Using your Office 365 Azure AD tenant with application access enhancements for Windows Azure AD


Hi folks,

I'm Eran Dvir, a lead program manager in Active Directory. In a previous post I described how to quickly access our new application access enhancements in Windows Azure Active Directory. In this post I want to extend that by explaining how existing Office 365 subscribers can access these capabilities. There are a number of documents out there describing how to activate Windows Azure Active Directory on any existing Microsoft Services subscription you may have, most notably a walk-through video by Matt Steele. This post will help you better understand the relationship between Office 365 and Windows Azure AD and provides one easy path to add the application access enhancements features to your existing Office 365 subscription.

To get started, how does Windows Azure Active Directory fit with Office 365? In general terms, Windows Azure AD is the primary directory for all organizational Microsoft online services, including Office 365, Windows Intune and Microsoft Dynamics. There are a number of ways to manage your Windows Azure AD: Office 365 and Dynamics subscribers often use the Office 365 management portal or PowerShell; similarly, Windows Intune subscribers can accomplish basic identity functions on the Windows Intune administrator portal. Earlier in the year we released the Azure Active Directory administrative portal as a part of the Windows Azure portal. While there will be ongoing investments in the various applications' management portals, rich identity and access management capabilities will be exposed through the Windows Azure Active Directory portal first. For example, today you can already evaluate application access enhancements for Windows Azure AD by accessing your directory through the Windows Azure portal. With this feature you can easily set up single sign-on to cloud-based applications and enable your users to easily discover and access these applications with the Windows Azure Access Panel.

To access the Windows Azure portal for your existing Office 365 subscription, all you need to do is activate a free Windows Azure subscription on your existing account. The following instructions walk you through this process in detail.

 

Note: Any changes made to your directory through the Windows Azure AD portal will take effect on your Office 365 service immediately. We do not recommend using our preview features on a production Office 365 tenant!

 

As always, we really appreciate your feedback. The easiest way to let us know what you think, whether anything is missing, or whether something didn't work as expected is through email. If you are interested in a closer engagement with our engineering team regarding application access enhancements for Windows Azure Active Directory, you can also register through this survey.

Quick access links

Windows Azure Management Portal – http://manage.windowsazure.com

Access Panel - https://account.activedirectory.windowsazure.com/applications

Application access enhancements for Windows Azure Active Directory technical reference - http://technet.microsoft.com/en-us/library/dn308590.aspx

Windows Azure preview features - http://www.windowsazure.com/en-us/services/preview/

Active Directory Team Blog - http://blogs.technet.com/b/ad/

Using an existing Windows Azure AD Tenant with Windows Azure - http://blogs.technet.com/b/ad/archive/2013/04/29/using-a-existing-windows-azure-ad-tenant-with-windows-azure.aspx

 

Adding an Azure subscription to your Office 365 account

Using the following instructions you will:

  1. Add a Windows Azure subscription to your existing Office 365 global administrator account.
  2. Enable the application access enhancement for Windows Azure AD preview feature.
  3. Integrate an application to your Windows Azure AD and enable a user to access this application.
  4. Use the Windows Azure Access Panel to access an application.

If you already have a Windows Azure subscription on your Office 365 global administrator account, you can proceed to step 2.

To get started all you need is your Office 365 Global Administrator account and an account for your favorite cloud-based application.

  • The functionality described in this posting is a free preview and its use will not incur any charges. Following these instructions you will be creating a 30-day trial subscription in Windows Azure (you will need a credit card to activate the Windows Azure trial subscription, but there will be no cost for usage of this service).
  • In this example I use the consumer application Skype but you can choose from our numerous supported enterprise and consumer applications.
  • Refer to this article to learn more about the global administrator role and managing Office 365 administrative roles.

     

  1. One simple way to add a Windows Azure subscription to your Office 365 account is to access the Windows Azure Signup page with your Office 365 global administrator account. You can either log into the Office 365 administrator portal and then go to the Windows Azure Signup page, or go directly to the signup page, select "sign in with an organizational account" and log in with your Office 365 global administrator credentials.

    You may be prompted to re-authenticate when accessing the signup page.

    You will next be prompted to add and validate a contact phone number.

    You will then be prompted to add your payment information (you will need a credit card to activate the Windows Azure trial subscription but there will be no cost for usage of application access enhancements for Windows Azure Active Directory) and finally to confirm the Windows Azure Agreement.

