News

App Reporting and Admin Tools for Azure AD Hit Preview

• By Kurt Mackie
• 01/27/2020

For organizations wanting to connect their applications to Azure Active Directory, Microsoft is rolling out a few new features in preview.

According to an announcement last week, one preview aims to help IT pros find apps in their computing environments that are using Active Directory Federation Services (ADFS) but can switch to using Azure AD instead. A second preview sets up a workflow for end users to request access to applications when denied access. Lastly, Microsoft announced improvements to applications that are pre-integrated with the Azure AD service.

ADFS Activity Report Preview
One of the improvements is an ADFS "activity report" preview, which is accessible in the Azure Portal under the "Usage & Insights" resource, according to this Microsoft Azure document. IT pros can use the activity report to find applications that are currently using ADFS (a Windows Server role) but that are capable of switching over to using the Azure AD cloud-based service.

The ADFS activity report preview "assesses all AD FS applications for compatibility with Azure AD, checks for any issues, and gives guidance on preparing individual applications for migration," the document explained.

It's possible to run migration tests on these applications and fix issues. Reports data can be seen by IT pros with roles such as "global administrator, report reader, security reader, application administrator, or cloud application administrator," the document explained.

Admin Consent Preview
Another improvement is an "admin consent workflow" preview, which sets up a permission-request process when end users attempt to use unauthorized applications, according to this document. Currently, if an application requires access to organizational data, end users attempting to sign into it may get "a generic error message" that directs them to their IT administrator, but the message doesn't specify the person to contact, the document explained.

With the admin consent workflow preview turned on, end users will get a workflow that lets them send e-mails to the account administrator or a designated reviewer, requesting approval to use the application. "To approve requests, a reviewer must be a global administrator, cloud application administrator, or application administrator," according to the document. Users have to offer a reason why they want to use the app, which gets sent in the e-mail.

IT pros can turn on the admin consent workflow preview, if wanted, via the Azure Portal if they are a global administrator. However, granting consent to one end user appears to grant consent to all end users.

Here's how Microsoft's document expressed it:

If you're concerned about granting admin consent and allowing all users in the tenant to use the application, we recommend that you deny the request. Then manually grant admin consent by restricting access to the application by requiring user assignment, and assigning users or groups to the application. For more information, see Methods for assigning users and groups.

Azure AD App Gallery Highlights
Microsoft announced some highlights for applications integrated via the Azure AD App Gallery.

Azure AD now supports "federated single sign-on" for the following Azure AD App Gallery applications: Blue Access (Blue Cross/Blue Shield health insurance), Freshworks (CRM and IT service management), Hootsuite (social media management), Netskope Cloud Security and Terraform Enterprise.

In addition, the following Azure AD App Gallery apps now have support for automated user provisioning: Harness (a DevOps platform), Infor CloudSuite (ERP), iProva (AI), RingCentral (unified communications) and Templafy (business document templates).

Azure AD supports integration with four app types, according to this Microsoft document. First, some apps are pre-integrated for single sign-on access and get housed in the Azure AD Gallery. Second, there are non-Gallery apps, which can be integrated with Azure AD if the app "renders a username and password field, supports SAML or OpenID Connect protocols, or supports SCIM [System for Cross-Domain Identity Management]." Other Azure AD-supported apps include "on-premises Web apps" that tap into the Azure AD Application Proxy service, plus "custom line-of-business applications."