Domain 3 of 4 · Chapter 2 of 4

Enterprise Applications

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Identity and Access Administrator Associate premium course — no separate purchase.

Included in this chapter:

  • Enterprise app vs app registration: two objects
  • Single sign-on: choosing among five modes
  • Application Proxy for on-premises web apps
  • Assignment, app roles, and provisioning
  • Consent, collections, and exam patterns

Choosing an SSO mode for an enterprise application

SSO modeSAML-basedOIDC / OAuthPassword-basedLinked
How Entra signs inFederation: SAML 2.0/WS-Fed assertionFederation: OpenID Connect on OAuth 2.0Replays stored username/password into the app formNo sign-in; just a launch tile
Fits which appApp supports SAML/WS-FedApp registered for OIDC (often via App registrations)Legacy app with only a sign-in formApp whose SSO is configured elsewhere or being migrated
Conditional Access / MFAYesYesYes (Entra handles the front-door auth)No, Entra performs no SSO
Credential managementNo app password neededNo app password neededEntra stores and supplies the passwordN/A
Typical use caseModern gallery SaaSModern OAuth/OIDC apps and APIsForm-fill for apps without federationBookmark during a migration

Decision tree

Where is the app hosted?on-premises vs cloud (SaaS)Application Proxyoutbound connector, no inbound portsApp supports federation?SAML / WS-Fed / OIDCSAML or OIDC?how app federatesSAML-based SSOSAML 2.0 / WS-FedOIDC / OAuth SSOOpenID ConnectPassword-basedform replay; orLinked (migration,no CA/MFA)On-premises webCloud / SaaSYesNoSAMLOIDC

Cheat sheet

  • The enterprise application is the service principal, not the app's definition
  • Deleting the enterprise app removes only your tenant's instance
  • Prefer SAML or OIDC federation for SSO whenever the app supports it
  • App registered via App registrations is already OIDC and hides the SSO blade
  • Password-based SSO replays a stored credential for legacy form apps
  • Linked SSO is just a launch tile, so Conditional Access cannot apply
  • Application Proxy opens no inbound ports; the connector dials outbound only
  • Application Proxy is for remote users, not internal corporate-network users
  • App Proxy backend SSO uses KCD, headers, SAML, or password by app type
  • App Proxy pre-authentication is what enables Conditional Access
  • Assignment required Yes limits an app to assigned users only
  • Group-based app assignment needs P1/P2 and does not cascade to nested groups
  • App roles ride in the token roles claim; absent role means Default Access
  • Cloud App Admin or App Admin (or SP owner) assigns users to enterprise apps
  • User consent acts for one user; admin consent acts for the whole org
  • Three user consent settings: disable, verified-publisher, or allow all
  • Enable the admin consent workflow so blocked users can request approval
  • Admin consent for privileged permissions needs Privileged Role Admin or Global Admin
  • Application collections organize the My Apps launcher but grant no access
  • App provisioning (SCIM) auto-creates and deactivates accounts in the SaaS app
  • Classify permissions as Low impact to let users consent under the verified-publisher setting
  • Know the SCIM provisioning lifecycle: on-demand, soft-delete on unassign, four-week quarantine
  • Pick the Delegated Login Identity that matches the backend's on-prem identity format
  • Blocking an admin consent request creates a disabled service principal
  • Scope app management to one app with ownership or an app-scoped role assignment
  • My Apps visibility is separate from whether a user can sign in

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. What is application management in Microsoft Entra ID?
  2. What is single sign-on in Microsoft Entra ID?
  3. Publish on-premises apps with Microsoft Entra application proxy
  4. Assign users and groups to an application
  5. Overview of user and admin consent
  6. Publisher verification overview
  7. Application consent management and evaluation of consent requests
  8. End-user experiences for applications (My Apps, collections)