    Welcome to Windows Azure! You have completed your trial tenant signup. You will now be redirected to the Windows Azure subscription management page and can proceed to the Windows Azure management portal by clicking on the "Portal" button at the top right corner of your screen.

  2. Once through the welcome screens, you can navigate to the Windows Azure Preview Feature page and enable the Application Access Enhancement feature by clicking "try it now", selecting the "Free Trial" subscription and confirming by clicking on the check on the bottom right.

  3. Now, browse back to the Windows Azure Management Portal. You will see the directory in the "all items" list and can browse to it by clicking on the arrow next to it. From here you will need to click on the Windows Azure Active Directory Quick Start page and select "Add an application" from the Explore section.

    This will bring up the Windows Azure application gallery; the list has quite a few applications and will continue to expand every few weeks. In this example we will select the application "Skype". This can be done by selecting the "Telecommunications" category on the left hand pane, selecting the "Skype" application in the middle pane and confirming by clicking the checkmark on the bottom right.

    Once an application is added to your directory, you can assign the application to specific users through the users tab under the application. Here you can select the right users and use the "Enable Access" button at the bottom to grant access. If the application is configured with password single sign-on, as is the case in this example, you can also configure the user's credential (username and password) for this application. This can be done by ticking the checkbox "I want to enter the Skype credentials on behalf of the user" while enabling access or through the "edit account" button after the access has been enabled. If you choose not to do this, the user will be able to enter their own credential through the Access Panel. It is important to note that users can only see in the Access Panel those applications the administrator has granted them access to.

    Now, browse back to the Application tab; you can do this by clicking on the back button in the portal. Here you can see the Microsoft Office365 Exchange and SharePoint applications.

  4. Now that you've got an application configured, the next step is to click over to the Application Access Panel. This is the page where your users can single sign-on to applications, discover which applications they have, and in some cases manage their application credentials.

    When clicking on the Skype application tile for the first time, you may be prompted to download and install a browser extension. The extension is needed to support the password single sign-on functionality. If this is the case, please follow the browser-specific instructions.










Once the browser extension is installed the user can configure their Skype credentials (username and password) by clicking on the Skype tile or by using the configure option. If you have assigned credentials for this user they will not need to perform this step and instead will be redirected and signed into the application.

 

From now on the user can access their Skype account using Windows Azure Active Directory by selecting the Skype tile on the Access Panel.


As explained above, the Windows Azure Access Panel can be used to access all your cloud-based applications. In this example you can also access your Office 365 Outlook and SharePoint through the Access Panel tiles.

 

Following these instructions you have just added a Windows Azure trial subscription to your Office 365 account, taken your first steps in managing your directory through Windows Azure AD, and assigned an application to your trial directory users. You also got a first view of the end user experience through the Access Panel and used Windows Azure Active Directory to access this application.

You can continue exploring the administrator and end user functionality by adding more applications through the application gallery, configuring user provisioning, and assigning applications to specific users.

 

Note: Any changes made to your directory through the Windows Azure AD portal will take effect on your Office 365 service immediately. We do not recommend using our preview features on a production Office 365 tenant!

 

I hope you'll find these instructions helpful! I'm looking forward to seeing even more of you using the Application Access enhancements for Windows Azure AD!

Regards,

Eran

  • Tried to leave a comment... but it didn't take. I am not going to write it again. *sigh*

  • Ok.. let's try this post again.

    Please tell me this isn't going into production.  The azure sign up page asks for my info all over again, when it shows I am signed in!?  It should have populated from my office365 tenant... So no, I am not going to type in yet another name, phone number, credit card info when all of that is already in office365.  Isn't it supposed to be ONE federated login for all Azure apps??  What happened? I bet all my users will have to do the same too.  And for every application.   I might as well accidentally enter that info into google once, and get all their apps...  

    Also, it's crazy to charge for identity management.  Identity management that leads to applications like Skype where businesses are willing to pay for skype credits for employee use because Lync just doesn't cut it. How many times do we need to enter that billing info again?  once for office365, once for azure, once for skype?    Arrrgh!

  • @DraconPern - yes, it's definitely suboptimal.  For historical (dumb) reasons, Office and Azure are on different billing systems. We are working to fix this now so that we don't have to ask you to sign up over and over again. Sorry about the inconvenience here.

    Regards,

    Alex