Complete Guide to Azure Enterprise Applications Setup and Governance

Author

Reads 841

Female Software Engineer Coding on Computer
Credit: pexels.com, Female Software Engineer Coding on Computer

Setting up and governing Azure Enterprise Applications requires a strategic approach to ensure seamless integration and management of your organization's cloud-based systems. This involves defining roles and permissions to control access to sensitive data.

To begin, you'll need to create an Azure Enterprise Application, which can be done through the Azure portal. This will provide a centralized hub for managing your organization's cloud-based applications.

Having a clear understanding of your organization's needs and goals is crucial when setting up Azure Enterprise Applications. This will help you determine the types of applications you need to integrate and the level of access required.

By following a structured approach, you can ensure that your Azure Enterprise Applications are properly configured and governed, reducing the risk of security breaches and improving overall system efficiency.

Registration

Registration is the first step in setting up an Azure Enterprise Application. To register an application, you must create an app registration in the Azure portal. This will assign an RBAC role to the app registration.

Credit: youtube.com, Azure AD App Registrations, Enterprise Apps and Service Principals

The Azure portal is where you'll create an app registration. To do this, log into the Azure portal, click the search bar, and then click Azure Active Directory. On the left panel, under Manage, click App registrations. Click + New registration, and enter a name. Click Register.

You'll need to copy the Application (client) ID and the Directory (tenant) ID to a text editor for later. You can also create a custom RBAC role either in the Azure portal or through a command line interface (CLI), but not both.

An application registration is the definition of the application, as an application object, in Entra ID. It explains to Entra ID what the application wants, such as permissions for certain APIs, as well as where and how the application resides.

The organization has procured an application that they need to integrate into Entra ID. The application may be either a SaaS application or a piece of software run in an IaaS or PaaS environment, or on-prem. An application definition, at its core, is the application manifest.

Here are the key differences between an application registration and an enterprise application:

Every app registration will have at least one service principal, which is created in the home tenant that the app registration was created in. A service principal is a concrete instance created from the application object and inherits certain properties from that application object.

Understanding Principals

Credit: youtube.com, What is Azure Service Principal? Why do we need it and how to create it? | Azure

A security principal is an entity that requires access to resources secured by a Microsoft Entra tenant, and it must be represented by a service principal. This requirement applies to both users (user principal) and applications (service principal).

There are three types of service principals: Application, Managed Identity, and Legacy. An Application service principal is a local representation of a global application object in a single tenant or directory, and it defines what the app can do in that specific tenant.

A Managed Identity service principal represents a managed identity, which eliminates the need for developers to manage credentials. It provides an identity for applications to use when connecting to resources that support Microsoft Entra authentication.

A Legacy service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences. Legacy service principals can have credentials and other properties that an authorized user can edit.

Credit: youtube.com, 01 Azure Active Directory Service Principals Explained

The Microsoft Graph ServicePrincipal entity defines the schema for a service principal object's properties. You can use the Enterprise applications page in the Microsoft Entra admin center to list and manage service principals in a tenant.

Here are the three types of service principals in Entra ID:

  • Enterprise applications
  • Managed identities
  • Legacy

Every app registration will have at least one service principal, which is created in the home tenant that the app registration was created in. A service principal is created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant.

Granting Access

To grant access to an Azure Enterprise Application, you must create an app registration in the Azure portal. This is a crucial step that allows you to assign a role to the application, which in turn grants Alert Logic permission to monitor your environments.

You can create a custom RBAC role either in the Azure portal or through a command line interface (CLI), but not both. To create an app registration, log into the Azure portal, click the search bar, and then click Azure Active Directory. On the left panel, under Manage, click App registrations, and then click + New registration.

Credit: youtube.com, Azure AD - Enterprise Application Consent Settings

To grant permissions to access your Azure Key Vault, you must repeat these steps for each of your key vaults. In the Azure portal, click Key vaults, select a key vault from the list, and then on the left panel, click Access policies. Click + Add Access Policy, and then in the Key permissions field, select Get and List.

Here are the steps to repeat for each key vault:

  • Key vaults.
  • Select a key vault from the list, and then on the left panel, click Access policies.
  • Click + Add Access Policy.
  • In the Key permissions field, select Get and List.
  • In the Secret permissions field, select Get and List.
  • Click Select principal, and then from the list, select the app registration you created.
  • Click Add.

Grant Access

Granting access to your application is a crucial step in allowing users to interact with it. To do this, you must grant permissions to access Microsoft Graph in the Azure portal, which allows Alert Logic to perform CIS benchmark checks.

In the Azure portal, click Azure Active Directory, then App registrations, and select your app registration. On the left panel, click API permissions, and then click + Add a permission. On the Request API permissions blade, click Microsoft Graph, and then click Application permissions.

Credit: youtube.com, How to Grant access to Key Vault|| add access policy and principal|| Azure tutorial||SC300

You must also grant permissions to access Azure Key Vault in the Azure portal, which allows Alert Logic to perform CIS benchmark checks. This involves selecting a key vault from the list, clicking Access policies, and then clicking + Add Access Policy.

To grant permissions to access your key vault, you must add the Get and List permissions for both Key and Secret. Additionally, you must select the app registration you created and click Add. You must repeat these steps for each key vault in the list.

Here are the specific permissions you need to grant:

  • Get and List permissions for Key
  • Get and List permissions for Secret
  • Select principal (the app registration you created)

By following these steps, you can grant access to your application and allow users to interact with it. Remember to repeat the process for each key vault in your list.

Managing Access

Managing access to your Azure Enterprise Applications is crucial for security and compliance. You can grant permissions to access Microsoft Graph in the Azure portal, which allows Alert Logic to perform CIS benchmark checks.

