Organizations use Microsoft Azure to reduce overall capital and operational expenditure. Azure not only saves costs but also provides authentication and authorization for applications designed for the cloud. Azure Active Directory (Azure AD) is Microsoft's cloud identity service. It is not a subset or a cloud copy of on-premises Active Directory, but it offers the familiar building blocks: user accounts, security groups, and authentication and authorization. For example, if you design a cloud application with a login interface that requires users to sign in before they can use it, you can integrate the application with Azure AD. When a user signs in, Azure AD authenticates the user and issues a token the application can use to grant access to its resources. Azure AD authentication also provides a number of access control options that you can apply to each application registered in Azure.
Register applications with Azure AD
Integrating an application with Azure AD is also referred to as registering the application. There are two ways to register an application with Azure AD: using the express settings in App Service Authentication/Authorization, or creating the app registration manually and then pointing the app at it. Once the application is registered, Azure AD provides its authentication and authorization services.
Register applications using express settings
To configure an application using the express settings, you configure the authentication and authorization settings on the App Service app itself, which enables the Azure AD authentication provider. The steps for registering an application with express settings are listed below:
- In the Azure portal, navigate to the App Service app for which you want to configure authentication, open its settings, click Authentication/Authorization and turn on App Service Authentication as shown in Figure A below:
- On the same settings page, make sure the Authentication Providers list shows Azure Active Directory as it appears above.
- Click Azure Active Directory to show the Management mode options. Under Management mode, click Express to show the express settings as shown in Figure B:
- On the express settings page, you can select an existing app registration by clicking Select Existing AD App, or you can create a new one by clicking Create New AD App as shown in Figure B.
- Next, click OK to register the application. Azure creates the app registration in your tenant and records its application ID (client ID) in the App Service authentication settings. It's worth opening the new registration under App registrations afterwards to review what was created on your behalf.
Register applications manually
If you want to manually register an application with Azure AD authentication, you need to create the application registration first and then configure the application registration details in Azure. To register the application manually, follow the steps outlined below:
- Navigate to the App Service app in the Azure portal and copy the app's URL (https://<app-name>.azurewebsites.net).
- Next, click Azure Active Directory, click App registrations and then click New application registration.
- There are a few details you need to enter, including the application name and the application type (Web app / API). Then paste the application URL you copied in step one into Sign-on URL.
- Next, click Create to let Azure create the app registration.
- From the settings page of the registration, click Properties, paste the application URL into the App ID URI and Home page URL boxes and then click Save. Also check that the registration's reply URLs include https://<app-name>.azurewebsites.net/.auth/login/aad/callback; without it, Azure AD will refuse to redirect users back to the app after sign-in.
- Next, from the same page, copy the Application ID (also called the client ID) to use on the Authentication/Authorization page.
Once you've created the app registration, go back to the App Service app in the Azure portal, click Authentication/Authorization, click Azure Active Directory and this time choose Advanced under Management mode. Enter the application ID you copied as the Client ID and your tenant's issuer URL (https://sts.windows.net/<tenant-id>/) as the Issuer Url; a client secret is optional. The application ID you enter here is the audience the app will expect in every token, so any mismatch between it and the registration will cause sign-ins to fail.
Once you've completed the steps above, you're ready to use Azure AD authentication.
Control application access in Azure
You control what happens to requests that are not authenticated with the Action to take when request is not authenticated setting on the Authentication/Authorization page. For example, to require every caller to sign in to Azure AD before reaching the app, select Log in with Azure Active Directory as shown in Figure C below:
The other options are Allow Anonymous requests (no action), which leaves authentication to your application code, and Log in with Facebook, Log in with Google, Log in with Microsoft Account and Log in with Twitter. For business applications, I recommend Log in with Azure Active Directory, which ensures only users in your tenant, whether created in the cloud or synced from on premises, can reach the application. Keep in mind that this is an authentication check: it proves who the caller is, but by default any user in the tenant who can sign in gets through. To restrict access to specific people, enable User assignment required on the enterprise application (or check group or app role claims in your own code), and keep the Issuer Url set to your tenant so tokens issued for other tenants are rejected.
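The following is an added example, not code from the original article, showing what an application behind App Service Authentication should do with the identity it receives. It relies on the fact that App Service passes the signed-in user's claims to the app in the X-MS-CLIENT-PRINCIPAL header as base64-encoded JSON. The code checks the audience against the application ID copied from the registration, the issuer and tenant against the Issuer Url entered in Advanced mode, and then enforces an app role before allowing the request, which is the authorization step the Log in with Azure Active Directory action does not perform by itself. The client ID, tenant ID, role names and the long .NET claim-type aliases are assumptions for this example; the sample header values are constructed inline.

```python
import base64
import json

# Values an operator copies from the app registration. These GUIDs are placeholders
# assumed for this example, not real identifiers.
EXPECTED_CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # Application (client) ID
EXPECTED_TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # Directory (tenant) ID
# Issuer as entered in the Advanced settings; the v1 (sts.windows.net) and v2 forms
# are both accepted here.
EXPECTED_ISSUERS = {
    f"https://sts.windows.net/{EXPECTED_TENANT_ID}/",
    f"https://login.microsoftonline.com/{EXPECTED_TENANT_ID}/v2.0",
}
# App roles assigned to users on the registration (names assumed for this example).
ALLOWED_ROLES = {"App.Admin", "App.User"}

# App Service may present some claims under their long .NET claim-type names.
# This mapping is an assumption so both the short and the long forms are recognised.
CLAIM_ALIASES = {
    "tid": "http://schemas.microsoft.com/identity/claims/tenantid",
    "oid": "http://schemas.microsoft.com/identity/claims/objectidentifier",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "roles": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}


def parse_client_principal(header_value: str) -> dict:
    """Decode X-MS-CLIENT-PRINCIPAL (base64 JSON) into {"auth_typ": ..., "claims": {typ: [val, ...]}}."""
    padded = header_value + "=" * (-len(header_value) % 4)   # tolerate stripped padding
    doc = json.loads(base64.b64decode(padded))
    claims: dict = {}
    for c in doc.get("claims", []):
        claims.setdefault(c["typ"], []).append(c["val"])
    return {"auth_typ": doc.get("auth_typ"), "claims": claims}


def claim(claims: dict, short_name: str) -> list:
    """Look a claim up by its short name, falling back to its long alias."""
    return claims.get(short_name) or claims.get(CLAIM_ALIASES.get(short_name, ""), [])


def authorize(headers: dict) -> dict:
    """Decide whether a request that reached the app may proceed.

    Returns {"allowed": True, "oid": ..., "name": ..., "roles": [...]} on success,
    otherwise {"allowed": False, "reason": ...}. Header names are matched exactly,
    so normalise them first if your framework does not.
    """
    raw = headers.get("X-MS-CLIENT-PRINCIPAL")
    if not raw:
        return {"allowed": False, "reason": "anonymous request"}
    try:
        principal = parse_client_principal(raw)
    except (ValueError, KeyError, TypeError, AttributeError):
        return {"allowed": False, "reason": "malformed principal"}
    claims = principal["claims"]
    if principal["auth_typ"] != "aad":
        return {"allowed": False, "reason": "not an Azure AD login"}   # e.g. a social provider
    if claim(claims, "aud") != [EXPECTED_CLIENT_ID]:
        return {"allowed": False, "reason": "audience mismatch"}
    if not set(claim(claims, "iss")) & EXPECTED_ISSUERS:
        return {"allowed": False, "reason": "issuer mismatch"}
    if claim(claims, "tid") != [EXPECTED_TENANT_ID]:
        return {"allowed": False, "reason": "tenant mismatch"}
    roles = sorted(set(claim(claims, "roles")) & ALLOWED_ROLES)
    if not roles:
        return {"allowed": False, "reason": "no permitted app role"}
    oids, names = claim(claims, "oid"), claim(claims, "name")
    return {"allowed": True, "oid": oids[0] if oids else None,
            "name": names[0] if names else None, "roles": roles}


def build_principal_header(claims: dict, auth_typ: str = "aad") -> str:
    """Construct a header value shaped like App Service's (test data only, not a real token)."""
    entries = [{"typ": typ, "val": v}
               for typ, vals in claims.items()
               for v in (vals if isinstance(vals, list) else [vals])]
    doc = {"auth_typ": auth_typ, "name_typ": "name", "role_typ": "roles", "claims": entries}
    return base64.b64encode(json.dumps(doc).encode()).decode()


# Constructed sample requests.
GOOD_CLAIMS = {
    "aud": EXPECTED_CLIENT_ID,
    "iss": f"https://sts.windows.net/{EXPECTED_TENANT_ID}/",
    "tid": EXPECTED_TENANT_ID,
    "oid": "99999999-8888-7777-6666-555555555555",
    "name": "Jane Doe",
    "roles": ["App.User"],
}
OTHER_TENANT = "ffffffff-1111-2222-3333-444444444444"
SAMPLE_OK = {"X-MS-CLIENT-PRINCIPAL": build_principal_header(GOOD_CLAIMS)}
SAMPLE_OTHER_TENANT = {"X-MS-CLIENT-PRINCIPAL": build_principal_header(
    {**GOOD_CLAIMS, "tid": OTHER_TENANT, "iss": f"https://sts.windows.net/{OTHER_TENANT}/"})}
SAMPLE_NO_ROLE = {"X-MS-CLIENT-PRINCIPAL": build_principal_header({**GOOD_CLAIMS, "roles": []})}
SAMPLE_SOCIAL = {"X-MS-CLIENT-PRINCIPAL": build_principal_header(GOOD_CLAIMS, auth_typ="facebook")}
SAMPLE_ANON: dict = {}

if __name__ == "__main__":
    for label, hdrs in [("ok", SAMPLE_OK), ("other tenant", SAMPLE_OTHER_TENANT),
                        ("no role", SAMPLE_NO_ROLE), ("social", SAMPLE_SOCIAL), ("anonymous", SAMPLE_ANON)]:
        print(f"{label:13s} -> {authorize(hdrs)}")
```

The platform populates X-MS-CLIENT-PRINCIPAL only after a successful sign-in, so the anonymous case only arises when the action is set to Allow Anonymous requests; the remaining checks matter regardless of that setting, because the header tells you who signed in, not whether they should be using the application.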
Decide which user storage to use
Since users must sign in to the application, you must populate them in Azure AD. You can either create cloud-only users in Azure AD or synchronize users from on-premises AD. To synchronize, organizations deploy Azure AD Connect on premises; it synchronizes user objects and, with password hash synchronization enabled, the users' password hashes (not the passwords themselves) to Azure AD. Alternatively, a federated deployment (for example with AD FS) keeps authentication on premises, and Azure AD redirects sign-ins for federated domains to the federation server. Either way, the result is single sign-on: users use one identity to access both on-premises and cloud resources, including Azure AD-registered applications, and you avoid creating and maintaining separate cloud accounts.
Troubleshoot Azure AD synchronization issues