L10. Enterprise Apps: SSO, Provisioning and Consent
Configure enterprise application integration for the SC-300: set up single sign-on with SAML and OIDC, configure automatic user provisioning with SCIM, manage consent permissions, and control user assignment requirements for applications.
Enterprise Applications Overview
Enterprise applications in Entra ID are the service principals in your tenant: the tenant-local instance of an application, whether its application object was registered in your own tenant (under App registrations) or in another tenant, as with gallery SaaS apps. This is where you manage how users interact with an application: who can access it, how they sign in, and how their accounts in the application are provisioned.
Navigate to: Entra admin center > Enterprise applications
Single Sign-On Methods
| SSO Method | Protocol | Use Case |
|---|---|---|
| SAML | SAML 2.0 | Legacy enterprise apps, SaaS apps |
| OpenID Connect | OIDC/OAuth 2.0 | Modern apps, SPAs, mobile apps |
| Password-based | Form fill | Apps without federation support |
| Linked | N/A | Just a link in My Apps portal |
| Header-based | HTTP headers | Legacy apps via Application Proxy |
SAML SSO Configuration
Key SAML configuration parameters:
- Identifier (Entity ID): Unique identifier for the app (usually a URL)
- Reply URL (ACS URL): Where Entra ID sends the SAML assertion after authentication
- Sign-on URL: The app's login page
- Relay state: Where to redirect after SSO
- Signing certificate: Entra ID signs SAML assertions with this certificate. Entra generates it with a three-year validity; the application must trust it, and a new certificate has to be activated in Entra and uploaded to the application before the old one expires, or sign-in fails for every user of the app
Claims Configuration
SAML assertions contain claims (attributes) about the user. You can customize which claims are sent and their values:
- Default claims include: NameID, email, first name, last name
- Custom claims can map to any user attribute or use transformation rules
- Group claims can include security group membership, emitted as group object IDs by default. Where the app only needs a few groups, restrict the claim to groups assigned to the application: a SAML token carries at most 150 groups, and a user in more groups receives a group overage claim instead of the list
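The service-provider side of these parameters, as an added example in Python (not code from the page or from Microsoft): a relying party that checks an incoming assertion's Issuer, validity window, Audience (which must equal the configured Entity ID byte for byte) and SubjectConfirmationData Recipient (the Reply URL) before it trusts the NameID and claims, then returns the claims, including the multi-valued group claim. The assertion, tenant ID, group IDs and URLs are constructed placeholders, and XML signature verification is assumed to have been done by a SAML library beforehand; it is not implemented here.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"
# Claim URIs Entra ID uses for the default email claim and for group membership
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

class SamlValidationError(Exception):
    pass

@dataclass(frozen=True)
class SpConfig:
    entity_id: str  # Identifier (Entity ID) entered in Entra ID
    acs_url: str    # Reply URL (Assertion Consumer Service URL)
    issuer: str     # https://sts.windows.net/<tenant-id>/ for an Entra ID tenant
    clock_skew: timedelta = timedelta(minutes=2)

def _parse_time(value):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(xml_text, cfg, now):
    """Return (NameID, claims) if the assertion is addressed to this SP and is inside
    its validity window. XML signature verification is assumed to have run already."""
    root = ET.fromstring(xml_text)
    if root.tag != ASSERTION_TAG:
        raise SamlValidationError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != cfg.issuer:
        raise SamlValidationError(f"unexpected issuer {issuer!r}")
    conds = root.find("saml:Conditions", NS)
    if conds is None:
        raise SamlValidationError("missing Conditions")
    not_before = _parse_time(conds.get("NotBefore"))
    not_on_or_after = _parse_time(conds.get("NotOnOrAfter"))
    if now < not_before - cfg.clock_skew or now >= not_on_or_after + cfg.clock_skew:
        raise SamlValidationError("assertion outside its validity window")
    # Audience must equal the Entity ID exactly; a trailing slash is a mismatch
    audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cfg.entity_id not in audiences:
        raise SamlValidationError(f"audience {audiences} != Entity ID {cfg.entity_id!r}")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg.acs_url:
        raise SamlValidationError("Recipient does not match the Reply URL")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, claims

# Constructed, unsigned assertion in the shape Entra ID emits (IDs are placeholders)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@contoso.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://app.contoso.com/saml/acs"
          NotOnOrAfter="2024-05-01T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.contoso.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>alice@contoso.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GROUPS_CLAIM}">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SAMPLE_CONFIG = SpConfig(entity_id="https://app.contoso.com",
                         acs_url="https://app.contoso.com/saml/acs",
                         issuer=f"https://sts.windows.net/{TENANT_ID}/")
SAMPLE_NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)

def run_sample():
    """Validate the sample as the correct SP, then with an Entity ID that differs only
    by a trailing slash. Returns (name_id, claims, error_message_for_bad_config)."""
    name_id, claims = validate_assertion(SAMPLE_ASSERTION, SAMPLE_CONFIG, SAMPLE_NOW)
    bad_cfg = replace(SAMPLE_CONFIG, entity_id="https://app.contoso.com/")
    try:
        validate_assertion(SAMPLE_ASSERTION, bad_cfg, SAMPLE_NOW)
        error = None
    except SamlValidationError as exc:
        error = str(exc)
    return name_id, claims, error

if __name__ == "__main__":
    print(run_sample())
```

Running it shows the assertion accepted by the correct configuration and rejected by one whose Entity ID differs only by a trailing slash, which is the usual cause of an audience mismatch when the Identifier entered in Entra and the one in the app's own metadata disagree.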
User Assignment
The User assignment required toggle (the appRoleAssignmentRequired property of the service principal) controls whether every user in the tenant can obtain a token for the app or only assigned users and groups:
- Yes: Only users/groups explicitly assigned can access the app; anyone else who authenticates is refused with error AADSTS50105
- No: All users in the tenant, guests included, can access the app, so authorization is left entirely to the application itself
Leave it on Yes unless the app is genuinely meant for everyone in the directory.
Automatic User Provisioning (SCIM)
SCIM (System for Cross-domain Identity Management) automates user lifecycle management between Entra ID and SaaS applications:
- Create: When a user is assigned to the app, an account is provisioned
- Update: Attribute changes in Entra ID are synced to the app
- Disable/Delete: When a user is unassigned, falls out of scope, or is soft-deleted in Entra ID, the provisioning service disables the account in the app (sets active to false); when the user is permanently deleted from Entra ID, after the 30-day soft-delete window, the account in the app is deleted
Provisioning configuration:
- Attribute mappings: Map Entra ID attributes to app attributes
- Scoping filters: Define which users are in scope for provisioning
- Provisioning mode: Manual (no scheduled cycles; use Provision on demand to push individual users) or Automatic (an initial cycle over all users in scope, then incremental cycles roughly every 40 minutes)
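The create, update and disable/delete flow above, as an added Python example that models both sides in-process (not the page's code and not Microsoft's provisioning service): an in-memory SCIM 2.0 /Users resource stands in for the target app, and a cycle function matches each changed user on userName, POSTs new users, PATCHes only the attributes that changed, sets active to false for users who leave scope, and DELETEs after a hard delete. The source user dictionaries, the department scoping filter and the attribute mapping are assumptions chosen for the example.

```python
import copy

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimUserStore:
    """The target application's /Users endpoint, kept in memory."""

    def __init__(self):
        self.users = {}
        self._next_id = 1

    def get_by_username(self, user_name):
        # GET /Users?filter=userName eq "...": the matching query Entra ID sends first
        return next((u for u in self.users.values() if u["userName"] == user_name), None)

    def create(self, resource):  # POST /Users
        uid = str(self._next_id)
        self._next_id += 1
        self.users[uid] = {"id": uid, "schemas": [SCIM_USER], **copy.deepcopy(resource)}
        return self.users[uid]

    def patch(self, uid, patch_op):  # PATCH /Users/{id}, "replace" ops on dotted paths
        user = self.users[uid]
        for op in patch_op["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError(f"unsupported op {op['op']}")
            parent, _, leaf = op["path"].rpartition(".")
            node = user
            for part in parent.split(".") if parent else []:
                node = node.setdefault(part, {})
            node[leaf] = op["value"]
        return user

    def delete(self, uid):  # DELETE /Users/{id}
        del self.users[uid]

def map_to_scim(u):
    """Attribute mappings, simplified from the default SCIM mapping: UPN -> userName,
    accountEnabled -> active, givenName/surname -> name, mail -> emails."""
    return {
        "userName": u["userPrincipalName"],
        "active": u["accountEnabled"],
        "displayName": u["displayName"],
        "name": {"givenName": u["givenName"], "familyName": u["surname"]},
        "emails": [{"type": "work", "primary": True, "value": u["mail"]}],
    }

def in_scope(u, department):
    """Scoping: assigned to the app and a constructed 'department eq ...' filter."""
    return u["assignedToApp"] and u["department"] == department

def _replace_ops(current, desired, prefix=""):
    """Diff the desired resource against the stored one; one replace op per change."""
    ops = []
    for key, value in desired.items():
        if isinstance(value, dict):
            ops += _replace_ops(current.get(key, {}), value, prefix + key + ".")
        elif current.get(key) != value:
            ops.append({"op": "replace", "path": prefix + key, "value": value})
    return ops

class ProvisioningService:
    """Chooses, per changed user, which SCIM call an incremental cycle makes."""

    def __init__(self, store, department):
        self.store, self.department = store, department

    def run_cycle(self, changed_users):
        actions = []
        for u in changed_users:
            desired = map_to_scim(u)
            name = desired["userName"]
            existing = self.store.get_by_username(name)
            if u.get("hardDeleted"):  # permanently deleted from Entra ID
                if existing:
                    self.store.delete(existing["id"])
                    actions.append(("delete", name))
            elif in_scope(u, self.department) and not u.get("softDeleted"):
                if existing is None:
                    self.store.create(desired)
                    actions.append(("create", name))
                elif ops := _replace_ops(existing, desired):
                    self.store.patch(existing["id"], {"schemas": [SCIM_PATCH], "Operations": ops})
                    actions.append(("update", name))
            elif existing and existing.get("active"):  # unassigned, out of scope or soft-deleted
                disable = {"op": "replace", "path": "active", "value": False}
                self.store.patch(existing["id"], {"schemas": [SCIM_PATCH], "Operations": [disable]})
                actions.append(("disable", name))
        return actions

def sample_run():
    """Walk one constructed user through create, update, disable and delete."""
    store = ScimUserStore()
    svc = ProvisioningService(store, department="Engineering")
    alice = {"userPrincipalName": "alice@contoso.com", "displayName": "Alice Adams",
             "givenName": "Alice", "surname": "Adams", "mail": "alice@contoso.com",
             "accountEnabled": True, "department": "Engineering", "assignedToApp": True}
    bob = {**alice, "userPrincipalName": "bob@contoso.com", "mail": "bob@contoso.com",
           "displayName": "Bob Brown", "givenName": "Bob", "surname": "Brown", "department": "Sales"}
    c1 = svc.run_cycle([alice, bob])                          # alice created; bob out of scope
    c2 = svc.run_cycle([{**alice, "surname": "Baker"}])       # attribute change -> PATCH
    c3 = svc.run_cycle([{**alice, "assignedToApp": False}])   # unassigned -> active=false
    c4 = svc.run_cycle([{**alice, "hardDeleted": True}])      # hard delete -> DELETE
    return c1, c2, c3, c4, store
```

The point to notice is the third cycle: leaving scope does not delete the account, it only sets active to false, so a user who is re-assigned later gets the same account re-enabled by a replace of active, with the attribute diff catching up any changes made in between.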
Consent Permissions Review
Under Enterprise applications > (the app) > Permissions, you can review which permissions each app has been granted:
- Admin consent: application and delegated permissions an administrator consented to on behalf of the whole tenant
- User consent: delegated permissions that individual users consented to for themselves
Review these regularly to find over-privileged applications: application permissions that let the app act without any signed-in user, tenant-wide delegated grants on sensitive scopes such as Mail.ReadWrite, and multi-tenant apps owned by another organization that hold either.
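A triage pass over exported grants, as an added Python example (not the page's code): it takes oauth2PermissionGrant and servicePrincipal records in the shape Microsoft Graph returns (a grant whose consentType is AllPrincipals is what the Admin consent tab shows, one whose consentType is Principal is a User consent entry) and scores each grant on high-privilege scopes, tenant-wide consent, a client app owned by a different tenant, and offline_access alongside sensitive scopes. The records are constructed, the IDs are placeholders, and the scope list and weights are this example's own choices.

```python
# Scopes this example treats as high-privilege; extend to match your own policy
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.ReadWrite.All", "Directory.ReadWrite.All", "Directory.AccessAsUser.All",
    "User.ReadWrite.All", "Group.ReadWrite.All", "Application.ReadWrite.All",
}

def review_grants(grants, service_principals, tenant_id):
    """Score each oauth2PermissionGrant and return findings, riskiest first.
    A grant with no risk indicators produces no finding."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        client = sps.get(g["clientId"], {})
        resource = sps.get(g["resourceId"], {})
        scopes = set(g["scope"].split())
        reasons, score = [], 0
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-privilege scopes: " + ", ".join(risky))
            score += 2 * len(risky)
        if g["consentType"] == "AllPrincipals":
            reasons.append("tenant-wide grant (admin consent on behalf of all users)")
            score += 3
        owner = client.get("appOwnerOrganizationId")
        if owner is not None and owner != tenant_id:  # None: owner unknown in this export
            reasons.append("client app is owned by another tenant")
            score += 2
        if "offline_access" in scopes and risky:
            reasons.append("offline_access: refresh tokens keep the access alive")
            score += 1
        if reasons:
            findings.append({
                "client": client.get("displayName", g["clientId"]),
                "resource": resource.get("displayName", g["resourceId"]),
                "consentType": g["consentType"],
                "principalId": g.get("principalId"),
                "scopes": sorted(scopes),
                "score": score,
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["score"], reverse=True)

# Constructed records in the shape Graph returns; all IDs are placeholders
TENANT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-graph", "displayName": "Microsoft Graph", "appOwnerOrganizationId": None},
    {"id": "sp-expense", "displayName": "Expense Viewer", "appOwnerOrganizationId": TENANT_ID},
    {"id": "sp-mailhelper", "displayName": "Mail Helper",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
]
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-expense", "consentType": "Principal", "principalId": "user-1",
     "resourceId": "sp-graph", "scope": "openid profile User.Read"},
    {"id": "g2", "clientId": "sp-mailhelper", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "openid Mail.ReadWrite offline_access"},
    {"id": "g3", "clientId": "sp-expense", "consentType": "Principal", "principalId": "user-2",
     "resourceId": "sp-graph", "scope": "Files.ReadWrite.All"},
]

def sample_findings():
    return review_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS, TENANT_ID)

if __name__ == "__main__":
    for f in sample_findings():
        print(f["score"], f["client"], "->", f["resource"], f["reasons"])
```

Feed it the JSON from GET /oauth2PermissionGrants and GET /servicePrincipals (or the equivalent Graph PowerShell output) and the tenant-wide, externally owned mailbox grant sorts to the top, while the ordinary openid/profile/User.Read consent that most apps collect produces no finding at all, which keeps the review list short enough to actually act on.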
My Apps Portal
The My Apps portal (https://myapps.microsoft.com) provides users with a launch pad for their assigned applications. You can organize apps into collections for better user experience.
- ✓SAML Entity ID must be unique across all enterprise apps in your tenant: duplicates cause errors
- ✓User assignment required = Yes means only assigned users/groups can access the app (AADSTS50105 error otherwise)
- ✓SCIM provisioning cycles run every 40 minutes by default; initial cycle is longer than incremental cycles
- ✓SAML, OIDC, password-based, linked, and header-based are the five SSO methods available
- ✓Attribute mappings in SCIM provisioning control which Entra ID attributes sync to the target application
1. A user receives error AADSTS50105 when trying to access an enterprise application. What is the cause?
2. How often does the automatic SCIM provisioning cycle run by default?
3. Which SSO method should be configured for a legacy on-premises web application that reads identity from HTTP headers?