Assigning/Removing users
To manage application access to users, proceed with the following steps:
-
Click USERS under the application in the Azure management portal.
Important note If you have enabled the Basic or the Premium editions of Azure AD, click USERS AND GROUPS instead. For more information, see the Microsoft TechNet article Azure Active Directory Editions199.
Users can be created directly on Azure AD or originated from the on-premises AD that is synced to Azure AD. (See section § Synchronizing your directory with Active Directory on-premises earlier in this document.)
-
Select the right users and use the ASSIGN button at the bottom to grant access. (Conversely, use the REMOVE ASSIGNMENT button to remove access).
Important note If you have enabled the Azure Active Directory Premium, next to SHOW, select All Users in the drop-down list.
Then click the check mark icon. You can then proceed as instructed is step 2.
Note With a pre-integrated SaaS application configured with password single sign-on, such as the Skype application hereafter, you can directly configure the user’s credentials (username and password) for this application. For that purpose, select I want to enter Skype credentials on behalf the user while enabling access (or through the EDIT ACCOUNT button after the access has been enabled).
If you choose not to do this, the user will need (and be able) to enter their own credential through the Azure AD Access Panel. The users can only see in the Access Panel the applications the administrator has granted them access.
Note The above capability can be leveraged for shared organization’s accounts to be used with some pre-integrated SaaS applications. In such a context, and more specifically for the pre-integrated Facebook, Twitter, and LinkedIn applications, you will have the ability to enable an automatic password rollover. For that purpose, select in addition I want to enable an automatic password rollover.
After clicking the check mark icon, you will be then provided with the ability to configure the password rollover.
You can select the frequency at which Azure AD will sign into the application and rollover the password for the provided account. During each rollover, the password is updated using a randomly-generated 16-character strong password.
For more information, see the blog posts Azure Active Directory's support for managing shared company accounts for Twitter, Facebook and more200 and Azure AD automated password roll-over for Facebook, Twitter and LinkedIn now in preview!201.
A browser based end-user Azure AD Access Panel, My Apps mobile applications, or Azure AD single sign-on links make it easy for users to find and then launch with a single sign-on experience applications that are assigned to them (See section § Empowering users later in this document).
Using groups to control access
A group is a collection of users and groups that can be managed as a single unit. Users and groups that belong to a particular group are referred to as group members.
As with Active Directory on-premises, using groups in Azure AD can simplify administration by assigning a common set of permissions and rights to many accounts at once, rather than assigning permissions and rights to each account individually. Groups can be created directly on Azure AD or originated from the on-premises AD that is synced to Azure AD. (See section § Synchronizing your directory with Active Directory on-premises earlier in this document.)
Note For more information, see the article Managing access to resources with Azure Active Directory groups202.
To use groups in lieu of users to control access to SaaS applications, proceed with the following steps:
-
Click USERS AND GROUPS under the application in the Azure management portal.
Important note This feature is only available when you enable Azure Active Directory Premium. For more information, see the Microsoft TechNet article Azure Active Directory Editions203.
-
Next to SHOW, select Groups in the drop-down list. Next to STARTING WITH, optionally specify the first characters of the name of the group, and, then click the check mark icon.
-
Select the right groups and use the ASSIGN button at the bottom to grant access. (Conversely, use the REMOVE ASSIGNMENT button to remove access). A confirmation dialog brings up at the tray in the bottom.
-
Click YES to confirm the operation.
Share with your friends: |