Create Microsoft Azure Bot and Integrate with Microsoft Teams

As organizations move towards the modern workplace model, a lot of effort goes into reducing first-level support tasks. One preferred and feasible solution is a self-service knowledge base through which end users can try to resolve their issues on their own before contacting the IT team. API integrations with bots can further reduce recurring first-level tasks. Many organizations are meeting these requirements with the Microsoft Bot Framework and improving their operational excellence.

In this article we will focus on how to create a bot in Azure and integrate it with Microsoft Teams.

In summary, a bot is usually built from three concepts: dialogs, channels and state. In my view, dialogs play the fundamental role in the Bot Framework. Dialogs are organized in a natural sequence: depending on the input from the user, the bot can respond, skip to the next answer or even loop back. In the back end, the program is configured to respond to the dialogs in a consecutive manner. Currently the underlying solution can be written in C#, Node.js or against the REST API.

Channels are the medium through which a user communicates with the bot. At the moment there are more than 15 channels that can be integrated with Azure Bots. There is also an option to run the bot from our own client application using Direct Line as the channel.

The Bot State service stores and retrieves state data associated with a user, a conversation or a specific user within a conversation. The former two concepts depend fully on this data, and the state service acts as their database.

Bot Builder is the SDK, available for C#, Node.js or the REST API. Bot Service is used to build, develop and test the bots and finally deploy them on Azure.

To create a bot, log in to the Azure portal, look for Bot Service and create a Web App Bot. We need a Web App Bot because a bot is basically a web service exposed through a REST API.

Choose Web App Bot and create it.

Now we can create the web app bot; provide it a name.

Choose the language. In this example Node.js has been chosen.

Provide all the basic required information. It is strongly recommended to turn on Application Insights, which provides statistics on the Bot Service utilization. This utilization report will be needed at a later stage to measure how useful the service is. We can select the option to auto-create the app ID and password. After this we are done with creating the Azure bot.

We also see something called LUIS App Location. Microsoft uses LUIS (Language Understanding Intelligent Service), an AI service used to build natural language understanding into apps, bots and IoT devices. It lets the bot learn from end-user queries and subsequently improve without manual intervention.

Once validation is successful we can go ahead and create the bot.

The bot has been created; now we need to plan, build, test and publish it. There are many ways to create and publish bots.

Here I have followed this Microsoft article, and it is straightforward to create your bot and get it up and running with JavaScript.

Once the above is completed we need to deploy the bot in Azure. We can follow the steps in this Microsoft article. There are also plenty of articles on the internet for getting a first bot up and running. Here is one example.

Below is an example of a hello world bot. This bot responds with hello world to all user input. The Node.js code and package.json below can also be used to create the first bot. All the prerequisites must be present on the local PC: Visual Studio, Node.js modules and the Bot Builder modules. The Microsoft article linked previously covers all the prerequisites and readiness.

Create the package.json; below is the one used for the hello world bot.

Install the modules from the Node.js command prompt.

Create index.js; below is the index.js for the hello world bot.

Once everything is done we can start the bot.

Later we can use the same steps mentioned in the Microsoft article to publish it on Azure Bots.

Having followed the above article with the prerequisites, we can test our bot in Web Chat.

Once tested, we navigate to the Channels tab, where we have the option to integrate our bot with more than 15 channels. Only Web Chat is enabled by default.

Here we will focus on integrating our bot with Teams.

After we click on Microsoft Teams, we get the options below. In our case it will be only the messaging channel, since the bot used here for testing is a 1:1 messaging bot.

We need to agree to the terms of service.

We can see Teams added to our channels.

It is time to test our bot in Teams. To test it in Teams we need to take the app ID from the settings page of the bot.

Once we search for the app ID in Teams we can see the bot as a contact in Microsoft Teams and interact with it.

Finally, the bot is up and running and integrated with Teams. The next step is to create an app package for this bot and publish it in Teams. In the next article we will look at how to create a custom app package and publish it on Microsoft Teams.

Thanks

Sathish Veerapandian

Plan and configure Azure Information Protection

Corporate data leakage and the loss of critical confidential information are often attributed to employee negligence. These days corporate services are available to end users from anywhere, which makes employees more productive and able to work from anywhere. On the flip side, if no security is enforced, a sales officer might, for instance, leave a confidential customer list on a shared computer in a public place. It is very important for employers to classify, label and protect their electronic data based on their business models.

Using Microsoft Azure Information Protection augments and shields all Office 365 and Azure workloads. We have the option to enforce classification or to let users classify on their own. This article focuses on enabling Azure Information Protection on Office 365 workloads.

Classify the data based on the Business:

Applying protection to documents depends entirely on the business model. It varies with every business deliverable and needs to be identified and defined in the first place. This is the starting point for classifying documents. It is better to involve every team in this initial phase and gather the sensitive data that is transmitted electronically. The security team plays a key role at this point, since they will already have a data classification based on current business operations.

Identify the target Users:

Based on the cataloguing of the documents, we now need to create labels that will identify sensitive documents in transit. Protection can be enforced if the user has an Office 365 E5 license, or we can recommend classifying the document if the user has an Office 365 E3 license.

We can categorize users based on their daily chores; this matters because licensing plays a key role in this decision. For instance, there is little concern about enforcing Azure Information Protection policies on a receptionist account; instead, classifying documents based on keywords can be recommended. In a real scenario, operators of critical documents such as finance, procurement, HR and key persons can go with the E5 license and the rest with E3 licenses.

Decide your tenant key:

By default, Microsoft manages the tenant key, which is the root key for the entire organization.

This key provides cryptographic security to all objects associated with the domain, from users and computers to protected documents. If the organization has no issue with Microsoft holding the tenant key, we can go with this approach. Microsoft recycles the tenant key automatically to ensure security.

If there are regulatory requirements, there is an additional option called BYOK (bring your own key). Here we use Azure Key Vault and have two options: either create the key directly in Azure Key Vault, or create the key on-premises, export it and import it into the key vault.

Deploy the Azure Information Protection Client for Targeted Users:

To use Azure Information Protection, end users must have the client installed on their PCs, including the Outlook add-in, and must be logged in with their Azure AD synced account. So ensure that the client is installed on the targeted users' PCs through group policy. The Azure Information Protection client is free and carries no license cost.

Enable Protection activation:

Ensure protection activation is enabled.

Navigate to Azure Information Protection – Protection activation – Ensure it is activated.

Create the labels:

Once the important document types have been gathered from the different business units, it is better to create the labels based on keywords. In the examples below we have created three document categories: A, B and C.

To create a label: log in to the Azure portal – click on Azure Information Protection – navigate to Labels and create a label.

Now we have the following protection options:

Not configured – Go with this option only if we need to preserve documents with previously created labels.

Protect – We are enforcing AIP and going with this newly created label.

Remove protection – Select this option to remove protection if a document or email is protected.

We have other options to enforce on the document, such as visual marking, footer text and footer font name.

When we select Protect we need to select our key, with two options:

Azure Cloud Key – Managed by Microsoft.

HYOK – Key generated from the on-premises certificate authority.

The permissions need to be selected based on our requirements.

Co-owner – Full access.

Co-author – Editorial access.

Reviewer – Editor without change rights.

Viewer – Only view access.

Custom – We can create permissions on our own.

Set the file content expiration, which expires the file after the specified period. The file travels with the permissions enforced from Azure.

User Defined Permissions:

This option lets users specify who should be granted which permissions. It can be given to end users to enforce in Outlook, Word, Excel, PowerPoint and File Explorer.

Now we have an option to target users by group and apply this label. However, the best viable option is to create classification policies and add the labels to them.

Create Classification policies:

There are default classification policies and templates that can be used for protecting documents, but it is always recommended to study the business requirements and create the classification policies based on them.

We need to navigate to the Azure Information Protection policy, target users and add this label.

In the example below we have created a policy for one region with targeted users.

The created labels can be added here.

Additionally, there is an option to select the default label assigned to these users. There are other significant options which need to be chosen based on the corporate requirements.

Client behavior:

After the policy is targeted, users will see the document categories available from the Azure Information Protection policy applied to them.

Once the client is installed on both the sender and recipient side, both are authenticated and a document is shared, we can see the category based on the classification.

When the end user is not enforced but tries to save credit card information in a Word document, a suggestion is triggered by AIP.

When end users receive a protected document, they can see their permission level.

This is only the internal user experience. The external user experience is totally different: they receive a welcome email notifying them that they have received a protected message. When they click on the link, they can log in with a one-time passcode sent in a separate email, or with Gmail credentials.

To conclude, Azure Information Protection is a remarkable offering from Microsoft which must be implemented after several iterations and careful planning. It is also a continuous process: policies must be revisited and updated regularly in line with local regulatory and business changes. Moreover, stringent policies should not be applied without proper evaluation, since they can disrupt normal business operations. This is just an overview of Azure Information Protection; there are many more features to explore and implement in any environment after vigilant planning.

Thanks & Regards

Sathish Veerapandian

Office 365 – Configure OneDrive for Business file retention policy

It is always better to configure retention for Office 365 workloads to ensure that data is available as per the company's legal requirements. Usually we pay more attention to email data, and retention policies are applied to all mailboxes; however, we might miss configuring retention on other workloads.

In this article we focus on the options available to retain data in the OneDrive for Business personal files of Office 365 users.

Essentially there are two levels of retention policy available for OneDrive for Business. We will look at how to configure them and how to grant permission to a delegated assignee when they need to access the retained data of a terminated employee.

User Level Retention:

To illustrate: if a user resigns, we remove the license and delete the synchronized AD account. If we need to keep the deleted user's OneDrive personal site around for 5 years, we can configure the retention setting in the OneDrive admin center.

The maximum retention value is 10 years; in the example below we set it to 2 years from the OneDrive admin center.

There is a small caveat in relying only on this retention policy, because it applies only when synchronized users are deleted and their licenses removed. There is a good chance that a resigning employee could delete the required confidential data from the original location and from both stages of the recycle bin before leaving the organization.

File Level Retention:

To mitigate the above behaviour, we can configure a new retention policy from the Security and Compliance Center only for OneDrive for Business files. As of now we have the option to create a retention policy based on file creation date or last modified date.

Navigate to:
Security and Compliance -> Data governance -> Retention -> Create new policy

Create a retention policy by selecting "When it was created".

With this selection we decide to retain all newly created files for 5 years. With this setting the new files can be preserved for up to 10 years.

For the location we choose only OneDrive, because in our case we are targeting only OneDrive file-level retention.

Review and create the policy.

In the same way, create a file-level retention policy based on file modification date.

Once the above policies are created, files will be retained for 5 years based on their created date and modified date.

Where do these files get stored?

Based on the above configuration, files that have been modified or newly created will be preserved for 5 years.
During this interval, if a file in scope is deleted, the deletion succeeds but a copy of the file is kept in the Preservation Hold library, which only the owner of the folders and admins can access. After 5 years these files are permanently purged.

The Preservation Hold library can be accessed by navigating to the URL below:

https://domainname-my.sharepoint.com/personal/username_domain_com/_layouts/15/viewlsts.aspx

Once the above URL is accessed we get access to the Preservation Hold library.

Below are the recovery options available when choosing a required file.

If by chance the admin tries to delete these files from the Preservation Hold library, it will not succeed and will throw the error below.

We also need to note that all files which are deleted and retained in the Preservation Hold library consume the end user's OneDrive quota, which we need to think about only for E1 licensed users who have maxed out their quota.

Transferring ownership of an old resigned employee's files:

If we need to transfer access to a different user for a user who resigned long ago and whose files are retained by the retention policy, there are multiple ways of doing this; however, the example below shows only how to perform this via PowerShell.

Connect to SPO:

Connect-SPOService -Url https://tenantname.sharepoint.com

Restore the deleted personal site of the resigned user:

Restore-SPODeletedSite -Identity https://tenantname-my.sharepoint.com/personal/username_domain_com

Grant the requesting user access to the restored site by specifying their login name:

Set-SPOUser -Site https://tenantname-my.sharepoint.com/personal/username_domain_com -LoginName username@domain.com -IsSiteCollectionAdmin $True
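The three commands above can be wrapped so that the restore only runs when the personal site is actually in the deleted-sites list and the delegate grant is verified afterwards. This is an added example, not the article's own script; it assumes Connect-SPOService has already been run for the tenant, and the function name and the sample URL and login are my own placeholders.

```powershell
function Grant-RetainedOneDriveAccess {
    <#
      Added example (not from the article): restores a resigned user's personal site only if it is
      in the deleted-sites list, then grants a delegate site collection admin and verifies the grant.
      Assumes an existing Connect-SPOService session.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string] $SiteUrl,        # e.g. https://tenantname-my.sharepoint.com/personal/username_domain_com

        [Parameter(Mandatory = $true)]
        [string] $DelegateLogin   # e.g. manager@domain.com (placeholder value)
    )

    $deleted = Get-SPODeletedSite -Identity $SiteUrl -ErrorAction SilentlyContinue
    if ($deleted) {
        Write-Output "Personal site is in the deleted-sites list; restoring $SiteUrl"
        Restore-SPODeletedSite -Identity $SiteUrl
    }
    else {
        # Not in the deleted list: either still active or already purged.
        # Get-SPOSite throws if the site no longer exists, which stops us here.
        $null = Get-SPOSite -Identity $SiteUrl -ErrorAction Stop
        Write-Output "Personal site $SiteUrl is active; no restore needed"
    }

    Set-SPOUser -Site $SiteUrl -LoginName $DelegateLogin -IsSiteCollectionAdmin $true | Out-Null

    # Confirm the grant rather than assuming it succeeded
    $delegate = Get-SPOUser -Site $SiteUrl -LoginName $DelegateLogin
    if (-not $delegate.IsSiteAdmin) {
        throw "Failed to grant site collection admin on $SiteUrl to $DelegateLogin"
    }
    Write-Output "$DelegateLogin is now a site collection admin of $SiteUrl"
    return $delegate
}

# Usage (placeholder values):
# Grant-RetainedOneDriveAccess -SiteUrl 'https://tenantname-my.sharepoint.com/personal/username_domain_com' -DelegateLogin 'manager@domain.com'
```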

Thanks & Regards

Sathish Veerapandian

Microsoft Forms error – Sorry, something went wrong

Recently, while accessing Microsoft Forms, users were getting the error "Sorry, something went wrong".

The issue was reported by all users, even though they had the required licenses assigned.

Forms was enabled for the affected users.

Solution:

We have to enable the CollabDB service from the Azure portal, which is required for Microsoft Forms.

Navigate to Azure Portal – Access Azure Active Directory – Select Enterprise Applications – Search for CollabDb Service

Navigate to Properties and ensure "Enabled for users to sign-in" is turned on.

Once the sign-in option was enabled in the Azure portal, the issue was fixed.

Teams upgrade – Important points to consider before Teams Only mode

Microsoft is investing in and focusing on Teams as the collaboration platform, and Skype for Business has become volatile. Every day new features and enhancements are on the way for Microsoft Teams. Moreover, Microsoft has made all the requirements and materials available for the transition from Skype for Business to Microsoft Teams, which makes it much simpler for any customer to move completely to Teams Only mode.

Comparing the roadmap improvements in Microsoft Teams, the features have been enhanced and loads of new functionality is added very often. Currently the default configuration for all tenants is Islands mode, which lets users communicate on both Microsoft Teams and Skype for Business. This can confuse end users about which platform to use for their daily activities, since they are given two options.

This article focuses on the readiness of the environment before we completely migrate to Teams Only mode.

Skype for Business Interop Mode Removed:

Six months ago we had the Skype for Business interop mode, which helped Teams users communicate with Skype for Business users: Teams chats were shown in Skype for Business for users who did not have Teams. This option has been removed, and Teams Only mode has been added to the coexistence modes.

As of now there are 3 options available for all Office 365 tenants:

When we run the command Get-CsTeamsUpgradePolicy we get additional options.

When talking about the transition mode, only the 3 options below are feasible for most organizations.

Islands Mode:

As the name indicates, this is a big warning sign. An island is a temporary place where we can stay only for some time, not somewhere to settle down for a long period. In this mode the user experience is completely different: there is no interconnection between Skype for Business and Microsoft Teams, and they work as independent systems.

The only workflows in Islands mode:

Teams Communication – Teams Communication

Skype Communication – Skype Communication

Teams Only Mode:

In this mode we enforce that all users use only Microsoft Teams, meaning no user will be able to log in to Skype for Business even if they have the client installed on their PC from the Office 365 ProPlus package. However, users in Skype for Business Only mode can still reach Teams Only users, and Teams Only users can reply to Skype users. We need to note, though, that a new conversation cannot be initiated by a Teams Only user to a user in Islands or Skype for Business Only mode.

The only workflows in Teams Only mode:

SFB user sends to Teams user – Message is received in Teams.

Teams user responds to SFB user – Message will be received in Teams only for the SFB user.

Teams user tries to establish a new chat with SFB user – Will not succeed.

Also, note that only limited functionality works between a Teams user and an SFB user in this mode. For instance, an SFB user cannot share a remote desktop with a user in Teams Only mode.

Skype only Mode:

Only the Skype client, no matter where the IM is initiated.

Note: In all modes, as of now, meetings are accessible across platforms.

Be ready for this change; target pilot users first:

Before we make this transition it is very important to understand how end users currently use the collaboration platform. For instance, a marketing head might be more comfortable with Skype for Business and never have had a chance to explore Microsoft Teams. There might be a heavy dependency on Enterprise Voice integration with Skype for Business which needs to be considered before making this change. It is always better to choose a few pilot users first.

If we are planning the Teams transition, it is better to move users slowly to Teams Only mode based on their current dependency on Skype for Business. It is better to identify a few pilot users in each department and transition them gradually to Teams Only mode.

After identifying capable team leaders in every department, it is better to switch them to Teams Only mode first.

The actions below need to be verified:

1. Verify that you have the Skype Online Connector module installed.

Get-Module -ListAvailable | Where-Object {$_.Name -eq "SkypeOnlineConnector"}

If you do not have it, download and install the Skype Online Connector.

2. Connect to the Skype Online Connector.

Import the Skype Online Connector and create the session:

Import-Module SkypeOnlineConnector
$session = New-CsOnlineSession
Import-PSSession $session

3. Collect the current list of users in Islands mode.

By default, all users will be in Islands mode. However, it is better to collect the list and prepare users for Teams Only mode in phases.

Get-CsOnlineUser | Select-Object DisplayName, UserPrincipalName, Department, Company, Office, TeamsUpgradeEffectiveMode, TeamsUpgradeNotificationsEnabled, TeamsUpgradePolicyIsReadOnly, TeamsUpgradePolicy | Export-Csv C:\Temp\IslandMode -NoTypeInformation

4. Collect the pilot users and enable them in Teams Only mode. Have a CSV file with only the UserPrincipalName column.

# Read the pilot UPNs, show their current mode, then grant the Teams Only policy
$Teams = Import-Csv C:\temp\Teamsonlypilot.csv | ForEach-Object { $_.UserPrincipalName }
$Teams | ForEach-Object { Get-CsOnlineUser -Identity $_ } | Format-List DisplayName, TeamsUpgradeEffectiveMode, TeamsUpgradeNotificationsEnabled, TeamsUpgradePolicyIsReadOnly, TeamsUpgradePolicy
$Teams | ForEach-Object { Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity $_ }

After updating the users we get the confirmation below stating that they will only be on Teams and can no longer use Skype for Business.

We can also switch a single user using the following option in the GUI

or with the one-line command:

Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity username@domain.com
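The pilot steps above (collect the CSV, show the current mode, grant the policy) can be combined into one function that supports a dry run, skips users who are already in Teams Only mode or whose policy is read-only, and writes a before/after report. This is an added example rather than the article's own script; it assumes the Skype Online Connector session from step 2 is already open and a CSV with a UserPrincipalName column, and the function name and report path are my own.

```powershell
function Invoke-TeamsOnlyPilot {
    <#
      Added example (not from the article). Reads pilot users from a CSV, records their
      TeamsUpgradeEffectiveMode before and after, and writes a report to -ReportPath.
      Without -Commit nothing is changed: the function only reports what it would do.
      Assumes Import-Module SkypeOnlineConnector / New-CsOnlineSession has already run.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string] $CsvPath,
        [string] $ReportPath = 'C:\Temp\TeamsOnlyPilot-report.csv',   # assumed path
        [switch] $Commit
    )

    # Normalise the input: drop blank rows, trim whitespace, de-duplicate
    $targets = Import-Csv -Path $CsvPath |
        ForEach-Object { $_.UserPrincipalName } |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
        ForEach-Object { $_.Trim() } |
        Sort-Object -Unique

    $report = foreach ($upn in $targets) {
        $user = Get-CsOnlineUser -Identity $upn -ErrorAction SilentlyContinue
        if (-not $user) {
            [pscustomobject]@{ UserPrincipalName = $upn; ModeBefore = ''; Action = 'skipped: user not found'; ModeAfter = '' }
            continue
        }

        $before = [string]$user.TeamsUpgradeEffectiveMode
        if ($before -eq 'TeamsOnly') {
            $action = 'skipped: already TeamsOnly'
        }
        elseif ($user.TeamsUpgradePolicyIsReadOnly) {
            $action = 'skipped: policy is read-only'
        }
        elseif ($Commit) {
            Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity $upn
            $action = 'granted UpgradeToTeams'
        }
        else {
            $action = 'dry run: would grant UpgradeToTeams'
        }

        # Re-read so the report shows the effective mode after the change (unchanged on a dry run)
        $after = [string](Get-CsOnlineUser -Identity $upn).TeamsUpgradeEffectiveMode
        [pscustomobject]@{ UserPrincipalName = $upn; ModeBefore = $before; Action = $action; ModeAfter = $after }
    }

    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    return $report
}

# Dry run first, then commit once the report looks right:
# Invoke-TeamsOnlyPilot -CsvPath C:\temp\Teamsonlypilot.csv | Format-Table
# Invoke-TeamsOnlyPilot -CsvPath C:\temp\Teamsonlypilot.csv -Commit | Format-Table
```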

5. Notify users that the Teams upgrade is available to them.

We can enable this option for end users a couple of days before upgrading.

6. Restrict Teams live event policies.

By default Teams has a global policy for live events which applies to all users in the organization, and this needs to be restricted.

Create a new policy that does not allow creating live events and assign the policy to all users.

New-CsTeamsMeetingBroadcastPolicy -Identity DisabledBroadcastSchedulingPolicy
Set-CsTeamsMeetingBroadcastPolicy -Identity DisabledBroadcastSchedulingPolicy -AllowBroadcastScheduling $false
Grant-CsTeamsMeetingBroadcastPolicy -Identity {user} -PolicyName DisabledBroadcastSchedulingPolicy -Verbose


7. Push and install the Teams desktop client for the targeted users.

By default Teams is not included in the ProPlus package as of now. Microsoft has recently announced that Teams will be added to the ProPlus package in the future roadmap, as per this article.

Until we get it as a bundle we have the option:

Download the Teams app in the background.

This option only downloads the Teams app in the background for users in Teams Only mode.

However, it does not install the app, so we need to install it on all users' PCs via group policy or SCCM. There is an excellent article by Paul Cunningham on pushing it via GPO.

Important notes:

  1. Before making these changes, educate the L1 support team to address end user queries.
  2. We can make use of the Microsoft Teams customer adoption success kit.
  3. If there is any PSTN integration with Skype for Business Online, these factors need to be planned before phasing out Skype for Business Online, until they are transferred completely to Microsoft Teams.

Thanks & Regards

Sathish Veerapandian

Delegate resetting Azure MFA to the helpdesk through an Azure Automation runbook and Microsoft Flow

When a user with MFA enabled loses their mobile phone, they cannot log in to new devices, or to old devices where the token lifetime has expired.

Currently in this scenario the user has to report to the helpdesk team. Unfortunately, only global admins can force-reset the user's MFA by setting the StrongAuthenticationMethods value to null, which clears the old lost device.

There is a workaround which can be used until we get a delegated RBAC role for this action. With an Azure Automation account, creating a flow, integrating it with the runbook and delegating this action to helpdesk admins will reduce the load on global admins.

Prerequisites:

  1. Create a new automation account from the Azure portal. An Azure subscription is required; it provides 500 free minutes every month.
  2. Create a new workflow from the global admin account. This action must be performed from the global admin account.
  3. Enter the global admin credentials in the created automation account. It is very important that the account used to execute the runbook does not have MFA enabled.
  4. Import the MSOnline module from the gallery.

Create Azure Automation account –

Go to https://portal.azure.com and create an automation account.

Now add the MSOnline module –

Access the Azure Automation account, click Assets > Modules and add the MSOnline module.

We can see the MSOnline modules are imported successfully.

Enter global admin credentials in the created automation account –

Click on Automation accounts – Credentials – Enter global admin credentials. Then add the script below.

These global admin credentials will execute the automation when we trigger the workflow from a delegated helpdesk admin account.

Now add the script required to execute this operation.

Param
(
    [Parameter (Mandatory = $false)]
    [String] $UserEmail = ""
)

# Refuse to run with an empty UserEmail rather than failing inside Set-MsolUser
if ([string]::IsNullOrWhiteSpace($UserEmail)) {
    throw "UserEmail parameter is required."
}

# 'TestDemo' is the credential asset holding the global admin account
$creds = Get-AutomationPSCredential -Name 'TestDemo'
Connect-MsolService -Credential $creds

# This command resets the MFA by clearing all registered strong authentication methods
Set-MsolUser -UserPrincipalName $UserEmail -StrongAuthenticationMethods @()

# This command resets the password with a forced change at next login (disabled by default)
#Set-MsolUserPassword -UserPrincipalName $UserEmail -NewPassword "S@c@r!ooii" -ForceChangePassword $true

After adding the above, publish the script.
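Because the helpdesk can trigger this runbook but the job runs as a global admin, the runbook itself is the only place to limit what the delegation can do. The variant below is an added example, not the article's runbook: it validates the input, refuses accounts outside an allow-listed domain or holding the Company Administrator role, records the registered methods before clearing them so the job output serves as an audit trail, and verifies the result. The credential asset name 'TestDemo' comes from the article; the domain allow-list is an assumption to adapt.

```powershell
Param
(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[^@\s]+@[^@\s]+\.[^@\s]+$')]
    [string] $UserEmail
)

# Assumption: the delegated flow may only reset accounts in these domains.
$AllowedDomains = @('domain.com')

$domain = $UserEmail.Split('@')[-1].ToLowerInvariant()
if ($AllowedDomains -notcontains $domain) {
    throw "Refusing to reset MFA for '$UserEmail': domain '$domain' is not in the allow-list."
}

# Same credential asset name the article uses for the global admin account
$creds = Get-AutomationPSCredential -Name 'TestDemo'
Connect-MsolService -Credential $creds

$user = Get-MsolUser -UserPrincipalName $UserEmail -ErrorAction Stop

# A helpdesk-triggered job must not be able to strip MFA from a global admin:
# compare the target against the members of the Company Administrator role.
$adminRole = Get-MsolRole -RoleName 'Company Administrator'
$adminUpns = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
    ForEach-Object { $_.EmailAddress }
if ($adminUpns -contains $user.UserPrincipalName) {
    throw "Refusing to reset MFA for '$UserEmail': account holds the Company Administrator role."
}

# Record what is about to be removed so the job output doubles as an audit trail
$before = @($user.StrongAuthenticationMethods | ForEach-Object {
    '{0}(default={1})' -f $_.MethodType, $_.IsDefault
})
$stamp = Get-Date -Format 'u'
Write-Output ('{0} MFA reset requested for {1}; methods before: [{2}]' -f $stamp, $UserEmail, ($before -join ', '))

# The actual reset, as in the article's runbook
Set-MsolUser -UserPrincipalName $UserEmail -StrongAuthenticationMethods @()

# Verify the change rather than assuming it succeeded
$remaining = @((Get-MsolUser -UserPrincipalName $UserEmail).StrongAuthenticationMethods).Count
if ($remaining -ne 0) {
    throw "MFA reset for '$UserEmail' did not take effect: $remaining method(s) still registered."
}
Write-Output ('{0} MFA reset completed for {1}' -f (Get-Date -Format 'u'), $UserEmail)
```

The Write-Output lines end up in the Azure Automation job output, which gives a record of who was reset and what methods they had, alongside the Flow run history showing which helpdesk user triggered it.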

Now we need to create the flow from the global admin account to execute this action.

Head over to Flow (https://flow.microsoft.com) and provision a new personal flow. Click New flow – Create from blank.

Choose "Flow button for mobile" – "Manually trigger a flow". Under triggers, select "Manually trigger a flow" and add UserEmail as an input to the flow. Then click New step – Add an action.

Click Choose an action – select Azure Automation – Create a job – provide the required credentials and subscription details.

This part is very important: we need to select the input UserEmail as below. This parameter is required for the runbook to execute the operation. After that we can see that the runbook parameter is UserEmail.

Now we see the flow is connected to the Azure Automation account.

Now navigate to My Flows – select the new flow – click Run now.

We can see the flow start successfully and execute the requested operation of resetting the user's MFA value to null.

We can also check the job in the automation account for verification; it will show as successful.

From the global admin Flow login, delegate this flow to helpdesk admins with "run only user" permission.

The actual operation is executed by the global admin account; the helpdesk team only triggers the action through the run-only permission delegated to them in the created Microsoft Flow.

Thanks & Regards

Sathish Veerapandian

Configure the access panel in Azure Active Directory

We can enable and provide self-service application access to end users. If an organization is using Office 365 applications and the user is licensed for them, the Office 365 applications will appear on the user's access panel. Microsoft and third-party applications configured with federation-based SSO can be added to this access panel.

We can create multiple groups, for example HR and Marketing, and publish the required apps, both internal corporate apps and social media apps.

To log on to the access panel we must be authenticated with an organizational account in Azure AD. We can authenticate to Azure AD directly or via federated authentication and consume this service.

For organizations that have deployed Office 365, applications assigned to users through Azure AD will also appear in the Office 365 portal.

The Azure access panel is a web-based portal which provides users with the features below:

1) View and launch cloud apps.
2) Configure self-service password reset.
3) Self-manage groups.
4) See account details.
5) Modify MFA settings.

IT admins can benefit and reduce first-level calls by enabling the features below:
1) Provide an easy portal for users.
2) Launch cloud-based and federated on-premises apps.
3) Links to URLs.
4) Control access to corporate applications.
5) Restrict access for users by group, device and location.

The portal can be accessed from https://myapps.microsoft.com. An Azure admin can configure the access panel settings from the URL below.

Log in to Azure AD – https://portal.azure.com/

Navigate to Azure AD – Enterprise applications – All applications.

Select the application we need to add – in the case below LinkedIn – and click on Self-service.

Below are the options we have at this moment:

Allow users to request access to this application – By enabling this option end users can view and request access to this application.

To which group the users must be added:

Require approval before granting access to this application:

Who is allowed to approve access to this application:

To which role users should be assigned to this application:

We have these options to add an app:

  1. Application you're developing – Register an app you're working on to integrate it with Azure AD.
  2. On-premises application (App Proxy) – Configure Azure AD Application Proxy to enable secure remote access.
  3. Non-gallery application – Integrate any other application that you don't find in the gallery.
  4. Add from the gallery – There are close to 3000 apps in the gallery which can be added.

Below is an example of the options available when adding an application:

In the case below we are adding Twitter from the gallery; a custom name can be provided for the application.

Single sign-on mode – we have 2 options:

  1. Federated SSO – Allows users to access apps with their organizational accounts. This applies mostly to on-premises apps published here, applications you are developing and any application integrated with an on-premises IdP. Only a one-time login is required.
    After signing in, the user can launch applications from the Office 365 portal or the Azure AD MyApps access panel.
  2. Password-based sign-on – Users must remember application-specific passwords and sign in to each application.

Hide application from end user:

This option can be used if we would like to hide the application from end users.

We have the option below to hide Office 365 apps from the access panel. Doing this means end users see Office 365 apps only from the Office 365 portal.

Further end user settings for the access panel can be managed:

For on-premises applications we need to configure federated single sign-on and add them to the access panel.

Navigate to Azure AD – click Enterprise applications – click All applications – select the application that needs single sign-on configuration.

We have the options below:
SAML – Use SAML whenever possible. SAML works when apps are configured to use one of the SAML protocols. For SAML we need to provide the sign-on URL, user attributes, claims and the signing certificate.

Then we need to provide the Azure URL in the application to link it with Azure AD. Here we are creating a relying party trust between the application and Azure AD for the SAML configuration to work.

Linked – Can be used for cloud and on-premises apps. We can use this when the application has single sign-on implemented using another service, such as Active Directory Federation Services or any other IdP solution.

Disabled – Use this option if your application is not ready for and integrated with SSO. Users will need to enter their user name and password every time the application is launched.

End user view from the browser –

Users can navigate to http://myapps.microsoft.com/

The default Office 365 apps are shown if they are not hidden.

After clicking on Add app, users can explore the apps added by the admin from the admin portal. In our case it shows only LinkedIn, since we added only LinkedIn.

If an approval process is required per the admin configuration, the request goes for approval, and after approval the application becomes available to the requesting user.

As per the recent update, Microsoft recommends using the Intune Managed Browser MyApps integration for mobile scenarios.
This integration supports lots of additional features, like home screen bookmark integration and Azure AD App Proxy integration.

The access panel will definitely help end users access all Office and corporate applications in one place without confusion, and will reduce the burden of front-line, first-level end user access requests.

Thanks & Regards

Sathish Veerapandian
