SC 300T00A ENU PowerPoint 04


SC-300T00A: Microsoft Identity and Access Administrator

© Copyright Microsoft Corporation. All rights reserved.


Implement access management for apps


Outline

• What is an app?
• Plan and design the integration of enterprise apps for single sign-on (SSO)
• Implement and monitor the integration of enterprise apps
• Implement app registrations



Learning objectives
After completing this module, you will be able to:

1 Configure and implement identity solutions for applications in Azure.

2 Compare and contrast managed identities and service principals.

3 Register and manage both apps and enterprise apps.



Explore a cloud app

© Copyright Microsoft Corporation. All rights reserved. August 2023


Table of contents
After completing this section, you will be able to:

1 Explain the benefits of registering apps in Microsoft Entra ID.

2 Compare and contrast single and multitenant apps.

3 Describe what happens and the primary settings when an app is registered.

4 Describe the relationship between application objects and service principals.



Benefits of registering an app

Restrict which users and how they log into an application.

Configure the scope permissions and API permissions available to the app.

Configure and store secrets within the Microsoft identity platform.

Enable custom branding of the application login.



What is an app?

[Diagram] Code running in a virtual machine, or in a Function, App Service, or Logic App.


What if an app needs access to Azure resources?

[Diagram] Code running in a virtual machine, or in a Function, App Service, or Logic App, reaching Azure resources.


What if people from other tenants need access to your app?

[Diagram: a service principal for the app in each customer tenant, e.g. Customer 1 tenant → service principal]

• Service principals are used:
– Each tenant registers the app (creates a service principal)
– Requires a key or certificate for authentication


Register an App in Microsoft Entra ID

App owner tenant: App Registration (global)
• Unique application ID
• Redirect URI
• Branding
• API permissions
• Role definitions

Customer tenants: Enterprise App (tenant-specific service principal)
• Reference to application + unique object ID
• User / group assignments
• Role assignments
• Visibility in portals


Single tenant versus multitenant apps

Audience | Single or multitenant | Who can sign in

• Accounts in this directory only | Single tenant | All user and guest accounts in your directory.
• Accounts in any Azure AD directory | Multi-tenant | All users and guests with a work or school account from Microsoft can use your application or API.
• Accounts in any Azure AD directory and personal Microsoft accounts (such as Skype, Xbox, Outlook.com) | Multitenant and Microsoft accounts | All users with a work or school, or personal Microsoft account can use your application or API. Includes schools, businesses using Microsoft 365, and services like Xbox and Skype.


Create an app registration

Values needed for app registration

• App name
– What the user sees
• Account types that can log into the app
– Single or multitenant
• URI
– Where the application is running after authentication


Application object versus service principal

Application object
• How the service can issue tokens to access the application
• The resources that the application might need to access
• The actions that the application can take
• Contains the application ID

Service principal
• A reference back to an application object through the application ID property
• Records of local user and group application role assignments
• Records of local user and admin permissions granted to the application
• Records of local policies including Conditional Access policy
• Records of alternate local settings for an application


Plan and design the integration of enterprise apps for SSO


Objectives
1 Discover apps by using MDCA or ADFS app report

2 Configure app connectors in MDCA

3 Design and implement access management for apps

4 Design and implement app management roles

5 Configure preintegrated (gallery) SaaS apps

6 Implement and manage policies for OAuth apps (in MDCA)



Discover apps by using MDCA or ADFS app report


What is CASB and Microsoft Defender for Cloud Apps (MDCA)?

CASB―Cloud Access Security Broker: A security tool placed between a cloud service (like an app) and the user to interject enterprise security policies before the cloud-based resource is accessed.

MDCA―Microsoft Defender for Cloud Apps (formerly Cloud App Security): Microsoft's implementation of a CASB service to protect data, services, and applications with enterprise policies. It provides supplemental reporting and analytics services.


Microsoft Defender for Cloud Apps capabilities

• Shadow IT discovery―find and manage cloud apps

• Information protection―protect information as it travels

• Threat protection―look for unusual behavior

• Compliance assessment―assess against regulatory requirements



Microsoft Defender for Cloud Apps
Cloud Access Security Broker (CASB)

Several different deployment modes:
• Log collection
• API connectors
• Reverse proxy

Providing admins with:
• Rich visibility
• Data control
• Sophisticated analytics
• Identification of cyberthreats


Microsoft Defender for Cloud Apps―process flow

[Diagram: Microsoft Defender for Cloud Apps process flow]


Microsoft Defender for Cloud Apps architecture

• Cloud Discovery – Find apps
• Sanctioning – Allow/deny apps
• Connectors – Extend protection into the app with APIs
• Conditional Access – Set access requirements
• Policy control – Define user behavior with apps


Set up Cloud Discovery with Microsoft Defender for Cloud Apps


MDCA―discovering apps with Cloud Discovery



Active Directory Federation Services

AD FS extends single sign-on (SSO) functionality between trusted business partners without requiring users to sign in separately to each application.

To increase application security, your goal is to have a single set of access controls and policies across your on-premises and cloud environments.


Discover apps that can be migrated

There are two types of applications to migrate:
• SaaS applications―procured by the organization
• Line-of-business applications―developed by the organization


Configure connectors to apps in MDCA


What is an app connector in Defender for Cloud Apps?

Capability
• Connect to API provided by the app creator
• Enables greater visibility into the apps
• All communication over secure HTTPS
• Common connector API limitations:
– Throttling
– API limits
– Dynamic time-shifting
– API windows
• Services vary by app

Apps with MDCA connectors
• Atlassian
• Azure
• AWS
• Box
• DocuSign
• Dropbox
• GitHub
• Google Workspace
• Many others


How app connectors work in MDCA

Defender for Cloud Apps is deployed with system admin privileges to allow full access to all objects in your environment.

The app connector flow is as follows:
• Defender for Cloud Apps scans and saves authentication permissions.
• Defender for Cloud Apps requests the user list. The first time the request is done, it may take some time until the scan completes. After the user scan is over, Defender for Cloud Apps moves on to activities and files. As soon as the scan starts, some activities will be available in Defender for Cloud Apps.
• After completion of the user request, Defender for Cloud Apps periodically scans users, groups, activities, and files. All activities will be available after the first full scan.


Common services offered by app connectors

Connections may take some time depending on the size of the tenant, the number of users, and the size and number of files that need to be scanned. Depending on the app to which you’re connecting, API connection enables the following items:
• Account information―visibility into users, accounts, profile information, status (suspended, active, disabled), groups, and privileges.
• Audit trail―visibility into user activities, admin activities, and sign-in activities.
• Account governance―ability to suspend users, revoke passwords, and so on.
• App permissions―visibility into issued tokens and their permissions.
• App permission governance―ability to remove tokens.
• Data scan―scanning of unstructured data using two processes: periodically (every 12 hours) and in real time (triggered each time a change is detected).
• Data governance―ability to quarantine files, including files in trash, and overwrite files.


Implement and manage policies for OAuth apps


Create a new OAuth app policy

1. Launch Microsoft Defender for Cloud Apps at https://security.microsoft.com.
2. Under Cloud Apps, select OAuth apps.
3. Filter the apps according to your needs.
• For example, you can view all apps that request Permission to Modify calendars in your mailbox.
4. Select the New policy from search button.


Design and implement access management for apps


Microsoft Entra ID―enterprise applications

Microsoft Entra ID → enterprise applications

Gallery of thousands of preintegrated applications
• Many of the applications your organization uses are already in the gallery
• Add your own business apps

After an application is added to your Microsoft Entra tenant, you can:
• Configure properties for the app
• Manage user access to the app with a Conditional Access policy
• Configure single sign-on


Exercise: Implement access management for apps

Add an app to your Microsoft Entra tenant: add an Enterprise app and assign your administrator account.

Launch this Exercise in GitHub


Design and implement app management roles



Delegate application registration and management

By restricting who can register applications and manage them

By assigning one or more owners to an application

By assigning a built-in administrative role that grants access to manage configuration in Microsoft Entra ID for all applications

By creating a custom role defining specific permissions, and assigning it


Built-in admin application roles

Application administrator: Includes the ability to manage all aspects of enterprise applications, including registrations and application proxy settings.

Cloud application administrator: Includes the ability to manage most aspects of enterprise applications, but excludes the ability to manage application proxy settings.


Exercise: Create a new custom role to grant access to manage app registrations

A custom role can be assigned at organization-wide scope or at the scope of a single Microsoft Entra ID object. Create a new custom role that can be used to grant access to manage app registrations.

Launch this Exercise in GitHub


Configure preintegrated (gallery) SaaS apps



Enterprise application properties

• Give the application a name
• Pick the URL that opens for users
• Name/Homepage URL
• ApplicationID/ObjectID
• Terms of Service/Privacy Statement


Configure app properties

Enabled for users to sign in? | User assignment required? | Visible to users? | Behavior for users who have either been assigned to the app or not

• Yes | Yes | Yes | Assigned users can see the app and sign in. Unassigned users cannot see the app and cannot sign in.
• Yes | Yes | No | Assigned users cannot see the app but they can sign in. Unassigned users cannot see the app and cannot sign in.
• Yes | No | Yes | Assigned users can see the app and sign in. Unassigned users cannot see the app but can sign in.


Custom logo



Add notes

Add any information that is relevant for the management of the application.


Summary

In this section, you learned how to:

• Discover apps by using MDCA or ADFS app report.
• Design and implement access management for apps.
• Design and implement app management roles.
• Configure preintegrated (gallery) SaaS apps.


Implement and monitor the integration of enterprise apps for SSO



Learning objectives

1 Implement token customizations

2 Implement and configure consent settings

3 Integrate on-premises apps by using Microsoft Entra application proxy

4 Integrate custom SaaS apps for SSO

5 Implement application user provisioning

6 Monitor and audit access/sign-on to Microsoft Entra ID integrated enterprise applications

7 Create and manage application collections (in My Apps)



Implement token customizations


Token configuration – claims – SAML-based SSO



Customize Tokens for Microsoft Entra ID

Access and ID token lifetimes (minutes): The lifetime of the OAuth 2.0 bearer token and ID tokens.

Lifetime length (days): After this time period elapses, the user is forced to reauthenticate.
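The access and ID token lifetime setting described above can be applied to a single application with a token lifetime policy. The following is an added example, not part of the course deck: it uses the Microsoft.Graph PowerShell SDK, and the application object id, policy name and 30-minute value are placeholders.

```powershell
# Added example (not from the course deck): create a token lifetime policy that
# shortens access and ID tokens for one application, then attach it to that app.
# Assumptions: Microsoft.Graph SDK installed; $appObjectId is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration","Application.ReadWrite.All"

$appObjectId = "<object id of the app registration>"   # placeholder

# The policy definition is a JSON string. AccessTokenLifetime is written as
# hh:mm:ss (or d.hh:mm:ss) and applies to both access and ID tokens.
$definition = '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00"}}'

$policy = New-MgPolicyTokenLifetimePolicy -BodyParameter @{
    definition            = @($definition)
    displayName           = "Short-lived tokens for expense app (example)"
    isOrganizationDefault = $false     # scope the policy to one app, not the whole tenant
}

# Link the policy to the application object by reference.
New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $appObjectId -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.Id)"
}

# Confirm the link: the policy should now be listed on the application.
$linked = Get-MgApplicationTokenLifetimePolicy -ApplicationId $appObjectId
if (-not ($linked.Id -contains $policy.Id)) {
    throw "Token lifetime policy was not attached to application $appObjectId"
}
$linked | Select-Object Id, DisplayName, Definition
```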


Implement and configure consent settings


Why is consent important?

A user or admin must grant permissions to an app before it can access company data.

Users can allow apps access to specific information, like a mailbox, but not access to organization servers.

Users may not think through the ramifications of granting access; they just want to use an app to do a task.


What are Consent Settings?

• Before an application can access the organization’s data, a user must grant the application permissions to do so
• All users can consent to applications for permissions that do not require administrator consent
• By allowing users to grant apps access to data, users can acquire useful applications and be productive


User consent settings

Disable user consent: Users cannot grant permissions to applications. Requires an admin to grant.

Users can consent to apps from verified publishers: Users can only consent to apps that were published by a verified publisher.

Users can consent to all apps: Users can consent to any permission.

Custom app consent policy: Users can consent to custom app consent policies.
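As an added example (not from the course deck), the following PowerShell reads and then tightens the tenant's default user permissions: it restricts who can register applications, the first delegation option on the "Delegate application registration and management" slide, and selects the "Users can consent to apps from verified publishers" option from this slide. It assumes the Microsoft.Graph SDK and an account that holds a role allowed to edit the authorization policy.

```powershell
# Added example (not from the course deck): inspect and harden the tenant's
# default user role permissions with the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Graph exposes one authorization policy object per tenant.
$policy   = Get-MgPolicyAuthorizationPolicy
$defaults = $policy.DefaultUserRolePermissions

# Report the current state before changing anything.
Write-Host "Users may register apps  : $($defaults.AllowedToCreateApps)"
Write-Host "Consent policies assigned: $($defaults.PermissionGrantPoliciesAssigned -join ', ')"

# Built-in permission grant policy ids and the portal option they correspond to:
#   ManagePermissionGrantsForSelf.microsoft-user-default-legacy -> users can consent to all apps
#   ManagePermissionGrantsForSelf.microsoft-user-default-low    -> verified publishers, low-risk permissions
#   (empty list)                                                 -> user consent disabled
$verifiedPublishersOnly = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")

$body = @{
    defaultUserRolePermissions = @{
        # Delegate registration to app owners and admin roles instead of every user.
        allowedToCreateApps             = $false
        permissionGrantPoliciesAssigned = $verifiedPublishersOnly
    }
}
Update-MgPolicyAuthorizationPolicy -BodyParameter $body

# Verify the change took effect rather than trusting the call succeeded.
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
if ($after.AllowedToCreateApps -or
    (($after.PermissionGrantPoliciesAssigned -join ',') -ne ($verifiedPublishersOnly -join ','))) {
    throw "Authorization policy did not update as expected"
}
Write-Host "App registration is now limited to admins/owners; user consent is limited to verified publishers."
```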


Integrate on-premises apps by using Microsoft Entra application proxy


What is Application Proxy?

A feature to allow users to access on-premises applications.

Proxy service runs in the cloud and has an App Proxy connector running on-premises.

Securely passes sign-on tokens from Microsoft Entra ID to the application.


Value of Application Proxy

Protocol translation to/from modern authentication
Example: Convert Kerberos token to a modern auth token

Use seamless single sign-on to remove user action to log in multiple times

Allows apps to stay on-premises (for whatever reason), but still be securely available to the user


Application Proxy

Application Proxy is a feature of Microsoft Entra ID that enables users to access on-premises web applications from a remote client.


Exercise: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID

Interactive guide: Enable integrated Windows authentication to on-premises applications with Microsoft Entra application proxy.

Visit this interactive guide in Microsoft Learn


Integrate custom SaaS apps for SSO



SSO for SaaS apps

• You can use Microsoft Entra ID as your identity system for just about any app. Many apps are already preconfigured and can be set up with minimal effort. These preconfigured apps are published in the Microsoft Entra App Gallery.
• You can manually configure most apps for single sign-on if they aren’t already in the gallery. Microsoft Entra ID provides several SSO options: SAML-based SSO and OIDC-based SSO.

SaaS App Integration Tutorials
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/tutorial-list


Exercise: Troubleshoot SAML single sign-on for custom SaaS apps

Interactive guide: Integrate an application in Microsoft Entra ID providing the single sign-on experience.

Visit this interactive guide


Implement application user provisioning



Application user provisioning



Manual vs. automatic provisioning

Manual provisioning: There is no automatic Microsoft Entra provisioning connector for the app yet. User accounts must be created manually.

Automatic provisioning: A Microsoft Entra provisioning connector has been developed for this application.


SCIM provisioning overview



Monitor and audit access/sign-on to Microsoft Entra integrated enterprise applications


Usage and insight reports

• What are the most used applications in the organization?
• What applications have the most failed sign-ins?
• What are the top sign-in errors for each application?


Audit Logs (in Microsoft Entra ID)

Record of system activities for compliance

• The date and time of the occurrence
• The service that logged the occurrence
• The category and name of the activity (what)
• The status of the activity (success or failure)
• The initiator/actor (who) of an activity


Enterprise applications audit logs
Application-based audit reports

• What applications have been added or updated?
• What applications have been removed?
• Has a service principal for an application changed?
• Have the names of applications been changed?
• Who gave consent to an application?


Create and manage application collections


Create app collections

Create an admin application collection
1. Go to Microsoft Entra ID then select Enterprise Applications.
2. Under Manage, select App Launchers.
3. Select New collection.
4. In the New collection page, enter a Name and Description.
5. Select the Applications tab. Select + Add application to open the Add applications page.
6. Select all the applications you want to add.
7. When you’re finished adding applications, select Add.
8. Select the Owners tab. Select + Add users and groups.
9. Select Review + Create. The properties for the new collection appear.

Create a collection using the My Apps portal
1. Open the My Apps portal.
2. Select the ellipsis (...) on the apps screen.
3. Choose Manage collections.
4. Select Create collection.
5. Select the + Add apps option to add all the apps you want in the collection.
6. After picking your apps, select the Add selected apps button.
7. Give the collection a name and choose Create collection.
Summary

In this section, you learned how to:

• Implement token customizations
• Implement and configure consent settings
• Integrate on-premises apps by using Microsoft Entra Application Proxy
• Integrate custom SaaS apps for SSO
• Implement application user provisioning
• Monitor and audit access/sign-on to Microsoft Entra ID integrated enterprise applications


Implement app registrations


Learning objectives

1 Plan your line-of-business application registration strategy

2 Implement application registrations

3 Configure application permissions

4 Implement application authorization

5 Manage and monitor applications with app governance



Plan your line-of-business application registration strategy


Why do applications integrate with Microsoft Entra ID?

Add applications to Microsoft Entra ID to leverage one or more of the services it provides, including:
• Application authentication and authorization
• User authentication and authorization
• Single sign-on (SSO) using federation or password
• Role-based access control
• User provisioning and synchronization
• OAuth authorization services
• Application publishing and proxy
• Directory schema extension attributes


Application objects and service principals

Application objects
• Define and describe the application to Microsoft Entra ID, enabling it to know how to issue tokens based on its settings
• Will only exist in their tenant

Service principals
• Govern an application connecting to Microsoft Entra ID
• Can be considered the instance of the application in your tenant


New app registration



Who has permission to add applications to my Microsoft
Entra instance?
• By default, all users in your directory have rights to register application objects they
are developing, and they have discretion over which applications they share or give
access to their organizational data through consent.
• When the first user in your directory signs into an application and grants consent, that
will create a service principal in your tenant; otherwise, the consent grant information
will be stored on the existing service principal.



Tenancy in Microsoft Entra ID
Configure your app to be single tenant or multitenant

WHO CAN SIGN IN TO YOUR APP?

Audience | Single/multitenant | Who can sign in

• Accounts in this directory only | Single tenant | All user and guest accounts in your directory can use your application or API.
• Accounts in any Microsoft Entra directory | Multi-tenant | All users and guests with a work or school account from Microsoft can use your application or API. This includes schools and businesses that use Microsoft 365.
• Accounts in any Microsoft Entra directory and personal Microsoft accounts (such as Skype, Xbox, Outlook.com) | Multi-tenant | All users with a work, school, or personal Microsoft account can use your application or API. It includes schools and businesses that use Microsoft 365, as well as personal accounts that are used to sign into services like Xbox and Skype.


Implement application registrations


Demo: Register an application

DEMO


After your app is registered:

1 Add a redirect URI

2 Configure platform settings

3 Add credentials

4 Add a certificate and a client secret

5 Register the web API

6 Add a scope

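The checklist above, scripted with the Microsoft.Graph PowerShell SDK for a single-tenant web API. This is an added example and not part of the course deck: the display name, redirect URI, scope name and certificate path are placeholders, and the signInAudience values in the comments map to the tenancy table earlier in this section.

```powershell
# Added example (not from the course deck): register an app, set its audience and
# redirect URI, add a certificate credential, expose an API scope, and create the
# tenant-local service principal. Placeholders: names, URIs, certificate path.
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# signInAudience values, matching the tenancy table:
#   AzureADMyOrg                        -> accounts in this directory only (single tenant)
#   AzureADMultipleOrgs                 -> accounts in any Microsoft Entra directory
#   AzureADandPersonalMicrosoftAccount  -> any Entra directory plus personal Microsoft accounts
$app = New-MgApplication -DisplayName "Contoso Expense API (example)" `
    -SignInAudience "AzureADMyOrg" `
    -Web @{ RedirectUris = @("https://expense.contoso.example/signin-oidc") }   # steps 1 and 2

# Steps 3 and 4: prefer a certificate over a client secret. Only the public
# certificate is uploaded; the private key never leaves the application host.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\path\to\app-public.cer")  # placeholder path
Update-MgApplication -ApplicationId $app.Id -KeyCredentials @(@{
    Type        = "AsymmetricX509Cert"
    Usage       = "Verify"
    Key         = $cert.GetRawCertData()
    DisplayName = "expense-api client cert (example)"
})

# Steps 5 and 6: register the web API identifier and expose one delegated scope.
$scopeId = [guid]::NewGuid()
Update-MgApplication -ApplicationId $app.Id `
    -IdentifierUris @("api://$($app.AppId)") `
    -Api @{
        Oauth2PermissionScopes = @(@{
            Id                      = $scopeId
            Value                   = "Expenses.Read"
            Type                    = "User"      # delegated scope a user may consent to
            IsEnabled               = $true
            AdminConsentDisplayName = "Read expenses"
            AdminConsentDescription = "Allows the app to read expense reports on behalf of the signed-in user."
            UserConsentDisplayName  = "Read your expenses"
            UserConsentDescription  = "Allows the app to read your expense reports."
        })
    }

# The application object is the global definition; the service principal is the
# tenant-local instance that holds assignments and consent. It points back to the
# application through the appId property, as the earlier slide describes.
$sp = New-MgServicePrincipal -AppId $app.AppId

if ($sp.AppId -ne $app.AppId) { throw "Service principal does not reference the application object" }
Write-Host "App object id: $($app.Id)  Application (client) id: $($app.AppId)  Service principal id: $($sp.Id)"
```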


Configure application permissions


Application permissions
Applications that integrate with Microsoft identity platform follow an authorization
model that gives users and administrators control over how data can be accessed.
Permissions for tasks like these can be controlled:
• Read a user’s calendar

• Write to a user’s calendar

• Send mail as a user



Permissions and consent: permission types

Delegated permissions
• Used by apps that have a signed-in user present
• Either the user or an administrator consents to the permissions that the app requests

Application permissions
• Used by apps that run without a signed-in user present
• Only an administrator can consent to application permissions


OpenID Connect scopes

OpenID: By using this permission, an app can receive a unique identifier for the user in the form of the sub claim.

Email: The email claim is included in a token only if an email address is associated with the user account.

Profile: It gives the app access to a large amount of information about the user.

Offline access: The app can receive refresh tokens from the Microsoft identity platform token endpoint.


Exercise: Grant tenant-wide admin consent to an application

Grant admin consent in app registrations: For applications your organization has developed, or for those that are registered directly in your Microsoft Entra tenant, you can grant tenant-wide admin consent from app registrations in the Microsoft Entra admin center.

Launch this Exercise in GitHub


Implement application authorization



Application roles
Application roles are used to assign permissions to users. You define app roles by
using the Microsoft Entra admin center. When a user signs into the application,
Microsoft Entra ID emits a roles claim for each role that the user has been granted
individually and from their group membership.

There are two ways to declare app roles by using the Microsoft Entra admin center:
• App roles UI
– Found on the App Registration/App roles

• App manifest editor

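An added example, not from the course deck, of the app roles flow just described: declaring roles on the registration (the same appRoles the manifest editor exposes), assigning one to a user on the service principal, and the deny-by-default check an application should make on the roles claim Entra emits. $appObjectId and $userObjectId are placeholders, and the token payload at the end is constructed.

```powershell
# Added example (not from the course deck): declare two app roles, assign one to a
# user, and check the roles claim the way an application should.
Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All"

$appObjectId  = "<object id of the app registration>"   # placeholder
$userObjectId = "<object id of the user to assign>"     # placeholder

# Each role needs its own GUID. Value is the string Entra puts in the roles claim.
$approverRoleId = [guid]::NewGuid()
$appRoles = @(
    @{
        Id                 = $approverRoleId
        Value              = "Expense.Approver"
        DisplayName        = "Expense approver"
        Description        = "Can approve submitted expense reports."
        AllowedMemberTypes = @("User")    # users and groups; add "Application" for daemon apps
        IsEnabled          = $true
    },
    @{
        Id                 = [guid]::NewGuid()
        Value              = "Expense.Reader"
        DisplayName        = "Expense reader"
        Description        = "Can view expense reports."
        AllowedMemberTypes = @("User")
        IsEnabled          = $true
    }
)
Update-MgApplication -ApplicationId $appObjectId -AppRoles $appRoles

# Assignments live on the service principal (the tenant-local instance), not on
# the application object.
$app = Get-MgApplication -ApplicationId $appObjectId
$sp  = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $userObjectId -ResourceId $sp.Id -AppRoleId $approverRoleId | Out-Null

# Application side: authorize on the roles claim, never on a display name, and
# treat a missing claim as "no role". The claims here are a constructed sample;
# a real app takes them from a validated ID or access token.
function Test-HasAppRole {
    param([hashtable]$TokenClaims, [string]$RequiredRole)
    if (-not $TokenClaims.ContainsKey("roles")) { return $false }   # deny by default
    return [bool]($TokenClaims["roles"] -contains $RequiredRole)
}

$constructedClaims = @{ sub = "constructed-sub-value"; roles = @("Expense.Reader") }
Test-HasAppRole -TokenClaims $constructedClaims -RequiredRole "Expense.Reader"
Test-HasAppRole -TokenClaims $constructedClaims -RequiredRole "Expense.Approver"
```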


Demo: Add app roles to an application

DEMO



Summary

Now that you have reviewed this section, you should be able to:
• Plan your line-of-business application registration strategy.
• Implement application registrations.
• Configure application permissions.
• Implement application authorization.
Summary

Plan and design single sign-on for apps
• MDCA and ADFS application location
• App discovery
• App management roles
• Add on-premises app management

Implement app registration
• Design an app registration strategy
• Register your applications
• Configure app permissions
• Assign app authorization

Implement and monitor enterprise apps
• Consent settings
• Monitor enterprise applications
• Application collections
• Add on-premises app management
Labs

Lab | Brief description | Length

• 17. App discovery | Use Defender for Cloud Apps application discovery and enforce a restriction. | 15 minutes
• 18. App access policies | Configure app access policies in Defender for Cloud Apps. | 10 minutes
• 19. Register an application | Registering your application establishes a trust relationship between your app and the Microsoft identity platform. | 10 minutes
• 20. Implement access management for apps | Add an enterprise app and assign your administrator account. | 5 minutes
• 21. Grant tenant wide access to an app | For applications registered directly in your Microsoft Entra tenant, grant tenant-wide admin consent from app registrations in the Microsoft Entra admin center. | 10 minutes
Learning path recap
In this learning path, you learned how to:

Configure and implement identity solutions for applications in Azure.

Compare and contrast managed identities and service principals.

Register and manage both apps and enterprise apps.



End of presentation