Credit: youtube.com, Implement access management for apps|||How to Configure and Enterprise App||Azure AD gallery||SC300

To grant permissions, you must add the Microsoft Graph permission in the API permissions blade and select the necessary permissions, such as Application permissions.

You can also assign users and groups to an application using the Microsoft Entra admin center, Azure AD PowerShell, or Microsoft Graph PowerShell. This allows you to control who has access to your enterprise applications.

To assign users and groups, you must sign in to the Microsoft Entra admin center as a Cloud Application Administrator and browse to Identity > Applications > Enterprise applications > All applications. You can then select the application and add users and groups using the Add Assignment pane.

Here are the steps to assign users and groups using Microsoft Graph PowerShell:

  1. Open an elevated Windows PowerShell command prompt.
  2. Run Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All" and sign in as at least a Cloud Application Administrator.
  3. Get the user and the service principal using Get-MgUser and Get-MgServicePrincipal.
  4. Get the ID of the role assignment using Get-MgServicePrincipalAppRoleAssignedTo.
  5. Remove the AppRole assignment using Remove-MgServicePrincipalAppRoleAssignedTo.

Create Custom Role

To create a custom RBAC role, you must first create a role document, which can be done in the Azure portal or using the Azure command-line interface (CLI). You can use the Alert Logic template role document as a starting point.

Credit: youtube.com, Mastering Custom Roles In Microsoft 365 Defender: A Step-by-step Guide! | Peter Rising MVP

You can create a custom role in the Azure portal by clicking the search bar and selecting Subscriptions. From there, you can select your subscription and copy the Subscription ID to a text editor for later use. This will be needed to create the custom role.

To create a custom role in the Azure portal, you must follow these steps: In the Azure portal, click the search bar and click Subscriptions. Select your subscription, and copy the Subscription ID to a text editor for later. Click Access control (IAM), and then click + Add, and then click Add custom role. Click the JSON tab, and then click Edit. Delete everything in the window, and copy the text from the Alert Logic role document and paste it into the JSON window.

Alternatively, you can create a custom role using the Azure CLI. This can be done by making changes to the Alert Logic template role document, and then creating your role document in your command-line interface. You must ensure you have Azure PowerShell or Azure CLI 2.0 installed before you begin.

To create a custom role using the Azure CLI, you must follow these steps: Create a new text file and copy the Alert Logic role into it. Make the necessary changes to the file, and then save it as a JSON file. Open either Azure CLI 2.0 or Azure PowerShell, and log in to your Azure account, and then specify the default subscription. Create your custom role in Azure using the az role definition create command.

Credit: youtube.com, What are custom roles and how to create users|| Assign roles to users ||Azure Active Directory

Here are the steps to create a custom role using the Azure CLI:

Assign Role to Registration

Assigning a role to your registration is a crucial step in managing access. To do this, you must navigate to the Azure portal and click on the subscription you want Alert Logic to protect. You'll then need to click on Access control (IAM) and add a new role assignment.

You'll need to search for the RBAC role you created and click on View. Then, click on the Members tab and ensure the RBAC role is listed. If it's not, click on + Select members to find the role. Once you've confirmed the role is listed, click Review + assign to assign it to your registered app.

If you have multiple subscription IDs, you'll need to repeat this process for each subscription. This ensures that Alert Logic has the necessary permissions to monitor your environments.

Credit: youtube.com, How to Add a Default Role to a New User on First Login — Auth0 Support

Here's a quick summary of the steps:

Remember, assigning a role to your registration is a critical step in managing access. By following these steps, you'll ensure that Alert Logic has the necessary permissions to monitor your environments.

Remove All Assigned

Removing all assigned users and groups from an application is a crucial step in managing access.

You can use Azure AD PowerShell to remove all users who are assigned to the application. Use the following script to remove all users and groups assigned to the application.

In Microsoft Graph PowerShell, you can run the following command to remove all users and groups assigned to the application.

Unassigning users and groups from an application can be done in several ways, including using the Microsoft Graph API or Azure AD PowerShell.

To unassign all users and groups from the application, you can use the following query in Microsoft Graph Explorer. However, you need to delete each assignment individually.

Credit: youtube.com, How to assign or remove office 365 licenses from users

Here are the steps to unassign users and groups from an application using Microsoft Graph PowerShell:

1. Open an elevated Windows PowerShell command prompt.

2. Run Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All" and sign in as at least a Cloud Application Administrator.

3. Get the user and the service principal.

4. Get the ID of the role assignment.

5. Run the following command to show the list of users assigned to the application.

6. Run the following command to remove the AppRole assignment.

Removing all assigned users and groups from an application is an important part of managing access, and it's good to have options for doing so.

Frequently Asked Questions

What is an example of an Enterprise Application?

Examples of Enterprise Applications include CRM, ERP, accounting, project management tools, SCM, and HRM systems. These applications help businesses boost productivity and efficiency.

What is an Azure Enterprise app?

An Azure Enterprise app is an application identity within your Azure Active Directory (Azure AD) that can be assigned access to your directory. It's essentially an instance of an application that can act on your directory's behalf.

What is the difference between app and enterprise app?

App registration is a global definition of an application, while an enterprise app is a local instance within a specific tenant, managing permissions and policies. This distinction allows for tailored management and enforcement of permissions within a specific organization.

Elaine Block

Junior Assigning Editor

Elaine Block is a seasoned Assigning Editor with a keen eye for detail and a passion for storytelling. With a background in technology and a knack for understanding complex topics, she has successfully guided numerous articles to publication across various categories. Elaine's expertise spans a wide range of subjects, from cutting-edge tech solutions like Nextcloud Configuration to in-depth explorations of emerging trends and innovative ideas.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.