Enterprise Mobility and Security Blog

RSS

Howdy folks,

We know that that enabling self-service is one of the top initiatives for many of our enterprise customers. Lots of users, lots of applications, and the person who is best-informed to make access grant decisions probably doesn’t work in the IT department. Often the best person to decide who can access an application is a team lead or other delegated administrator. But at the end of the day, it’s the user who uses the app, and they generally have a pretty good idea about what apps they need to do their job!

So today we’re happy to announce a preview of self-service application access in Azure AD. This will allow administrators to do things like:

  • Enable users to request access to applications using a “Get more applications” tile in the Azure AD access panel
  • Set which applications users can request access to
  • Create an approval policy if needed
  • Specify who should approve requests for specific applications

This capability is supported for all pre-integrated apps that support federated or password-based single sign-on in the Azure Active Directory app gallery, including apps like Salesforce, Dropbox, Google Apps, and more.

To get started:

  • Sign into the Azure management portal.
  • Under the Active Directory section, select your directory, then select the Configure tab.
  • Near the bottom of the page, set Allow users to self-assign access to enabled applications to Yes, and click Save to enable the feature.

  • Next, select the Applications tab. Select the Add button, and use the gallery option to select and add an application.

  • After your app has been added, you’ll get the app Quick Start page. Click Configure Single Sign-On, select the desired single sign-on mode, and save the configuration.

  • Next, select the Configure tab. To enable users to request access to this app from the Azure AD access panel, set Allow self-service application access to Yes.

  • To optionally configure an approval workflow for access requests, set Require approval before granting access to Yes. Then one or more approvers can be selected using the Approvers button.

An approver can be any user in the organization with an Azure AD account, and could be responsible for account provisioning, licensing, or any other business process your organization requires before granting access to an app. The approver could even be the group owner of one or more shared account groups, and can assign the users to one of these groups to give them access via a shared accounts. The options are limitless.

If no approval is required, then users will instantly get the application added to their Azure AD access panel. This appropriate if the application has been set up for automatic user provisioning, or has been set up “user-managed” password SSO mode where the user already has a user account and knows the password.

  • Click Save at the bottom of the screen to save the configuration. Now users will be able to request access to this app from the access panel.
  • To try the end user experience, sign into you organization’s Azure AD access panel at https://myapps.microsoft.com, preferably using a different account that isn’t an app approver.

  • Under the Applications tab, click the Get more applications tile. This displays a gallery of all of the applications that have been enabled for self-service application access in the directory, with the ability to search and filter by app category on the left.

  • Clicking on an app kicks off the request process. If no approval process is required, then the application will be immediately added under the Applications tab after a short confirmation. If approval is required, then you will see a dialog indicating this, and an email will be send to the approvers. (Quick note: You need to be signed into the access panel as a non-approver to see this request process).

  • The email directs the approver to sign into the Azure AD access panel, and approve the request under the Approvals tab. Once the request is approved (and any special processes you define have been performed by the approver), the user will then see the application appear under their Applications tab where they can sign into it.

We will be adding additional supported apps and enhancements in the coming weeks.

As always, we would love to hear any feedback for suggestions you have!

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity and Security Services Division