • Automatic Provisioning – choose the Automatic provisioning mode if you want to enable automatic API-based provisioning and/or de-provisioning of user accounts to this application.

    Note

    This option is available only for applications within the featured category of the Azure AD Application Gallery.

  • SCIM-based Automatic Provisioning – use SCIM-based Automatic Provisioning if your application supports the SCIM protocol for detecting changes to users and groups, which are automatically emitted for changes to any application integrated with Azure AD.

    Note

    This option is not listed as a specific provisioning mode, but is enabled by default for all applications that are integrated with Azure AD.

How to set an application’s provisioning mode

To set an application’s provisioning mode, follow these instructions:

  1. Open the Azure portal and sign in as a Global Administrator or Co-admin.

  2. Open the Azure Active Directory Extension by clicking All services at the top of the main left-hand navigation menu.

  3. Type in “Azure Active Directory” in the filter search box and select the Azure Active Directory item.

  4. Click Enterprise Applications from the Azure Active Directory left-hand navigation menu.

  5. Click All Applications to view a list of all your applications.

    • If the application you want does not appear here, use the Filter control at the top of the All Applications List and set the Show option to All Applications.

  6. Select the application for which you want to configure provisioning.

  7. Once the application loads, click Provisioning from the application’s left-hand navigation menu.

Next steps

Managing Applications with Azure Active Directory