Microsoft released a new feature for Azure AD MyApps called Collections. It’s been in public preview for a little while and was released to general availability with the February identity updates. As they indicate in this article, “With the general availability of user-based collections in Azure AD My Apps, users can now create and manage their own personalized app collections while freeing IT resources and time for other tasks.”
Challenges
If you are on the journey to a password-less solution and use something like the Microsoft MyApps portal to organize your enterprise applications behind Single Sign-On, it’s common to have “app overload.” Our organization has 100+ apps now configured, and with so many our users continue to ask about a way to hide or organize them. Microsoft doesn’t offer a way for users to do this; there is a way for Administrators to publish Collections to users, but it is limited in its features. With the new user-based collections anyone can do it themselves. Let’s take a look!
Organize your applications
Click on the Create button to give your Collection a name.
Let’s add some of our Microsoft applications, you can drag and drop them in order, then click Create.
Now you will see your new Collection. You can click the down arrow next to the Collection to make changes.
Enjoy your new Collection!
Conclusion
This new Azure AD MyApps Collections experience is a much-needed update for Microsoft. Organizing applications into different collections is a feature many other Identity solutions provide. If you haven’t started a password-less journey yet with a solution like Single Sign-on, you are missing out! Your users will rejoice with even a few applications that they don’t need to remember a username or password for. Take a look at a few other articles I have posted on MyApps and Single Sign-on.
Have you made the move to consolidating user access to a single sign-on (SSO) portal yet? If Active Directory is your primary source for user access, the Azure AD MyApps portal is a great place to start consolidating your access. For the sake of time I’m going to jump right into some ways to customize this portal, if you need more information on moving to SSO, take a quick read here.
Azure AD MyApps Portal
The new portal reached general availability in 2020-Q1. It has a nice new feel and the Microsoft AzureAD Identity team has boasted a lot more features to come. To start, update to the new MyApps experience and try to create collections of apps. This could be a great way to group them together based on a security group for Client Success, Development, Sales, etc. I sure hope more features keep coming for it like Compact View, Pinned Apps, or a Frequently Used tab. You can go to their UserVoice page to submit new ideas or vote on current ones.
Clean up the portal
One big issue I’ve seen with Azure AD MyApps Portal is that it will start adding icons for apps you don’t want to see. For example, if you deploy an Outlook Add-In or OAuth for an app service, it will now show for your users in their portal. When you click on it, there will be an error or it will take you to an unexpected location. Well, let’s clean that up! Here are a few steps to do it:
We’re going to take a look at this VidYard app – click the 3 stacked dots and then Copy link
Now paste that link somewhere to inspect it. You will see a long string, you want the Enterprise App ID found after the name and before the Tenant ID. Use that ID to search for the app in Enterprise Apps in Azure AD.
Now go to Properties and switch the Visible to users to No
That’s it! Users can still authenticate to this app but won’t clutter up their MyApps portal. (I’ve seen it take about 10 minutes to be hidden)
PowerShell process
So now that we went over the easy way to do it, let’s take a deeper dive into a way to do this in bulk. Also, just because the app doesn’t show in your portal doesn’t mean it’s not showing for others. You can use this method for all apps in Azure AD. One disclaimer: some apps cannot be hidden (specifically Microsoft apps). Microsoft has documentation on hiding applications here.
First connect to Azure AD > then get all Service Principal Names
Or if you want to search for a specific one use -SearchString zoom
What you need is the ObjectID (you can also get this from the UI version of the portal for any Enterprise Application)
Now use the last few lines to actually hide the app – a great example are the “App for Outlook” add-ins you can deploy to all users. There is no reason to have this show in the MyApps portal – clean that up for your users after you deploy it!
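The bulk procedure above, written out as an added example (not the author's original commands). It assumes the AzureAD PowerShell module and uses the HideApp tag approach from Microsoft's documentation on hiding applications. The helper name Hide-MyAppsTile is hypothetical, and 'zoom' is the search string mentioned above.

```powershell
# Added example, not the author's original commands.
# Assumes the AzureAD module is installed and the signed-in account may
# update enterprise applications. Hide-MyAppsTile is a hypothetical helper name.
Import-Module AzureAD
Connect-AzureAD | Out-Null

function Hide-MyAppsTile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$ObjectId
    )
    process {
        $sp = Get-AzureADServicePrincipal -ObjectId $ObjectId

        # Copy the existing tags so nothing already set on the app is lost.
        $tags = [System.Collections.Generic.List[string]]::new()
        foreach ($t in $sp.Tags) { $tags.Add($t) }

        # Idempotent: skip apps that already carry the tag.
        if ($tags -contains 'HideApp') {
            Write-Verbose "$($sp.DisplayName) is already hidden"
            return
        }
        $tags.Add('HideApp')

        if ($PSCmdlet.ShouldProcess($sp.DisplayName, 'Add HideApp tag')) {
            try {
                Set-AzureADServicePrincipal -ObjectId $ObjectId -Tags $tags -ErrorAction Stop
            } catch {
                # Some apps (such as Microsoft's own) cannot be hidden; report and continue.
                Write-Warning "Could not hide $($sp.DisplayName): $($_.Exception.Message)"
            }
        }
    }
}

# 1. Review the matches (name, ObjectId, current tags) before changing anything.
$targets = Get-AzureADServicePrincipal -SearchString 'zoom'
$targets | Select-Object DisplayName, ObjectId, Tags | Format-Table -AutoSize

# 2. Dry run first, then apply the change.
$targets | Hide-MyAppsTile -WhatIf
$targets | Hide-MyAppsTile

# 3. Read the tags back to confirm the change was stored.
$targets | ForEach-Object { Get-AzureADServicePrincipal -ObjectId $_.ObjectId } |
    Select-Object DisplayName, Tags
```

Hiding only removes the tile from the portal; as noted above, users can still authenticate to the app, so access control stays with user assignment on the enterprise application.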
Keep your Azure AD MyApps portal cleaned up for your users before they go crazy with so many icons. It would be great if Microsoft would start adding new features to keep down on the clutter, but until then you can do your part. If you’re moving your users to the MyApps portal for all your SaaS apps, this is a must to keep their sanity. Check out more features of Office 365 and Azure Active Directory with these links.
Single Sign-on is a great solution, but it can be difficult to deliver a great experience. If you are an administrator like myself, setting up SSO isn’t as standardized as you would hope. Recently I migrated 50+ applications from OneLogin to Microsoft Azure Active Directory. Our company adopted SSO much before we adopted Microsoft’s Office 365 and Azure. Microsoft’s features improved so much over the past year or so that we decided to make the switch.
For users, they go to a single portal to find all of the apps you’ve set up for them. In Microsoft’s case, Office 365 customers can go to https://myapps.microsoft.com to access their apps. As your company connects more apps to SSO, they will all show up in this same portal. That’s it, pretty simple concept! Administrators who have set up SSO will cringe at that thought; it’s much more pain on their side, since each company has their own requirements on how it will work for an Identity as a Service provider like Microsoft Azure Active Directory.
Example
Let’s look at Concur in more detail. To start with, they don’t provide Administrator access to the SSO settings in your portal. You will need to open a support case with them to make a change. For a company as large as SAP, you would hope their support would be top class. From my experience they respond once every 24 hours to a ticket, but if you press them they will get on a call with you to help speed things up.
If you are an administrator setting up their application for Azure AD, the steps are documented here. After we set it up, though, we noticed that after logging into the mobile app on iOS or Android the user would get redirected to our SSO portal, not the Concur dashboard. After months of troubleshooting with Concur and 2 identity providers I figured it out. When Concur support asks you for a “mobile friendly URL” for your application, follow these steps for the “User access URL”:
1. Go to the Enterprise Application you’ve set up
2. Click on Properties in the left pane
3. Copy the User access URL – PROVIDE THIS URL TO CONCUR SUPPORT
Summary
I can’t speak for Concur, but I believe they’re asking for some kind of Relay State to redirect users to your SSO application for Concur. If you provide them with the User access URL everything will work as expected. After you log into the Concur mobile app it redirects you to the Concur dashboard. Again, Single Sign-on is a great solution but can be difficult to deliver a great experience. It’s a simple concept but getting it just right for your users to have a great experience can take quite a bit of work. It will be worth it!