Enterprise Application Settings and Configuration
Enterprise Application Settings and Configuration in Microsoft Entra ID (formerly Azure AD) is a critical aspect of managing workload identities. Enterprise applications represent instances of applications that are registered in your tenant, including service principals, managed identities, and third-party SaaS applications.

**Key Configuration Areas:**
1. **Properties:** Administrators can configure basic settings such as enabling/disabling user sign-in, requiring user assignment, and controlling visibility in the My Apps portal. The 'Enabled for users to sign-in' toggle controls whether users can authenticate to the application.
2. **User and Group Assignment:** When assignment is required, only explicitly assigned users and groups can access the application. This enforces least-privilege access and ensures proper authorization controls.
3. **Permissions and Consent:** Administrators manage API permissions granted to applications, including delegated and application permissions. Admin consent can be granted tenant-wide, and consent policies can restrict which permissions users can grant independently.
4. **Conditional Access Policies:** Enterprise applications can be targeted by Conditional Access policies to enforce MFA, device compliance, location-based restrictions, and session controls.
5. **Single Sign-On (SSO):** Configuration options include SAML, OpenID Connect, password-based, and linked SSO methods. SAML-based SSO requires configuring identifiers, reply URLs, signing certificates, and attribute mappings.
6. **Token Configuration:** Administrators can customize claims emitted in tokens, configure optional claims, and manage token lifetime policies.
7. **Provisioning:** Automated user provisioning via the SCIM protocol enables lifecycle management of user accounts in third-party applications.
8. **Self-Service:** Settings allow users to request access to applications and manage their own group memberships with approval workflows.

**Tenant-Wide Settings:** Under Enterprise Applications > User Settings, administrators can control whether users can consent to applications, register applications, and access the My Apps portal. These global settings establish the security baseline for application access across the organization, ensuring proper governance of workload identities.
Enterprise Application Settings and Configuration (SC-300)
Why Is This Important?
Enterprise applications in Microsoft Entra ID (formerly Azure AD) are a cornerstone of identity and access management in modern organizations. Every time a user signs in to a SaaS application, accesses an API, or uses an internal line-of-business app, an enterprise application (service principal) is involved. Properly configuring enterprise application settings is critical because:
- Security: Misconfigured enterprise apps can lead to unauthorized access, data leakage, or privilege escalation.
- Compliance: Organizations must control which applications users can access and what data those applications can consume, especially under regulations like GDPR, HIPAA, and SOC 2.
- Governance: Administrators need visibility and control over which applications exist in the tenant, who can consent to them, and what permissions they hold.
- User Experience: Proper configuration ensures seamless single sign-on (SSO), correct user assignments, and appropriate conditional access policies.
For the SC-300 (Microsoft Identity and Access Administrator) exam, understanding enterprise application settings is essential because a significant portion of the exam focuses on planning and implementing workload identities, managing application access, and governing application permissions.
What Is an Enterprise Application?
In Microsoft Entra ID, an enterprise application is essentially the local representation (service principal) of an application within your tenant. When an application is registered (either in your tenant or in another tenant), a service principal object is created in your directory. This object defines what the application can actually do in your specific tenant, who can access it, and what resources it can reach.
There are several types of enterprise applications:
- Gallery applications: Pre-integrated apps from the Microsoft Entra application gallery (e.g., Salesforce, ServiceNow, Zoom).
- Non-gallery applications: Custom apps that are not in the gallery but can be manually integrated.
- On-premises applications: Apps published through Microsoft Entra Application Proxy.
- Microsoft applications: First-party Microsoft services like Office 365, Azure Portal, etc.
- Applications you develop: Custom-built apps registered via App Registrations.
Key Enterprise Application Settings and How They Work
1. Properties
The Properties blade allows you to configure fundamental settings:
- Enabled for users to sign in: When set to Yes, users assigned to the app can sign in. Setting to No effectively disables the application without deleting it.
- User assignment required: When set to Yes, only users and groups explicitly assigned to the application can access it. When set to No, all users in the tenant can access the application. This is a critical security setting and a frequently tested exam topic.
- Visible to users: Controls whether the app appears on the My Apps portal (myapps.microsoft.com). Setting this to No hides the app from the portal but does not prevent access if the user has the direct URL.
- Logo and Name: Branding elements for user recognition.
2. Users and Groups Assignment
This section controls who can access the application:
- You can assign individual users, security groups, or both.
- When User assignment required is set to Yes, only assigned users/groups can access the app.
- You can also assign specific app roles to users and groups, enabling role-based access control (RBAC) within the application.
- Group-based assignment is a best practice for scalability and governance.
3. Single Sign-On (SSO) Configuration
Enterprise apps support multiple SSO methods:
- SAML-based SSO: Configure SAML assertions, entity IDs, reply URLs, signing certificates, and claim mappings. You upload or configure metadata to establish trust between Microsoft Entra ID and the application.
- OpenID Connect / OAuth: Used primarily with app registrations. SSO is configured via redirect URIs and token configuration on the app registration.
- Password-based SSO: Microsoft Entra ID stores and auto-fills credentials. Useful for legacy apps that do not support federation.
- Linked SSO: Simply provides a link to the application on the My Apps portal without performing actual SSO.
- Disabled: No SSO is configured.
4. Permissions and Consent
This is one of the most important and most tested areas:
- Delegated permissions: Permissions that the app uses on behalf of the signed-in user. The app can never do more than the user themselves can do.
- Application permissions: Permissions that the app uses as itself (without a signed-in user). These are often high-privilege and require admin consent.
- Admin consent: An administrator grants permissions on behalf of the entire organization. Once admin consent is granted, users are not prompted for consent individually.
- User consent: Users can grant permissions to apps themselves, but this can be restricted through tenant-wide consent settings.
- Consent settings (tenant-wide): Found under Enterprise applications > Consent and permissions, admins can configure whether users can consent to apps, and under what conditions. Options include:
- Allow user consent for apps from verified publishers for selected permissions
- Do not allow user consent (all consent requires admin approval)
- Allow user consent for all apps (least restrictive, not recommended)
- Permission classifications: Admins can classify permissions as low risk, enabling users to consent to those specific permissions while blocking consent for others.
- Admin consent workflow: When enabled, users can request admin consent for apps they cannot consent to themselves. Admins receive notifications and can approve or deny requests.
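To make the consent decision logic concrete, the following Python model is an added example (not Microsoft code, and not something the portal exposes) of the outcomes described above: the three tenant-wide user consent settings, permission classifications, the admin consent workflow, and the rule that application permissions always need admin consent. The permission names, app ids and tenant settings are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum

class UserConsentSetting(Enum):
    """The three tenant-wide options under Consent and permissions."""
    DISABLED = "do-not-allow-user-consent"
    VERIFIED_LOW_RISK = "verified-publishers-selected-permissions"
    ALL_APPS = "allow-user-consent-for-all-apps"

@dataclass(frozen=True)
class Permission:
    name: str   # e.g. "User.Read" (constructed sample value)
    kind: str   # "delegated" or "application"

@dataclass
class TenantConsentConfig:
    user_consent: UserConsentSetting
    low_risk: set = field(default_factory=set)           # permission classifications
    admin_consent_workflow: bool = False
    admin_consented: dict = field(default_factory=dict)  # app_id -> set of permission names

@dataclass
class AppRequest:
    app_id: str
    verified_publisher: bool
    requested: list   # Permission objects the app asks for at sign-in

def _needs_admin(cfg, why):
    # Without admin consent the user is either routed to the workflow or stopped.
    if cfg.admin_consent_workflow:
        return "request-admin-consent", why
    return "blocked", why + " (admin consent workflow disabled)"

def evaluate_consent(cfg, req):
    """Return (outcome, reason); outcome is granted, user-consent, request-admin-consent or blocked."""
    already = cfg.admin_consented.get(req.app_id, set())
    missing = [p for p in req.requested if p.name not in already]
    if not missing:
        return "granted", "admin consent covers every requested permission"
    if any(p.kind == "application" for p in missing):
        return _needs_admin(cfg, "application permissions always require admin consent")
    if cfg.user_consent is UserConsentSetting.ALL_APPS:
        return "user-consent", "tenant allows user consent for all apps"
    if cfg.user_consent is UserConsentSetting.VERIFIED_LOW_RISK:
        if req.verified_publisher and all(p.name in cfg.low_risk for p in missing):
            return "user-consent", "verified publisher and only low-risk permissions"
        return _needs_admin(cfg, "unverified publisher or permission not classified low risk")
    return _needs_admin(cfg, "user consent is disabled tenant-wide")
```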
5. Conditional Access
You can apply Conditional Access policies to enterprise applications:
- Target specific enterprise apps as cloud apps in a Conditional Access policy.
- Enforce MFA, device compliance, location restrictions, session controls, and more.
- This ensures that even if a user is assigned to an app, they must meet additional security requirements to access it.
6. Provisioning (User Provisioning and Deprovisioning)
- Automatic provisioning (SCIM): Microsoft Entra ID can automatically create, update, and delete user accounts in SaaS applications using the SCIM protocol.
- Attribute mappings: Define how user attributes in Entra ID map to attributes in the target application.
- Scoping filters: Determine which users are in scope for provisioning based on attribute values.
- Provisioning modes: Automatic (continuous sync) or Manual (on-demand).
- Provisioning logs: Audit who was provisioned, what changed, and any errors.
7. Self-Service
- Self-service application access: Allows users to request access to an application from the My Apps portal without IT intervention.
- You can specify approvers and a group to which approved users are added.
- Requires assignment to be enabled for the application.
8. Token Configuration and Claims
While claims and token configuration are primarily managed under App Registrations, the enterprise application side reflects what is configured:
- Optional claims can be added to SAML tokens or ID/access tokens.
- Group claims can be configured to include security group memberships in tokens.
- Claims transformation rules can be applied for SAML SSO to map directory attributes to SAML assertion attributes.
9. Activity and Sign-in Logs
- Sign-in logs: View who signed in, when, from where, and whether sign-in succeeded or failed.
- Audit logs: Track administrative changes to the enterprise application, such as permission grants, assignment changes, and configuration updates.
- Usage & insights: Aggregated usage data for the application.
How It All Works Together
When a user attempts to access an enterprise application, the following sequence typically occurs:
1. The user navigates to the application or the My Apps portal.
2. Microsoft Entra ID checks if the application is enabled for sign-in.
3. If user assignment required is Yes, Entra ID verifies the user is assigned to the app (directly or via group).
4. Conditional Access policies targeting the app are evaluated. If the user does not meet the conditions (e.g., MFA, compliant device), access is blocked.
5. If consent is required and has not been granted, the user is prompted for consent (or redirected to the admin consent workflow if user consent is restricted).
6. SSO is performed using the configured method (SAML, OIDC, password-based, etc.).
7. The user gains access to the application with the appropriate role and permissions.
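The following Python simulation is an added example, not code from Microsoft or from this page, that walks the seven-step sequence above over constructed service principal, Conditional Access and sign-in data. It also shows that 'Visible to users' plays no part in the decision: a hidden app is still reachable by an assigned user. App, group, user and policy names are sample values.

```python
from dataclasses import dataclass, field

@dataclass
class EnterpriseApp:
    """Constructed service-principal settings from the Properties and assignment blades."""
    name: str
    enabled_for_sign_in: bool = True       # "Enabled for users to sign in"
    assignment_required: bool = True       # "User assignment required"
    visible_to_users: bool = True          # "Visible to users" (My Apps only)
    assigned_users: set = field(default_factory=set)
    assigned_groups: set = field(default_factory=set)
    app_roles: dict = field(default_factory=dict)  # user or group -> app role name
    sso_method: str = "saml"               # saml | oidc | password | linked

@dataclass
class CAPolicy:
    name: str
    cloud_apps: set                         # app names, or {"All cloud apps"}
    require_mfa: bool = False
    require_compliant_device: bool = False

@dataclass
class SignIn:
    user: str
    groups: set = field(default_factory=set)
    mfa_satisfied: bool = False
    device_compliant: bool = False
    consent_granted: bool = True            # admin or user consent already in place

def evaluate_access(app, policies, s):
    """Walk the sequence from the page; return (allowed, role or blocking reason)."""
    # Step 2: a disabled app rejects everyone, assigned or not.
    if not app.enabled_for_sign_in:
        return False, "application is disabled for sign-in"
    # Step 3: assignment counts directly or via group; visibility is never consulted.
    principals = {s.user} | s.groups
    if app.assignment_required and not (principals & (app.assigned_users | app.assigned_groups)):
        return False, "user assignment required and user is not assigned"
    # Step 4: every CA policy targeting this app (or all cloud apps) must be satisfied.
    for p in policies:
        if "All cloud apps" not in p.cloud_apps and app.name not in p.cloud_apps:
            continue
        if p.require_mfa and not s.mfa_satisfied:
            return False, f"blocked by {p.name}: MFA required"
        if p.require_compliant_device and not s.device_compliant:
            return False, f"blocked by {p.name}: compliant device required"
    # Step 5: consent must already be granted (see the consent section).
    if not s.consent_granted:
        return False, "consent required and not yet granted"
    # Steps 6-7: SSO runs with the configured method; the role comes from the assignment.
    role = next((app.app_roles[p] for p in principals if p in app.app_roles), "default")
    return True, f"{app.sso_method} sso, role={role}"
```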
Tenant-Wide Application Settings
Under Enterprise applications > User settings, administrators can configure:
- Whether users can register applications (app registrations).
- Whether users can consent to applications accessing company data on their behalf.
- Whether users can add gallery apps to their My Apps portal.
- Whether the admin consent workflow is enabled.
These tenant-wide settings are extremely important for security and are commonly tested on the SC-300 exam.
Exam Tips: Answering Questions on Enterprise Application Settings and Configuration
1. Understand 'User Assignment Required'
This is one of the most frequently tested concepts. Remember:
- When set to Yes: Only assigned users/groups can access the app. Unassigned users get an error.
- When set to No: All users in the tenant can access the app. No assignment is needed.
- If a question asks how to restrict access to specific users, the answer almost always involves setting user assignment required to Yes and then assigning specific users or groups.
2. Know the Consent Framework Inside Out
- Understand the difference between delegated permissions and application permissions.
- Application permissions ALWAYS require admin consent.
- Delegated permissions may or may not require admin consent depending on the permission scope.
- Know how to configure admin consent workflow and permission classifications.
- If a question describes users being unable to consent to an app, consider whether user consent is disabled at the tenant level.
3. Differentiate Between App Registrations and Enterprise Applications
- App Registration = The application definition (global object, also called application object). This is where you define redirect URIs, certificates/secrets, API permissions, and token configuration.
- Enterprise Application = The service principal (local instance in your tenant). This is where you manage SSO configuration, user/group assignments, Conditional Access, provisioning, and consent for that specific tenant.
- Exam questions often test whether you know where to go to perform a specific task. For example, assigning users to an app is done in Enterprise Applications, not App Registrations.
4. SAML SSO Configuration Details
- Know the key SAML configuration elements: Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), Sign-on URL, Relay State, and Logout URL.
- Understand the SAML Signing Certificate and how to manage certificate rollover.
- Know that you can configure custom claims in the SAML token, including group claims and claims based on directory attributes.
- If a question mentions SSO failing with a certificate error, think about certificate expiration and renewal.
5. Provisioning Questions
- Automatic provisioning uses SCIM 2.0.
- Know the concepts of attribute mappings and scoping filters.
- If a question says users are not being provisioned correctly, consider incorrect scoping filters or attribute mapping issues.
- Understand the provisioning cycle: initial cycle (full sync) vs. incremental cycle.
6. Conditional Access and Enterprise Apps
- Enterprise applications are targeted as cloud apps in Conditional Access policies.
- Know that you can target All cloud apps or specific apps.
- Some Microsoft apps have dependencies (e.g., Microsoft Teams depends on SharePoint Online and Exchange Online). Understand how this affects Conditional Access targeting.
- If a question asks about enforcing MFA for a specific application, the answer involves creating a Conditional Access policy targeting that enterprise app.
7. Visibility vs. Access
- Visible to users controls visibility on the My Apps portal ONLY. It does NOT control access.
- Enabled for users to sign in controls whether users can authenticate to the app at all.
- User assignment required controls who can access the app.
- Exam questions may try to confuse these settings. Read carefully.
8. Self-Service Application Access
- Know that self-service access requires a group to which approved users are added.
- Approvers can be specified to review access requests.
- This feature works with the My Apps portal.
9. Activity Monitoring
- Sign-in logs show authentication attempts and results.
- Audit logs show administrative changes.
- Provisioning logs show user provisioning activities.
- Know where each type of log is located and what information it provides.
10. Common Exam Scenarios
- Scenario: Users report they cannot access an application. → Check if the app is enabled for sign-in, if user assignment is required (and if the user is assigned), and if a Conditional Access policy is blocking access.
- Scenario: You need to allow a third-party app to read all users' mailboxes without user sign-in. → This requires application permissions with admin consent.
- Scenario: You want to ensure only compliant devices can access Salesforce. → Create a Conditional Access policy targeting the Salesforce enterprise app requiring device compliance.
- Scenario: Users are being prompted for consent to an app, and you want to prevent this. → Grant admin consent for the app, or restrict user consent at the tenant level and enable the admin consent workflow.
11. Key Decision Matrix for Exam Questions
Ask yourself these questions when answering:
- Is this a task for App Registrations or Enterprise Applications?
- Does the scenario involve delegated or application permissions?
- Is admin consent required, or can the user consent?
- Is the question about authentication (SSO) or authorization (permissions, assignments)?
- Does the question involve user access or application access (workload identity)?
12. Remember the Principle of Least Privilege
Microsoft exam questions almost always favor the answer that provides the least privilege necessary to accomplish the task. If two options both solve the problem but one grants broader access, choose the more restrictive option.
By mastering these enterprise application settings and understanding how they interrelate, you will be well-prepared to answer SC-300 exam questions on this topic confidently and accurately.