• Home
  • Blog
  • Technical
  • How (and why) to leverage Microsoft 365 Business to manage third-party applications

How (and why) to leverage Microsoft 365 Business to manage third-party applications

Back to Blog
01Feb2019

How (and why) to leverage Microsoft 365 Business to manage third-party applications

One capability of Azure Active Directory which is included in your Microsoft 365 Business subscription (but which hardly anyone is taking advantage of in the SMB space) is the ability to bring third-party SaaS applications under management, and assign them to end-users–publishing them centrally via an application portal (myapps.microsoft.com), and even (in some cases) enabling them for Single Sign-On.

From Azure Active Directory, find Enterprise Applications > All applications. Click New application. There a few thousand applications now available in the app gallery. You can search or browse by many different categories. If an application is not found here in the portal, then you can add custom (non-gallery) applications only with an Azure AD Premium P1 or P2 subscription.

By way of example only, I will search for and add an application from the Azure gallery—in this case Evernote.


Next, I can assign the application to individual users, or to a security group which I have created for this purpose. Go to Users and groups to make your assignments. I use a Security group to manage this access, named Apps-EvernoteAccess.

As soon as you have configured your apps and made your assignments, users will be able to see the application tile show up within their individual Azure AD access panel located at: https://myapps.microsoft.com

At this point, if a user were to click on this tile, it would just link them over to Evernote’s sign-in page, where they would then need to provide their credentials to login.

Configure Single Sign-On (SSO) to third-party applications

Just going through the exercise to identify who in the organization should be assigned which software packages is valuable in itself (more on that later), but the value to the end user comes afterward. Now that you have mapped out apps to users, you can also tie their authentication (via SAML) to those apps (assuming you have subscriptions at those providers which support it).

Find the Single Sign-On blade within the application. Not all applications will support “true” single sign-on using SAML, but almost any app will allow the user to store their credentials within the Azure AD portal (similar to LastPass, if you are familiar with that concept). The various SSO methods are depicted in the following screenshot.

  • Disabled – Just like it says, essentially this will just make the application tile available in the app portal, but there is no SSO experience. The end-user would need to provide their unique logon ID and password for that app in order to login, every time they click the tile.
  • SAML – If the app supports SAML (Security Assertion Markup Language), this is what you want. SAML provides “true” SSO, where Azure AD becomes the app’s Identity Provider, and all authentication requests are logged against Azure AD—whether they come in via the app portal, or not. This is the most secure option and recommended wherever possible.
  • Password-based – Otherwise, if the app does not support SAML but still uses some form of username/password, then you can choose “password-based” SSO. This option simply stores credentials in Azure AD, and replays them into the third-party app on demand, to give the user an “SSO-like” experience (without being true single sign-on). The user can input and update their own password, or it can be managed by an administrator, and the user doesn’t have to know the password at all.
  • Linked – You would use this option if you already had an application linked via another Identity Provider. You may choose this option if you are slowly migrating from another identity service such as Okta or AD FS, for instance, and wanted to publish links via the new portal before you switched them over to SAML.

Note: if you are able to implement SAML, that will also open up other options within the Provisioning and Self-service blades, where users may be allowed to request access and provision their own accounts, for example.

I will not go into the full details of setting up a SAML-based SSO experience. But I do want to give you some guidance to get started—the security benefits are just too great to ignore—since you can reduce the number of identities you manage, and centralize the security logs. Therefore, if you take the time to fold your apps in, then you can monitor, grant and terminate access to all your apps from one place: Azure AD. Plus, you can apply things like MFA, or Conditional access to the logon requests (requires an Azure AD Premium subscription).

Every app is a little bit different in terms of its deployment, although they all have similarities. Here are some basic guidelines I can give you. Microsoft links to a configuration guide for many common gallery applications.

In almost all cases where SAML is available, you will need to provide Azure AD and the third-party application portal with some URLs, certificates and/or XML files, so that each side can understand and talk with the other. Sometimes certain entries are optional. Microsoft and/or third-party vendors will likely have support documentation available, as pictured here in the case of Evernote.

Conclusion

It is difficult to express just how important this Enterprise Application feature could be for your organization or practice. Even if you cannot configure true SSO with SAML to every one of your applications, just the fact that you can track application assignments to users alone is huge.

Most small organizations have no software inventory to speak of. Which is too bad, because it is often necessary to have an inventory for various compliance bodies out there. Not to mention every major security framework requires it.

Poor inventory means blind spots. Blind spots mean weak protections. Weak protections is one of the primary reasons why SME’s are still the most vulnerable targets out there. From the point of view of an attacker, the average security posture for small businesses out in the wild looks a lot like swiss cheese—and it has gotten worse with the addition of so many SaaS products in the last few years.

Bottom line (I’ve said it before and I’ll say it again): You cannot protect what you don’t even know you have. Once you know what you have, then you can start taking steps to better protect it—SAML, MFA, Conditional access, limiting privilege, etc., etc. But it starts with knowing.

Microsoft 365 can help you wrap your arms around this whole cloudy mess: identities, applications, devices and data. And this corporate access panel, with the option for SSO in many cases, solves a big piece of the puzzle right here. So make it a point to start bringing your applications into the fold!

