Integrating Entra ID as the identity provider for Single Sign-On (SSO) with applications such as Salesforce centralizes user access to third-party applications, with authentication handled by Entra ID.
The process begins in the Entra Admin Center under “Enterprise Applications,” where a new application is added. If the desired application is not available, a custom app can be created. In the case of Salesforce, the SSO configuration involves entering specific URLs such as the Identifier URL and the Assertion Consumer Service URL, which are provided by Salesforce. This method can also be used to integrate other third-party applications.
Adding Applications and User Groups in Entra ID for Single Sign-On
The integration of applications and user groups in Entra ID for setting up Single Sign-On (SSO) enables centralized management of enterprise applications. Through the Entra Admin Center, enterprise applications can be set up for SSO. Both cloud-based and on-premises applications can be integrated.
By utilizing Entra ID, authentication mechanisms such as SAML and OAuth can be configured. Once an application is added, users and groups can be assigned. Administrators can be designated as owners to manage the applications. By selecting the appropriate authentication mode, user access can be customized, including the ability to be automatically logged in via SSO.
Enterprise Applications vs App Registrations in Entra ID
Functions and Differences
External services or Software-as-a-Service applications (SaaS) that are integrated into a tenant are referred to as Enterprise Applications. These applications utilize Service Principals to manage permissions for users or groups in the tenant. Administrators can precisely control who has access to which Enterprise Application. This is managed through the Entra Admin Center, where applications from the Microsoft catalog can be selected or custom applications can be added. The integration often includes configuring Single Sign-On (SSO) using authentication protocols such as SAML or OAuth and assigning users and roles.
App Registrations, on the other hand, are used when developing a custom application that needs to be connected to Entra ID. An App Registration generates a unique Application ID that serves as the identifier for the application. This registration allows the application to communicate with Entra ID’s authentication services. Developers are provided with a framework through the App Registration to use APIs and define permissions for their applications. The App Registration thus serves as the foundation for implementing security protocols such as OpenID Connect or OAuth 2.0, which manage user authentication through Entra ID.
The main difference between the two concepts is that Enterprise Applications are used to manage access and permissions for end-users on existing applications, while App Registrations are designed for integrating and managing custom-developed applications. The App Registration represents the developer’s part of the integration, while the Enterprise Application manages user access and authorization within the tenant. Both concepts work closely together, as each App Registration automatically generates a corresponding Enterprise Application to support user access management.
Example
For example, if a company wants to use the Dropbox for Business service in its tenant, it is integrated as an Enterprise Application. The administrator configures the access, manages the permissions for the users, and sets up SSO. However, if the company develops its own time-tracking software that also needs to be connected to Entra ID, an App Registration is created for this purpose. This allows the application to handle user authentication through Entra ID without the need to develop additional authentication mechanisms within the application. This way, the App Registration complements the Enterprise Application by providing a clear separation between end-user management and application development.
Security Aspects of Using Certificates and Secrets in App Registrations
In the Entra ID Integration via App Registrations, managing certificates and secrets plays a central role. Both mechanisms serve the purpose of authenticating services and APIs to ensure trustworthy communication.
Secrets
Client secrets are plain-text strings and are therefore easy to compromise, for example through accidental sharing. They are used in combination with the Client ID and Tenant ID to access APIs such as Microsoft Graph.
Certificates
Certificates are a more secure alternative to secrets. They require managing a private key and are harder to handle, but they offer a higher level of security. Certificates are typically stored in secure environments such as Azure Key Vault.
Federated Credentials
In addition to these traditional methods, the Entra ID Integration also offers Federated Credentials. DevOps pipelines like GitHub Actions and Azure DevOps use this method to replace secrets and certificates with a trust relationship between the application and the OpenID Connect (OIDC) provider. It reduces the need for regular secret updates and eliminates the risk of expiring certificates or secrets.
Nuances of Configuring App Registrations and Enterprise Applications
A commonly misunderstood aspect of using App Registrations and Enterprise Applications in the Entra ID Integration lies in the granular configuration options of both concepts. An App Registration forms the technical definition of an application, but the configuration work extends well beyond that definition.
Authentication Mechanisms and Permissions
Administrators must decide which authentication mechanisms (e.g., SAML, OAuth) and permissions to use. For multi-tenant applications that provide access to multiple organizations, this decision is particularly important.
Security and Management
App registrations offer various authentication methods, such as OAuth 2.0 and OpenID Connect, and the use of certificates or secrets. Certificates are more secure as they are harder to compromise and are often managed in secure storage locations like Azure Key Vault.
Example: OAuth 2.0 Client Credentials
A typical example is the use of OAuth 2.0 Client Credentials in automated processes without user interaction. Applications can access resources without a user being actively logged in, ideal for background processes such as user data synchronization.
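The following is an added example, not code from the article: it builds the form body of an OAuth 2.0 client credentials request to the Entra ID v2.0 token endpoint, accepting either a client secret or a certificate-signed client assertion, and reads the application permissions out of the resulting app-only token. The tenant and client IDs are constructed placeholders, and the sample token is unsigned and constructed for demonstration.

```python
import base64
import json
from typing import Optional

# Constructed sample identifiers; they do not belong to a real tenant or app.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def token_endpoint(tenant_id: str) -> str:
    """v2.0 token endpoint of the tenant that holds the app registration."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def client_credentials_form(client_id: str, scope: str, client_secret: Optional[str] = None,
                            client_assertion: Optional[str] = None) -> dict:
    """Form fields of a client credentials request. Exactly one credential is used:
    a client secret, or a JWT assertion signed with the app's certificate."""
    if (client_secret is None) == (client_assertion is None):
        raise ValueError("provide exactly one of client_secret or client_assertion")
    if not scope.endswith("/.default"):  # v2.0 only accepts the resource's /.default scope here
        raise ValueError("client credentials requires a '/.default' scope")
    form = {"grant_type": "client_credentials", "client_id": client_id, "scope": scope}
    if client_secret is not None:
        form["client_secret"] = client_secret
    else:
        form["client_assertion_type"] = JWT_BEARER
        form["client_assertion"] = client_assertion
    return form


def app_roles(access_token: str) -> list:
    """Application permissions ('roles') in an app-only token. Without a signed-in
    user there is no 'scp' claim. The signature is NOT verified here; the resource
    API must validate it before trusting any claim."""
    payload = access_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if "scp" in claims:
        raise ValueError("delegated token (has 'scp'), not an app-only token")
    return claims.get("roles", [])


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed, unsigned sample token (header.payload.) used only for demonstration.
SAMPLE_APP_TOKEN = _b64url({"alg": "none"}) + "." + _b64url(
    {"aud": "https://graph.microsoft.com", "appid": CLIENT_ID, "roles": ["User.Read.All"]}) + "."
```

The returned form dictionary is what a client would URL-encode and POST to `token_endpoint(TENANT_ID)`; a resource API protecting background jobs should authorize on `roles`, since no user and no `scp` claim is present.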
Enterprise Applications and Service Principals
Enterprise Applications focus on managing the Service Principals that exist in each tenant as an instance of the underlying app registration. This management includes assigning users and groups and configuring permissions.
Multi-Tenant Environments
In multi-tenant environments, an Enterprise Application can exist in multiple tenants, while the app registration is centrally managed in one tenant. Admin consent flows allow precise control over access rights.
Federated Credentials
Federated credentials are a secure authentication method that directly integrates OIDC providers such as GitHub Actions. This method is especially useful in DevOps environments because it allows secure automated deployments without expiring credentials.
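To make the trust relationship described in the two Federated Credentials sections concrete, here is an added example (not the article's code) that models the issuer/subject/audience triple stored on a federated identity credential and checks an external OIDC token's claims against it the way the exchange does in its standard exact-match configuration. The GitHub Actions issuer, subject formats and the `api://AzureADTokenExchange` audience are the documented values; the organisation and repository names and the sample claims are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Default audience Entra ID expects in tokens presented for federated credential exchange.
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class FederatedCredential:
    """The three fields stored on a federated identity credential of an app registration."""
    issuer: str
    subject: str
    audiences: tuple = (TOKEN_EXCHANGE_AUDIENCE,)


def matches(cred: FederatedCredential, claims: dict) -> bool:
    """Exact match of the external token's iss/sub against one credential, plus an
    audience match. The claims are assumed to come from a token whose signature was
    already verified against the issuer's published keys (Entra ID does this itself)."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == cred.issuer
            and claims.get("sub") == cred.subject
            and any(a in cred.audiences for a in auds))


def select_credential(creds: Sequence[FederatedCredential], claims: dict) -> Optional[FederatedCredential]:
    """Return the credential that authorises this token, or None (exchange refused)."""
    return next((c for c in creds if matches(c, claims)), None)


def github_subject(repo: str, branch: Optional[str] = None, environment: Optional[str] = None) -> str:
    """GitHub Actions OIDC 'sub' formats: scoped to a branch ref or to a deployment environment."""
    if (branch is None) == (environment is None):
        raise ValueError("scope the subject to exactly one of branch or environment")
    if branch is not None:
        return f"repo:{repo}:ref:refs/heads/{branch}"
    return f"repo:{repo}:environment:{environment}"


# Constructed: a credential that only trusts workflow runs on the main branch of one
# repository (placeholder organisation and repository names).
MAIN_BRANCH_CRED = FederatedCredential(GITHUB_ISSUER, github_subject("example-org/deploy-repo", branch="main"))

# Constructed sample claims as GitHub would issue them for three different workflow runs.
MAIN_RUN = {"iss": GITHUB_ISSUER, "sub": "repo:example-org/deploy-repo:ref:refs/heads/main",
            "aud": TOKEN_EXCHANGE_AUDIENCE}
FEATURE_RUN = {**MAIN_RUN, "sub": "repo:example-org/deploy-repo:ref:refs/heads/feature-x"}
PR_RUN = {**MAIN_RUN, "sub": "repo:example-org/deploy-repo:pull_request"}
```

Because the subject is matched exactly, a credential scoped to `main` refuses tokens from feature branches and pull-request runs; scoping the subject to a branch or environment rather than the whole repository is what keeps the trust relationship narrow.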
Manifest File
The manifest file of an app registration contains all of its configuration information and allows changes to be made directly in its JSON structure. This provides flexibility and control, especially in complex multi-tenant scenarios.
App registrations and Enterprise Applications should not be viewed in isolation. Their interplay forms the foundation for secure and efficient management of applications in the Entra ID Integration.
Conclusion
The Entra ID integration of applications and user groups enables companies to centrally and efficiently manage user access. Features such as Single Sign-On (SSO) and modern authentication protocols like SAML and OAuth enhance security and reduce administrative effort.
The distinction between App Registrations and Enterprise Applications illustrates the clear separation of development and management tasks, which supports both developers and administrators.
By using modern security methods such as certificates or federated credentials, the IT infrastructure becomes more flexible and future-proof.
FirstAttribute AG – Identity Management & IAM Cloud Services