Jul 30 2018 - last edited on Jan 14 2022
In our development environments we're creating a new "Enterprise Application" in Azure and deploying it to tenant applications via Principal objects that tenant administrators authorize through an OAuth2 admin consent link (e.g. https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=APP_CLIENT_ID...).
So right now we've got a multi-tenanted application created under OUR_DEV_TENANT that we test-deploy as Principal objects in other tenants (CLIENT_1_TENANT, CLIENT_2_TENANT).
Where I'm confused is where I create the "production" version of this multi-tenanted enterprise application we wish to deploy to our production clients?
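The admin consent link quoted in the question is the one piece of the onboarding flow a SaaS provider actually writes code around, so here is an added example (it is not from the original post or from any Microsoft sample) of the two halves of that flow: minting the tenant-agnostic consent URL bound to a single-use `state`, and handling the redirect back from Azure AD so that only tenants whose admin actually consented are trusted afterwards. `APP_CLIENT_ID`, `REDIRECT_URI`, the tenant IDs used in the usage call and the in-memory `ConsentStore` are placeholders constructed for this example; the callback parameter names (`admin_consent`, `tenant`, `state`, `error`) and the v1 issuer form `https://sts.windows.net/<tenant-id>/` are the documented Azure AD behaviour.

```python
"""Admin-consent onboarding for a multi-tenant Azure AD application (added example).

Flow demonstrated:
  1. build_admin_consent_url(): the /common authorize endpoint with prompt=admin_consent,
     bound to a random, single-use `state` value;
  2. handle_callback(): verify `state` (CSRF / replay), reject declined consent, and record
     the consenting tenant ID;
  3. is_trusted_issuer(): accept tokens only from tenants that completed step 2.
"""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"
APP_CLIENT_ID = "00000000-0000-0000-0000-000000000000"            # placeholder client id
REDIRECT_URI = "https://app.example.com/azure/consent-callback"   # placeholder reply URL
V1_ISSUER_PREFIX = "https://sts.windows.net/"


class ConsentStore:
    """In-memory stand-in for the provider's database: pending states and onboarded tenants."""

    def __init__(self):
        self.pending_states = set()
        self.onboarded_tenants = set()

    def build_admin_consent_url(self):
        """Return the link a tenant admin opens. `state` is minted here and must come back unchanged."""
        state = secrets.token_urlsafe(32)
        self.pending_states.add(state)
        params = {
            "client_id": APP_CLIENT_ID,
            "response_type": "code",
            "redirect_uri": REDIRECT_URI,
            "prompt": "admin_consent",   # consent on behalf of the whole tenant, not one user
            "state": state,
        }
        return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, callback_url):
        """Process the redirect back from Azure AD and return the consenting tenant ID.

        On success Azure AD appends admin_consent=True&tenant=<tenant-id>&state=<state>;
        if the admin declines it appends error=...&error_description=... instead.
        Raises ValueError on a malformed or replayed callback, PermissionError on denial.
        """
        query = parse_qs(urlsplit(callback_url).query)
        state = query.get("state", [None])[0]
        # Single-use state: an attacker cannot forge or replay a consent response.
        if state not in self.pending_states:
            raise ValueError("unknown or replayed state")
        self.pending_states.discard(state)
        if "error" in query:
            raise PermissionError(query.get("error_description", ["consent denied"])[0])
        if query.get("admin_consent", [""])[0].lower() != "true":
            raise ValueError("callback lacks admin_consent=True")
        tenant_id = query.get("tenant", [None])[0]
        if not tenant_id:
            raise ValueError("callback lacks tenant id")
        self.onboarded_tenants.add(tenant_id)
        return tenant_id

    def is_trusted_issuer(self, issuer):
        """True only if the token's `iss` claim names a tenant that completed admin consent."""
        if not issuer.startswith(V1_ISSUER_PREFIX) or not issuer.endswith("/"):
            return False
        tenant_id = issuer[len(V1_ISSUER_PREFIX):-1]
        return tenant_id in self.onboarded_tenants


if __name__ == "__main__":
    # Constructed walk-through: mint a link, simulate the admin's successful redirect.
    store = ConsentStore()
    link = store.build_admin_consent_url()
    minted_state = parse_qs(urlsplit(link).query)["state"][0]
    tenant = store.handle_callback(
        f"{REDIRECT_URI}?admin_consent=True&tenant=11111111-1111-1111-1111-111111111111&state={minted_state}"
    )
    print("onboarded tenant:", tenant)
    print("trusted:", store.is_trusted_issuer(f"{V1_ISSUER_PREFIX}{tenant}/"))
```

The last check is the one multi-tenant apps most often skip: because the app is registered for `/common`, Azure AD will happily issue it tokens from any tenant, so the provider, not Azure AD, has to decide which tenant IDs are customers. Keying that decision off the `tenant` value returned by a state-verified consent callback is what ties "the admin consented" to "we accept this tenant's tokens".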
Jul 30 2018 11:46 PM
You can deploy the production version of the application in your own production tenant and all of your clients will add an instance of this application in their production tenant. (This is likewise how the SaaS infra works.)
You will have entire control of the application.
None of the customers will allow their data to be shared with some other organization.
If you have the application added in your own tenant, administering and controlling the application will be much easier.
Jul 31 2018 03:24 AM
Thank you for the response. I just had a few followup questions if that's OK.
Our application is created as a non-gallery enterprise application, which requires an "Azure AD Premium P2" subscription level.
Jul 31 2018 10:19 PM
It will be your client/customer who will need the premium license,
since adding a non-gallery app should be available in their tenant.
If by any chance you are planning to get your app published in the gallery, check the below-mentioned link.
Aug 01 2018 05:36 AM
So, do we only need the "AD Premium" licence in our tenant to create the application (so that it has the Provisioning / Single Sign On tabs)? Do we need to maintain the premium licence after the applications are created?
Aug 01 2018 11:21 AM - edited Aug 01 2018 11:22 AM
I don't think you need a premium license.
Let's understand this step by step:
Being an application provider, you can either use Azure, or you can use any other cloud solution provider, or you can also host your application in your enterprise data center.
You will publish this application as per your LOB defined for different clients.
Now you want to make this application available in Azure.
For that you can simply add this application in your tenant as a multi-tenant application.
Click the below-mentioned article to check how multi-tenant applications work.
Now let's say one of your customers wants to use your application (provided that your application can handle SSO).
Then, with respect to the instance of your application that you have created for your customer (like specific endpoints/URIs):
Your customer will choose the option of non-gallery application, for which they need to have a premium license.
Note: You can be any independent application provider; all Azure AD needs is a federation trust that can be established.
Aug 01 2018 12:20 PM
Yes, we are a SaaS service that hosts the application. We've just completed our integration with Azure SSO via SAML2.
We don't want to have to walk our clients through setting up a non-gallery application, e.g. configuring all the SSO information, adding the permissions, etc.
We're just going to have them install an instance of our preconfigured application into their tenant using admin consent.
If I understand you correctly, the only way to get around not having a premium licence of our own is to have our clients configure their own non-gallery application every time we onboard one?
Aug 01 2018 10:22 PM
Yes, your customers/clients who use the non-gallery application option need to have the premium license.