Enabling SSO for Apps in a Hybrid Infrastructure
As you plan to register business applications with Azure AD for SSO, it is important to understand why these steps are worth taking. The first reason is user experience: SSO asks users for a single username and password for authentication.
The second is to reduce the infrastructure required to authenticate users to on-premises applications. If we register our on-premises applications with Azure AD through an application proxy, we no longer require a Windows Active Directory infrastructure on-premises.
The third reason is security. With our applications registered in Azure AD, including on-premises and third-party cloud applications, we can apply the security solutions within Azure AD for authentication and authorization across all enterprise applications: MFA, SSO, SSPR, Azure AD Identity Protection, and Azure AD Conditional Access policies.
We can plan this strategy using Cloud App Security discovery and Application Usage and Insights. Both planning and discovery options were discussed earlier in this chapter.
For the steps to register third-party cloud applications with Azure AD, see this tutorial: https://docs.microsoft.com/en-us/powerapps/developer/data-platform/walkthrough-register-app-azure-active-directory.
Our application strategy should also cover securing the applications themselves and determining who can grant consent to them. These settings are found in the Enterprise applications menu under Security – Consent and Permissions.
Configuring these permissions correctly is important for maintaining the proper levels of security and governance over your applications. If your applications handle sensitive information, allowing any user to grant applications access to that information could introduce a security vulnerability. Proper planning and strategy are required to determine the level of governance needed for application permissions.
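The consent setting described above can also be audited and tightened from a script rather than the portal. The following is an added example, not code from the book, and it assumes the Microsoft.Graph PowerShell module, the Policy.ReadWrite.Authorization scope, and the two built-in permission-grant policy names shown; it reads the tenant-wide default user consent setting, reports whether it is the weak "any user may consent to any app" configuration, and moves it to the restricted setting.

```powershell
# Added example (not from the book): audit and tighten the tenant-wide user-consent
# setting that the portal shows under Enterprise applications > Consent and permissions.
# Assumes the Microsoft.Graph module and the Policy.ReadWrite.Authorization scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

$uri = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Built-in permission-grant policies that can be assigned to the default user role.
$Legacy = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" # any user may consent to any app (weak)
$Low    = "ManagePermissionGrantsForSelf.microsoft-user-default-low"    # verified publishers, low-risk permissions only
# An empty assignment list means users cannot consent at all; an admin must grant consent.

function Get-UserConsentPosture {
    $policy   = Invoke-MgGraphRequest -Method GET -Uri $uri
    $assigned = @($policy.defaultUserRolePermissions.permissionGrantPoliciesAssigned)
    if ($assigned -contains $Legacy) { return "Weak: users can consent to any application" }
    if ($assigned -contains $Low)    { return "Limited: verified publishers, low-risk permissions only" }
    if ($assigned.Count -eq 0)       { return "Admin-only: user consent disabled" }
    return "Custom: $($assigned -join ', ')"
}

function Set-UserConsentPosture {
    param([ValidateSet("AdminOnly", "VerifiedLowRisk")] [string]$Mode)
    $assigned = @()                                   # AdminOnly: no self-service consent
    if ($Mode -eq "VerifiedLowRisk") { $assigned = @($Low) }
    $body = @{ defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = $assigned } }
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body
}

"Before: $(Get-UserConsentPosture)"
Set-UserConsentPosture -Mode VerifiedLowRisk          # or -Mode AdminOnly for the strictest governance
"After:  $(Get-UserConsentPosture)"
```

Run Get-UserConsentPosture on its own first if you only want to report the current state; the PATCH changes the setting for every user in the tenant.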
Once you have configured your various applications and permissions in Azure AD, you have an SSO structure that lets users access line-of-business applications in a hybrid infrastructure.