What is application management?

Azure AD is an Identity and Access Management (IAM) system. It provides a single place to store information about digital identities. You can configure your software applications to use Azure AD as the place where user information is stored.

Azure AD must be configured to integrate with an application. In other words, it needs to know what applications are using it as an identity system. The process of keeping Azure AD aware of these applications, and how it should handle them, is known as application management.

You manage applications on the Enterprise applications blade located in the Manage section of the Azure Active Directory portal.

The Enterprise applications option under the Manage section of the Azure AD portal.

What is an Identity and Access Management (IAM) system?

An application is a piece of software that is used for some purpose. Most applications require users to sign in so that the application can provide a tailored experience for that particular user. In other words, the application needs to know the identity of the user, because that identity determines which functionality to offer, or withhold, for that user.

If each application kept track of users separately then the result would be a silo of different usernames and logins for every application. One application wouldn't know anything about the users in other applications.

A centralized identity system solves this problem by providing a single place to store user information that can then be used by all applications. These systems have come to be known as Identity and Access Management (IAM) systems. Azure AD is the IAM system for the Microsoft cloud.

Tip

An IAM system provides a single place to keep track of user identities. Azure AD is the IAM system for the Microsoft cloud.

Why manage applications with a cloud solution?

Organizations often have hundreds of applications that users depend on to get their work done. Users access these applications from many devices and locations. New applications are added, developed, and sunset every day. With so many applications and access points, it's more critical than ever to use a cloud-based solution to manage user access to all applications.

Tip

The Azure AD app gallery contains many popular applications that are already pre-configured to work with Azure AD as an identity provider.

How does Azure AD work with applications?

Azure AD simplifies the way you manage your applications by providing a single identity system for your cloud and on-premises apps. You can add your software as a service (SaaS) applications, on-premises applications, and line of business (LOB) apps to Azure AD. Then users sign in once to securely and seamlessly access these applications, along with Microsoft 365 and other business applications from Microsoft. You can reduce administrative costs by automating user provisioning. You can also use multi-factor authentication and Conditional Access policies to provide secure application access.

Diagram that shows apps federated via Azure AD

What types of applications can I integrate with Azure AD?

There are four main types of applications that you can add to your Enterprise applications and manage with Azure AD:

  • Azure AD Gallery applications – Azure AD has a gallery that contains thousands of applications that have been pre-integrated for single sign-on with Azure AD. Some of the applications your organization uses are probably in the gallery. Learn about planning your app integration, or get detailed integration steps for individual apps in the SaaS application tutorials.

  • On-premises applications with Application Proxy – With Azure AD Application Proxy, you can integrate your on-premises web apps with Azure AD to support single sign-on. End users can then access your on-premises web apps in the same way they access Microsoft 365 and other SaaS apps. For more information, see Provide remote access to on-premises applications through Azure AD's Application Proxy.

  • Custom-developed applications – When building your own line-of-business applications, you can integrate them with Azure AD to support single sign-on. By registering your application with Azure AD, you have control over the authentication policy for the application. For more information, see guidance for developers.

  • Non-Gallery applications – Bring your own applications! Support single sign-on for other apps by adding them to Azure AD. There are multiple ways to integrate an application, some of these are listed below. For more information, see Configure SAML single sign-on.

Tip

You can integrate Azure AD with an application even if it is not already pre-configured and in the app gallery. You can integrate Azure AD with any of the following:

  • Any web link, or application, that renders a username and password field.
  • Any application that supports SAML or OpenID Connect protocols.
  • Any application that supports the System for Cross-domain Identity Management (SCIM) standard.

Manage risk with Conditional Access policies

Coupling Azure AD single sign-on (SSO) with Conditional Access provides high levels of security for accessing applications. Security capabilities include cloud-scale identity protection, risk-based access control, native multi-factor authentication, and Conditional Access policies. These capabilities allow for granular control policies based on applications, or on groups that need higher levels of security.

Improve productivity with single sign-on

Enabling single sign-on (SSO) across applications and Microsoft 365 provides a superior sign-in experience for existing users by reducing or eliminating sign-in prompts. The user’s environment feels more cohesive and is less distracting without multiple prompts, or the need to manage multiple passwords. The business group can manage and approve access through self-service and dynamic membership. Allowing the right people in the business to manage access to an application improves the security of the identity system.

SSO improves security. Without single sign-on, administrators need to create and update user accounts for each individual application, which takes time. Also, users have to track multiple credentials to access their applications. As a result, users tend to write down their passwords or use other password management solutions, which introduce data security risks. Read more about single sign-on.

Address governance and compliance

With Azure AD, you can monitor application sign-ins through reports that leverage Security Incident and Event Monitoring (SIEM) tools. You can access the reports from the portal, or from APIs. Programmatically audit who has access to your applications, and remove access to inactive users via access reviews.
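The audit described above, carried out on sample data as an added example (this is not code from the Azure AD documentation or from Microsoft). It works on constructed records shaped like the Microsoft Graph appRoleAssignment and signIn resources (principalId, principalType, userId, appDisplayName, createdDateTime, status.errorCode); in practice you would fetch those from the Graph API and feed the result into an access review or remove the assignment. The user ids, app name and idle threshold are assumptions made for the example.

```python
"""Find users assigned to an app who have not signed in to it successfully for a while.

Added example on constructed data; not Microsoft documentation code. The record
shapes follow the Microsoft Graph appRoleAssignment and signIn resources, trimmed
to the fields the logic needs.
"""
from datetime import datetime, timedelta, timezone

APP_NAME = "Expense App"  # assumed application display name

# Constructed sample: principals assigned to the app (appRoleAssignment shape, trimmed).
ASSIGNMENTS = [
    {"principalId": "u-alice", "principalDisplayName": "Alice", "principalType": "User"},
    {"principalId": "u-bob", "principalDisplayName": "Bob", "principalType": "User"},
    {"principalId": "u-carol", "principalDisplayName": "Carol", "principalType": "User"},
    {"principalId": "g-sales", "principalDisplayName": "Sales Team", "principalType": "Group"},
]

# Constructed sample: sign-in events (signIn shape, trimmed). status.errorCode 0 means success.
SIGN_INS = [
    {"userId": "u-alice", "appDisplayName": "Expense App",
     "createdDateTime": "2024-05-01T08:00:00Z", "status": {"errorCode": 0}},
    {"userId": "u-bob", "appDisplayName": "Expense App",
     "createdDateTime": "2024-01-10T09:30:00Z", "status": {"errorCode": 0}},
    {"userId": "u-carol", "appDisplayName": "Expense App",
     "createdDateTime": "2024-05-02T10:00:00Z", "status": {"errorCode": 50126}},  # failed sign-in
    {"userId": "u-alice", "appDisplayName": "Other App",
     "createdDateTime": "2024-05-03T10:00:00Z", "status": {"errorCode": 0}},       # different app
]


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps Graph returns into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_successful_sign_in(sign_ins, app_name):
    """Map userId -> time of that user's most recent successful sign-in to app_name."""
    latest = {}
    for event in sign_ins:
        if event["appDisplayName"] != app_name or event["status"]["errorCode"] != 0:
            continue
        ts = parse_ts(event["createdDateTime"])
        if event["userId"] not in latest or ts > latest[event["userId"]]:
            latest[event["userId"]] = ts
    return latest


def find_inactive_assignments(assignments, sign_ins, app_name, now, max_idle_days=90):
    """Return stale direct user assignments and the group assignments that still need review.

    A user is stale when their latest successful sign-in to the app is older than
    max_idle_days or absent entirely (failed attempts do not count as activity).
    Group assignments cannot be judged without expanding membership, so they are
    returned separately rather than silently skipped.
    """
    cutoff = now - timedelta(days=max_idle_days)
    latest = last_successful_sign_in(sign_ins, app_name)
    stale_users, groups = [], []
    for assignment in assignments:
        pid = assignment["principalId"]
        if assignment["principalType"] == "Group":
            groups.append(pid)
            continue
        seen = latest.get(pid)
        if seen is None or seen < cutoff:
            stale_users.append((pid, assignment["principalDisplayName"], seen))
    return {"stale_users": stale_users, "groups_needing_expansion": groups}


if __name__ == "__main__":
    report = find_inactive_assignments(
        ASSIGNMENTS, SIGN_INS, APP_NAME, now=datetime(2024, 6, 1, tzinfo=timezone.utc))
    for pid, name, seen in report["stale_users"]:
        print(f"review {name} ({pid}): last successful sign-in {seen or 'never'}")
    for gid in report["groups_needing_expansion"]:
        print(f"expand group {gid} and evaluate its members")
```

The two design points worth carrying into a real script are that only successful sign-ins count as activity (Carol's failed attempt does not keep her assignment alive) and that group-based assignments are surfaced for expansion rather than dropped, since most stale access in practice hides behind group membership.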

Manage costs

By migrating to Azure AD, you can save costs and remove the hassle of managing your on-premises infrastructure. Azure AD also provides self-service access to applications, which saves time for both administrators and users. Single sign-on eliminates application-specific passwords. This ability to sign on once saves costs related to password reset for applications, and lost productivity while retrieving passwords.

For Human Resources focused applications, or other applications with a large set of users, you can leverage App provisioning to automate the process of provisioning and deprovisioning users. For more information, see What is application provisioning?
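The SCIM integration option listed in the tip above and the automated provisioning and deprovisioning described here both rest on the application exposing a SCIM 2.0 user endpoint. The following is an added example, not Microsoft's code or any real product's endpoint: an in-memory implementation of the handful of SCIM operations a provisioning service performs (look up by userName, create, patch, delete), written as plain methods so it runs without a web server. The URNs are the standard SCIM 2.0 schema identifiers; the store class, its method names and the sample user values are assumptions for the example.

```python
"""Minimal in-memory SCIM 2.0 User resource (added example, not Microsoft's code).

A provisioning service drives an app's SCIM endpoint in a fixed pattern: query by
userName (GET /Users?filter=userName eq "..."), create if absent (POST /Users),
update attributes with PATCH Operations, and deprovision by setting active to
false or deleting. Each method returns (http_status, body) so an HTTP handler can
wrap it; a real endpoint must verify the bearer token before any of this runs.
"""
import re
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Only the filter form provisioning uses for lookups is supported; anything else is rejected.
_FILTER_RE = re.compile(r'^userName\s+eq\s+"([^"]*)"$', re.IGNORECASE)


def _coerce(attr, value):
    """Tolerate boolean attributes sent as the strings "True"/"False" as well as real booleans."""
    if attr == "active" and isinstance(value, str):
        return value.strip().lower() == "true"
    return value


class ScimUserStore:
    def __init__(self):
        self._users = {}  # id -> user resource

    def create(self, body):
        """POST /Users. userName is the identity key and must be unique (409 on duplicate)."""
        if SCIM_USER not in body.get("schemas", []):
            return 400, {"detail": "missing User schema"}
        user_name = body.get("userName")
        if not user_name:
            return 400, {"detail": "userName is required"}
        if any(u["userName"].lower() == user_name.lower() for u in self._users.values()):
            return 409, {"detail": "userName already exists"}
        user = {
            "schemas": [SCIM_USER],
            "id": str(uuid.uuid4()),          # server-assigned id the service stores and reuses
            "externalId": body.get("externalId"),
            "userName": user_name,
            "active": _coerce("active", body.get("active", True)),
            "name": body.get("name", {}),
            "emails": body.get("emails", []),
        }
        self._users[user["id"]] = user
        return 201, user

    def search(self, filter_expr):
        """GET /Users?filter=... Returns a ListResponse; an empty one tells the service to create."""
        match = _FILTER_RE.match(filter_expr.strip())
        if not match:
            return 400, {"detail": "unsupported filter"}
        wanted = match.group(1).lower()
        hits = [u for u in self._users.values() if u["userName"].lower() == wanted]
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(hits), "Resources": hits}

    def patch(self, uid, body):
        """PATCH /Users/{id}. Handles add/replace/remove on top-level attributes (e.g. active)."""
        user = self._users.get(uid)
        if user is None:
            return 404, {"detail": "not found"}
        if SCIM_PATCH not in body.get("schemas", []):
            return 400, {"detail": "missing PatchOp schema"}
        for op in body.get("Operations", []):
            kind = op.get("op", "").lower()   # op names arrive in varying case
            path, value = op.get("path"), op.get("value")
            if kind in ("add", "replace"):
                if path:
                    user[path] = _coerce(path, value)
                elif isinstance(value, dict):  # no path: value carries the attributes directly
                    for attr, val in value.items():
                        user[attr] = _coerce(attr, val)
            elif kind == "remove" and path:
                user.pop(path, None)
            else:
                return 400, {"detail": f"unsupported operation {kind!r}"}
        return 200, user

    def delete(self, uid):
        """DELETE /Users/{id}. Hard removal; soft deprovisioning is a PATCH of active to false."""
        if self._users.pop(uid, None) is None:
            return 404, {"detail": "not found"}
        return 204, None
```

The security-relevant behaviours here are the case-insensitive uniqueness check on userName (so two accounts cannot be created for one identity), rejecting unknown filters instead of returning everything, and treating a deprovision PATCH of active to false as a first-class operation, since an app that ignores active leaves departed users with working access.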

Next steps