Enterprise Mobility and Security Blog

Howdy folks,

Next up in our news for TechEd Europe are two cool new capabilities in our app access panel.

One of the things many of our larger customers care about is providing a customized employee experience when accessing and signing in to SaaS applications. Previously I wrote about how you can customize the text and branding that appear on the Azure Active Directory sign-in page and in the end user's application access panel. Today I'd like to tell you about two new features that extend and enhance these customization capabilities:

  • Organization-specific URLs
  • Direct single sign-on links to applications

Organization-specific URLs for the access panel

Today, any user with an account hosted in Azure Active Directory can sign in to their access panel at https://myapps.microsoft.com to view and launch the applications that have been assigned to them by their administrator, plus any applications they have consented to themselves. By default, the user sees the Azure Active Directory branded sign-in page the first time they sign in to the access panel, and the organization's branding only appears after they have entered their user ID.

Now you can have your organization's branding loaded by default on first time access, by simply appending one of the active or verified domain names configured for your directory to the end of the URL. Here is an example:

https://myapps.microsoft.com/contosobuild.com

When a user accesses this URL, they see their organization's branding on the first page load, without needing to enter their user ID first.

In the URL, any active or verified domain name that has been configured under the Domains tab of your directory in the Azure management portal may be used, as illustrated in the screenshot below.

To get started configuring branding for your directory, please check out this TechNet article.

Direct single sign-on links to applications

Another way that Azure Active Directory provides flexibility on how users can access their applications is by supporting direct single sign-on links to applications.

Many applications that support federated single sign-on with Azure Active Directory already allow users to sign in directly at the application without first loading the access panel (also known as service provider initiated single sign-on). I talked about these applications in a previous blog post about federated application support. However, applications that are configured to use an alternate sign-in method, such as password-based single sign-on, still had to be launched from the access panel… that is, until now!

We now support direct single sign-on links to individual applications. These are specially crafted URLs that send a user through the Azure AD sign-in process for a specific application without requiring the user to load the access panel at https://myapps.microsoft.com. These single sign-on URLs can be found under the Dashboard tab of any pre-integrated application in the Active Directory section of the Azure management portal, as shown in the screenshot below.

These links can be copied and pasted anywhere you want to provide a sign-in link to the selected application. This could be in an email, or in any custom web-based portal that you have set up for user application access. Here's an example of an Azure AD direct single sign-on URL for Twitter:

https://myapps.microsoft.com/signin/Twitter/230848d52c8745d4b05a60d29a40fced

Similar to organization-specific URLs for the access panel, you can further customize this URL by adding one of the active or verified domains for your directory after the myapps.microsoft.com domain. This ensures any organizational branding is loaded immediately on the sign-in page without the user needing to enter their user ID first:

https://myapps.microsoft.com/contosobuild.com/signin/Twitter/230848d52c8745d4b05a60d29a40fced

When an authorized user clicks one of these application-specific links, they first see their organizational sign-in page (assuming they are not already signed in), and after sign-in they are redirected to the application without stopping at the access panel. If the user is missing a prerequisite for the application, such as the password-based single sign-on browser extension, the link prompts the user to install the missing extension. The link URL also remains constant if the single sign-on configuration for the application changes, so links you have already distributed keep working.

These links use the same access control mechanisms as the access panel: the URL itself grants nothing, and only users or groups who have been assigned to the application in the Azure management portal will be able to complete sign-in to it. A user who is not assigned instead sees a message explaining that they have not been granted access, together with a link to load the access panel and view the applications they do have access to.
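If you publish these links from a custom portal or an e-mail template, it is worth generating and checking them in code rather than pasting them by hand: a lookalike host or a mistyped domain segment sends users to the wrong place, and the branding segment is only honoured for a domain that is actually verified in your directory. The following is an added example, not code from Microsoft or from this post. It builds both URL shapes shown above (the organization-specific access panel URL and the direct single sign-on link), refuses anything that is not https on exactly myapps.microsoft.com, and only inserts a domain that appears in a caller-supplied list of the directory's verified domains. Two assumptions are labelled in the code: the application identifier is treated as 32 hex characters because that is the shape of the one example on this page, and the verified-domain list is whatever you copy from the Domains tab, since the example runs offline and does not query the directory. Authorization is still enforced by Azure AD at sign-in; these checks only guard what you publish.

```python
"""Build and validate Azure AD access panel links of the two shapes shown in this post.

Added example, not Microsoft code. Assumptions (also stated in the lead-in):
- the app id is matched as 32 hex characters, inferred from the single example URL;
- verified_domains is supplied by the caller, mirroring the directory's Domains tab.
"""
import re
from urllib.parse import urlsplit, urlunsplit

ACCESS_PANEL_HOST = "myapps.microsoft.com"

# /signin/<app>/<id>, optionally preceded by one verified-domain segment.
_SIGNIN_PATH = re.compile(
    r"^/(?:(?P<domain>[^/]+)/)?signin/(?P<app>[^/]+)/(?P<app_id>[0-9a-fA-F]{32})$"
)
# Plain DNS-name shape; enough to refuse path tricks, spaces and bare words.
_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_access_panel_link(url):
    """Return {"domain", "app", "app_id"} for a myapps.microsoft.com link, else raise ValueError.

    Anything that is not https on exactly the access panel host is rejected, so a
    lookalike host (myapps.microsoft.com.evil.example, user@host tricks, odd ports)
    is caught before the link reaches a portal page or an e-mail.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("access panel links must use https")
    if (parts.hostname != ACCESS_PANEL_HOST or parts.port not in (None, 443)
            or parts.username is not None):
        raise ValueError("host must be exactly %s" % ACCESS_PANEL_HOST)
    if parts.query or parts.fragment:
        raise ValueError("unexpected query string or fragment")
    path = parts.path.rstrip("/") or "/"
    if path == "/":  # plain https://myapps.microsoft.com
        return {"domain": None, "app": None, "app_id": None}
    m = _SIGNIN_PATH.match(path)
    if m:
        return m.groupdict()
    domain = path[1:]  # organization-specific URL: https://myapps.microsoft.com/<domain>
    if "/" not in domain and _DOMAIN.match(domain.lower()):
        return {"domain": domain, "app": None, "app_id": None}
    raise ValueError("unrecognised access panel path: %s" % parts.path)


def is_valid_access_panel_link(url):
    """Boolean form for templates that only need to accept or refuse a link."""
    try:
        parse_access_panel_link(url)
        return True
    except ValueError:
        return False


def add_org_branding(url, domain, verified_domains):
    """Insert a verified domain after the host so tenant branding loads on first visit.

    verified_domains: the active/verified domains copied from the directory's
    Domains tab (assumption: supplied by the caller). Any other domain is refused,
    which keeps typos and foreign domains out of the links you distribute.
    """
    domain = domain.lower()
    if domain not in {d.lower() for d in verified_domains}:
        raise ValueError("%s is not a verified domain of this directory" % domain)
    info = parse_access_panel_link(url)
    if info["domain"] is not None and info["domain"].lower() != domain:
        raise ValueError("link already carries a different domain: %s" % info["domain"])
    if info["app_id"] is None:
        path = "/" + domain
    else:
        path = "/%s/signin/%s/%s" % (domain, info["app"], info["app_id"])
    return urlunsplit(("https", ACCESS_PANEL_HOST, path, "", ""))


if __name__ == "__main__":
    # Constructed inputs taken from the shapes in this post.
    verified = ["contosobuild.com", "contosobuild.onmicrosoft.com"]
    twitter = "https://myapps.microsoft.com/signin/Twitter/230848d52c8745d4b05a60d29a40fced"
    print(add_org_branding("https://myapps.microsoft.com", "contosobuild.com", verified))
    print(add_org_branding(twitter, "contosobuild.com", verified))
    print(is_valid_access_panel_link("https://myapps.microsoft.com.evil.example/signin/Twitter/230848d52c8745d4b05a60d29a40fced"))
```

The host check deliberately compares `hostname` (which is lowercased and stripped of credentials and port by `urlsplit`) against the exact string rather than using an `endswith` test, since `myapps.microsoft.com.evil.example` ends with the expected host and is exactly the kind of link you do not want in a sign-in button.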

So if you've been looking for a way to customize your application access experiences and give users direct access to specific applications, please try these features and let us know what you think!

And as always, we'd love to hear any feedback or suggestions you have!

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of PM

Microsoft Identity and Security Services Division