Technical , , , 6 Comments
Share:

Comments (6)

  • Aaron Jacobs Reply

    Great article.
    If not using M365 and just O365, do you know what licenses are required per user / tenant to enable the app gallery?
    Azure Ad P1 for SSO obviously.
    Thanks

    February 1, 2019 at 1:41 pm
    • Alex Reply

      Yes, I would recommend the EMS E3 suite if adding onto just O365 (then you get device management too), but Azure AD Premium P1 on its own would be sufficient to get SSO, unlimited/custom apps and conditional access, even. But I generally add P1 to M365 Business too–Conditional access is just that important.

      February 1, 2019 at 3:24 pm
  • Shehan Perera Reply

    Hi,
    Thanks for the wonderful explanation.
    I’m planning to do the same for a Non-Gallery app. I need P1 only for this purpose at this point.

    My question is

    * Will the users require a P1 license to access this app via their myApps portal? Or just one P1 for my admin account will be sufficient to add the app to Azure?
    * Is this a license compliance violation if I just use 1 P1 license for this purpose?

    If this is possible, does that mean a user who doesn’t have P1 assigned can use 10 Apps apps but they require P1 if they need to open more than 10 apps at once?

    Please advise on this.
    Thanks a lot.

    February 23, 2020 at 7:36 pm
    • Alex Reply

      Every user who benefits from a feature needs to be licensed for the feature. So yes, P1 for all.

      February 24, 2020 at 10:13 am
  • Shehan Reply

    Sorry I forgot to mention, the users who will be using this SSO app are licensed for Office 365 (E3, Business Prem. and etc) but not for Azure Premium. What you saying is still they need to be licensed with a Premium license right?

    February 24, 2020 at 5:49 pm
    • Alex Reply

      That’s right, to use a custom (non-gallery) app, requires AAD Premium P1. Similarly to benefit from any other features particular to that SKU, for instance more than 10 connected apps, dynamic group membership, etc.

      February 25, 2020 at 9:54 am

Leave a Reply

Back to Blog

Related Posts

16Jul

How to bundle even more security into your Office 365 subscription

In a previous post, I covered some of the most common SKU's that are frequently purchased by small businesses, who are migrating to the Office 365 platform. In a nutshell, by FAR the most common of those are Office 365 Business Premium and Office 365... read more
14May

Introducing the Microsoft Office 365 Email Security Checklist

Update March 2023: This project morphed into the Microsoft 365 Best Practices Checklists, which includes a checklist and guide for each of the major services in Microsoft 365. You can get the product here. Okay. I think I have had enough. Enough of what? Enough of... read more
12Dec

Adding Hybrid Exchange in retrospect (post-migration)

Sometimes organizations that have already migrated email to Office 365 using a third party tool or a cutover method would like to "go hybrid" and install Azure AD Connect after the fact. Usually the driving factors here are password sync and Single Sign-On with... read more
05Oct

Tutorial: How to setup and configure Microsoft Azure Backup Server, part 1: installation

Microsoft Azure Backup comes in two basic flavors: Microsoft Azure Recovery Services Agent (MARS) Microsoft Azure Backup Server (MABS) Both are free downloads from Microsoft, and both allow you to configure backup from on-premises servers to the Microsoft Azure cloud. Whereas the MARS agent is installed... read more
Turn your MFA up to 11
09Dec

But have you turned multifactor authentication ALL the way on?

Do you remember just a short time ago, Microsoft would claim that switching on Multi-factor Authentication (MFA) prevents 99.9% of identity-based attacks? Well, the times they are a-changin. I do not know what they would report today for a percentage of attacks which are thwarted... read more
21Apr

Should I Supercharge Office 365 with the Enterprise Mobility Suite?

Hello! Now that I have amassed a few different posts that outline differences between Microsoft's Enterprise Mobility Suite (EMS) and the built-in features that are included with certain Office 365 plans, I thought it would be nice to summarize our findings in one place.  If you are having... read more
27Aug

How to configure Advanced Threat Protection (ATP) part 3: safe links

This will be our last post in this series on Advanced Threat Protection (ATP). We have previously covered anti-phishing policies and safe attachments. Now we will consider safe links. Safe links are basically just taking hyperlinks which exist in Exchange email messages or other content in... read more
05Sep

Tutorial: How-to Setup Azure Site Recovery using Windows Server Essentials, Part 1: Pre-requisites

Windows Server Essentials (or the Essentials Experience role) can be leveraged to quickly provision and enable a full Disaster Recovery site in the cloud using built-in Azure integration features. The solution is composed of two Azure products: Azure Virtual Network and Azure Site Recovery. I have... read more
21Jan

How-to Complete your Office 365 Setup and Exchange E-Mail Migration

When setting up a new Office 365 tenancy or migrating from an on-premises or hosted Email system to Office 365, one last step will be to add all the necessary DNS records to your DNS zone file, and then make the appropriate changes to your... read more
21Oct

No more excuses: 5 Tips & tricks to make Office 365 MFA easier on people

As I'm sure you are aware by now, Multi-factor Authentication reduces your risk of identity compromise by 99.9%. Requiring so called "strong passwords," by contrast, doesn't make that much difference at the end of the day. And yet, we're still beneath 10% of even just... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me