Microsoft Tech Community

Azure AD - Enterprise Application - Where to deploy?


In our development environments we're creating a new "Enterprise Application" in Azure and deploying it to tenant applications via Principal Objects that tenant administrators authorize through an OAuth2 admin consent link (e.g. https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=APP_CLIENT_ID...).

 

So right now we've got a multi-tenanted application created under OUR_DEV_TENANT that we test-deploy as Principal objects in other tenants (CLIENT_1_TENANT, CLIENT_2_TENANT).

Where I'm confused is where I create the "production" version of this multi-tenanted enterprise application we wish to deploy to our production clients?
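The admin consent link in the question is the point where a customer tenant instantiates the provider's multi-tenant app as a service principal, so it is also where the provider's callback handler needs to be careful. The following is an added example, not code from the original thread or from Microsoft: it builds a consent request against the v2.0 `/adminconsent` endpoint (`https://login.microsoftonline.com/common/adminconsent`, an assumption in place of the v1 link quoted above) with an unguessable `state`, and validates the redirect that comes back. The `client_id` and `redirect_uri` values in the test are placeholders. The two checks a defender wants are that `state` is compared before anything else is trusted (so a forged or replayed callback cannot bind a tenant to the wrong session) and that the tenant id is taken only from the `tenant` parameter Azure AD returns, never from anything the user typed.

```python
"""Build a multi-tenant admin-consent request and validate its redirect.

Added example, not part of the original thread. Assumes the v2.0
/adminconsent endpoint and placeholder client_id / redirect_uri values.
"""
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint: the tenant-independent ("common") admin consent URL.
CONSENT_ENDPOINT = "https://login.microsoftonline.com/common/adminconsent"


class ConsentError(Exception):
    """Raised when the consent redirect must be rejected."""


def build_admin_consent_url(client_id: str, redirect_uri: str,
                            state: Optional[str] = None) -> Tuple[str, str]:
    """Return (url, state).

    `state` is a random token the provider stores server-side (e.g. in the
    admin's session) so the callback can be tied back to this request.
    """
    if state is None:
        state = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{CONSENT_ENDPOINT}?{urlencode(params)}", state


def parse_consent_redirect(redirect_url: str, expected_state: str) -> str:
    """Validate the redirect from Azure AD and return the consenting tenant id.

    Order matters: state is checked first, so an error or success payload
    from a callback we never issued is discarded before it is interpreted.
    """
    qs = parse_qs(urlparse(redirect_url).query)

    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ConsentError("state mismatch: discard this callback")

    if "error" in qs:
        desc = qs.get("error_description", [""])[0]
        raise ConsentError(f"consent failed: {qs['error'][0]} {desc}".rstrip())

    if qs.get("admin_consent", ["False"])[0].lower() != "true":
        raise ConsentError("admin consent was not granted")

    # The only trustworthy statement of *which* customer tenant consented.
    tenant = qs.get("tenant", [None])[0]
    if not tenant:
        raise ConsentError("redirect is missing the tenant id")
    return tenant


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    url, st = build_admin_consent_url(
        "00000000-0000-0000-0000-000000000000",
        "https://app.example.test/consent/callback")
    print("send the tenant admin to:", url)
    callback = ("https://app.example.test/consent/callback"
                f"?admin_consent=True&tenant=11111111-1111-1111-1111-111111111111&state={st}")
    print("consenting tenant:", parse_consent_redirect(callback, st))
```

Once `parse_consent_redirect` returns, the provider records the tenant id against the customer account and can then request tokens for that tenant; a callback that fails any check is simply dropped and logged.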

7 Replies

Hello Butch,

 

You can deploy the production version of the application in your own production tenant, and all of your clients will add an instance of this application in their production tenant. (That is likewise how SaaS infra works.)

Benefits :-

You will have the entire control of the application. 

None of the customers will allow the data to be shared with some other organization.

If you have the application added in your own tenant, administering and controlling the application will be much easier.

 

Thanks,

Rishabh

 

Hi Rishabh,

 

Thank you for the response. I just had a few follow-up questions if that's OK.

 

Our application is created as a non-gallery enterprise application, which requires an "Azure AD Premium P2" subscription level.

 

  1. When deploying this application into client tenants, will they also require this subscription level in order to utilise the application?
  2. When clients install the application, the $9 user/month cost is the host tenant's installation cost, not ours?

Hello Butch,

 

It will be your client/customer who will need the premium license.

Since adding a non-gallery app should be available on their tenant.

 

If by any chance you are planning to get your app published in gallery check the below mentioned link, 

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-app-gallery-listing

 

Regards,

Rishabh

Great info!

 

So, do we only need the "AD Premium" licence in our tenant to create the application (so that it has Provisioning / Single Sign On tabs).  Do we need to maintain the premium licence after the applications are created?

 

 

[Attached image: premium_required.png]

I don't think you need a premium license.

Let's understand this step by step:-

Being an application provider you can either use Azure or you can use any other cloud solution provider or you can also host your application in your enterprise data center.

You will publish this application as per your LOB defined for different clients.

Now you want to make this application available in Azure.

For that you can simply add this application in your tenant as multi-tenant application.
Click the below mentioned article to check how multi-tenant application works.

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tena...

 

Now let's say one of your customers wants to use your application (provided that your application can handle SSO).
Then with respect to the instance of your application that you have created for your customer (like specific endpoints/URIs).

Your customer will choose the option of non-gallery application for which they need to have a premium license.

Note:- You can be any independent application provider; all Azure AD needs is a federation trust that can be established.

Regards,
Rishabh

Yes, we are a SaaS service that hosts the application. We've just completed our integration with Azure SSO via SAML2.

 

We don't want to have to walk our clients through setting up a non-gallery application - e.g. configuring all the SSO information / adding the permissions etc. 

 

We're just going to have them install an instance of our preconfigured application into their tenant using admin consent

 

If I understand you correctly, the only way to get around not having a premium licence of our own is to have our clients configure their own non-gallery application every time we onboard one?

Yes, your customers/clients who use the non-gallery application option need to have a premium license.

 

Regards,

Rishabh