Azure Identity And Access Management Part 32 – Azure Active Directory – Application Management 1 – Overview
Hope you all are doing well!!!
In our previous articles we discussed Azure Active Directory Domain Services (Azure AD DS) in detail. In this article we start on a new Azure Active Directory feature: Application Management.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them at the following links.
Manage Applications With Traditional Solution:
Organizations use many applications to manage and complete their assignments and day-to-day business-critical activities. With the traditional method, organizations face the following difficulties.
- Every application in an organization manages users' identities and access privileges separately.
- Users maintain a separate username and password for each application.
- Users need to keep track of every username and password: password expiration, password complexity, password changes, and so on.
- It is difficult for an admin to maintain N applications for thousands of identities using the traditional method.
- There is no central location to update or manage identity information for the different applications.
To address the above difficulties, organizations adopt cloud solutions provided by different directory service providers such as Microsoft, AWS, Google and Oracle. Identity And Access Management (IAM) solves these problems of the traditional approach and provides more features to increase security.
Identity And Access Management (IAM) System Of Azure AD:
Azure AD simplifies the way we manage our applications by providing a single identity system for our cloud and on-premises applications. Every application asks each user to sign in by providing their identity information, and that information is verified by the identity system. As we know, an Identity and Access Management (IAM) system provides a single place to keep track of user identities.
Azure AD is the IAM system for the Microsoft cloud and provides the following advantages over the traditional method.
Centralized Access Management System - User authentication and account management are handled at a central system.
Quick User Provisioning - User accounts and identity information are created and managed within the system quickly and easily.
Support for Single Sign-On (SSO) - Users authenticate once and are then allowed access to all other associated applications.
Multi-Factor Authentication (MFA) - Users are authenticated by being challenged with multiple authentication factors.
Adaptive Authentication Methods - Users are challenged with multiple authentication steps based on their risk profile.
Identity Federation - Users that exist in an external identity provider are authenticated.
Application Management In Azure:
We can manage our cloud and on-premises applications using the Application Proxy, Single Sign-On, My Apps portal (also known as the Access panel) and Software as a Service (SaaS) apps features of Azure.
Integrate Applications With Azure AD:
We can integrate different types of applications with Azure AD. The following are the types of applications that we can add to the Enterprise applications of Azure AD.
Azure AD Gallery applications - Applications that have been pre-integrated for single sign-on with Azure AD.
Non-Gallery applications - We can integrate Azure AD with any of the following categories.
- Any web link or application that renders a username and password field.
- Any application that supports the SAML or OpenID Connect protocols.
- Any application that supports the System for Cross-domain Identity Management (SCIM) standard.
On-premises applications with Application Proxy - On-premises applications can integrate with Azure AD to support single sign-on using Azure AD Application Proxy.
Custom-developed applications - Our custom line-of-business applications can integrate with Azure AD to support single sign-on.
A centralized identity system helps by providing a single place to store user information that can then be used by all integrated applications. Azure AD also keeps track of which applications use it as their identity system. Users sign in once and then seamlessly access all of these integrated applications, along with Office 365 and other business applications from Microsoft.
Centralize Application Management With Azure AD:
- Increase productivity with Single Sign-On (SSO).
- Secure access to your apps with automatic provisioning/deprovisioning.
- Sign in to all your applications from one portal.
- Manage risk with conditional access.
- Audit sign-ins.
- Govern access.
- Manage from the cloud. No more on-premises servers.
- Remote access to on-premises applications.
Improve Productivity Of Applications:
Organizations noticed a huge productivity gain by adopting the cloud solution to manage hundreds of different applications. The following are the major areas of improvement.
- Reduces the involvement of IT professionals, and therefore the time spent waiting on them to respond, because there is less dependency on them.
- Enables single sign-on (Federated SSO, Password SSO, Linked SSO) across applications.
- Office 365 provides a superior sign-in experience by reducing sign-in prompts.
- Reduces the effort of managing multiple passwords.
- Reduces management effort by providing self-service and dynamic membership.
- Improves the security of the identity system by allowing the right people in the business to manage access.
Manage Risk For Applications:
This cloud solution provides a robust security mechanism. The following capabilities allow granular control policies based on applications.
- Single Sign-On (Federated SSO, Password SSO, Linked SSO)
- Cloud-Scale Identity Protection
- Risk-Based Access Control
- Native Multi-Factor Authentication
- Conditional Access Policies
Application Management Best Practices:
There are recommendations and best practices for managing applications in Azure Active Directory (Azure AD). The following are the points to take care of before we proceed to integrate applications. The recommendations are categorized in three sections as described below.
- Cloud app and single sign-on recommendations:
  - Check the Azure AD application gallery for apps before developing a custom application.
  - If the application supports it, use federated, SAML-based SSO with Azure AD over password-based SSO and ADFS.
  - Use SHA-256 signing algorithms for certificate signing instead of SHA-1 if possible.
  - Deploy the My Apps access panel to support users, as it is a single point of entry for their assigned cloud-based applications.
  - User assignment is required for applications to appear on a user's Access Panel.
  - Use group assignment for better user management of the application.
  - Establish a process for managing certificates.
- Provisioning recommendations:
  - Use tutorials to set up provisioning with cloud apps.
  - Use provisioning logs (preview) to monitor status.
  - Assign a distribution group to the provisioning notification email.
- Application Proxy recommendations:
  - Use Application Proxy for remote access to internal resources.
  - Use custom domains.
  - Synchronize users before deploying Application Proxy.
  - Use multiple Application Proxy connectors for greater resiliency, availability, and scale.
  - Locate connector servers close to application servers, and make sure they're in the same domain.
  - Enable auto-updates for connectors.
  - Bypass your on-premises proxy.
  - Use Azure AD Application Proxy over Web Application Proxy.
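As an added example, not part of the original article, the Python check below applies two of the single sign-on recommendations above to a SAML federation-metadata document: it flags any SHA-1 signature or digest algorithm and any metadata whose validUntil date is close. The metadata document, its entityID and the certificate value are constructed placeholders, not values from a real tenant.

```python
# Added example: audit a SAML federation-metadata document against two of the
# recommendations above (SHA-256 rather than SHA-1 signing; tracking certificate
# and metadata lifetime). The metadata, entityID and certificate are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_ALGS = {DS + "rsa-sha1", DS + "sha1"}
# Reference "now" for the constructed sample (timezone-aware, like validUntil).
REF_TIME = datetime.fromisoformat("2024-06-01T00:00:00+00:00")

# Constructed sample: an IdP descriptor still signed with RSA-SHA1 and with a
# validUntil only ten days after REF_TIME.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
  entityID="https://idp.example.test/" validUntil="2024-06-11T00:00:00Z">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
    <ds:Reference URI=""><ds:DigestMethod
      Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def audit_metadata(xml_text, now=REF_TIME, warn_days=30):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # Every signature and digest algorithm declared anywhere in the document.
    for local in ("SignatureMethod", "DigestMethod"):
        for el in root.iter("{%s}%s" % (DS, local)):
            alg = el.get("Algorithm", "")
            if alg in SHA1_ALGS:
                findings.append("%s uses SHA-1 (%s)" % (local, alg))
    # Metadata whose validUntil falls inside the warning window needs a rollover plan.
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry - now < timedelta(days=warn_days):
            findings.append("validUntil %s is within %d days" % (valid_until, warn_days))
    # SAML SSO cannot work without a signing KeyDescriptor at all.
    if root.find(".//md:KeyDescriptor[@use='signing']", {"md": MD}) is None:
        findings.append("no signing KeyDescriptor")
    return findings
```

Point `audit_metadata` at the federation metadata exported from your own tenant or application to run the same checks on real data.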
Azure AD Support For Integrated Applications:
Azure AD provides the following access management support to configured/integrated applications.
- Easily achieve the right access policies.
- Attribute-based assignment (ABAC or RBAC scenarios).
- Support for complex policies.
- Combining multiple management models for a single application.
- Reuse of management rules across applications with the same audiences.
- Allows administrators to easily report on assignment state, assignment errors, and usage.
Application Deployment Methods:
Azure AD provides the following ways to deploy applications to end users in our organization:
- Azure AD access panel
- Office 365 application launcher
- Direct sign-on to federated apps
- Deep links to federated, password-based, or existing apps
Azure AD Saves Costs:
Organizations can reduce/save costs by adopting Azure AD in the following ways.
- Reduce administrative costs to maintain and keep track of different identity information for different applications.
- Reduce administrative costs by automating user provisioning and deprovisioning.
- There is robust technical support from Microsoft to address issues.
- Save costs by improving productivity.
We can find the different references provided by Microsoft in the following figure.
With the above information, we conclude the first article of the Application Management series. I hope this is informative to you.
I am exploring Azure Identity and Access Management (IAM) in detail, especially Azure Active Directory. Please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