Skip to content

Commit 00579f6

Browse files
omondiatienoomondiatieno
committed
app management tutorials
1 parent 57fa9ad commit 00579f6

File tree

2 files changed

+262
-0
lines changed

2 files changed

+262
-0
lines changed

articles/active-directory/manage-apps/tutorial-govern-monitor.md

Lines changed: 106 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,106 @@
1+
---
2+
title: "Tutorial: Govern and monitor applications"
3+
titleSuffix: Azure AD
4+
description: In this tutorial, you learn how to govern and monitor an application in Azure Active Directory.
5+
author: davidmu1
6+
manager: CelesteDG
7+
ms.author: davidmu
8+
ms.service: active-directory
9+
ms.subservice: app-mgmt
10+
ms.topic: tutorial
11+
ms.date: 02/16/22
12+
# Customer intent: As an administrator of an Azure AD tenant, I want to govern and monitor my applications.
13+
---
14+
15+
# Tutorial: Govern and monitor applications
16+
17+
Juan at Fabrikam has added and configured an application from the [Azure Active Directory (Azure AD) application gallery](overview-application-gallery.md). He also made sure that access can be managed and that the application is secure by using the information in [Tutorial: Manage application access and security](tutorial-manage-access-security.md). He now needs to understand the recources that are available to govern and monitor the application.
18+
19+
By using the information in this tutorial Juan and you learn how to:
20+
21+
> [!div class="checklist"]
22+
> * Create an access review
23+
> * Access the audit logs report
24+
> * Access the sign-ins report
25+
> * Send logs to Azure Monitor
26+
27+
## Prerequisites
28+
29+
- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
30+
- One of the following roles: Global Administrator, Privileged Role Administrator, Cloud Application Administrator, or Application Administrator.
31+
- An enterprise application that has been configured in your Azure AD tenant. See the [Quickstart: Add an enterprise application](add-application-portal.md).
32+
33+
## Create an access review
34+
35+
Juan wants to make sure that users or guests have appropriate access. He decides to ask users of the application to participate in an access review and recertify or attest to their need for access. When the access review is finished, he can then make changes and remove access from users who no longer need it. For more information, see
36+
[Manage user and guest user access with access reviews](../governance/manage-access-review.md).
37+
38+
1. Sign in to the [Azure portal](https://portal.azure.com/) with one of the roles listed in the prerequisites.
39+
1. Go to **Azure Active Directory**, and then select **Identity Governance**.
40+
1. On the left menu, select **Access reviews**.
41+
1. Select **New access review** to create a new access review.
42+
1. In **Select what to review**, select **Applications**.
43+
1. Select **+ Select application(s)**, select the application, and then select **Select**.
44+
1. Now you can select a scope for the review. Your options are:
45+
- **Guest users only** - This option limits the access review to only the Azure AD B2B guest users in your directory.
46+
- **All users** - This option scopes the access review to all user objects associated with the resource.
47+
Select **All users**.
48+
1. Select **Next: Reviews**.
49+
1. In the **Specify reviewers** section, in the Select reviewers box, select **Selected user(s) or group(s)**, select **+ Select reviewers**, and then select the user account that is assigned to the application.
50+
1. In the **Specify recurrence of review** section, specify the following selections:
51+
- **Duration (in days)** - Accept the default value of **3**.
52+
- **Review recurrence** - select **One time**.
53+
- **Start date** - Accept today's date as the start date.
54+
1. Select **Next: Settings**.
55+
1. In the **Upon completion settings** section, you can specify what happens after the review finishes. Select **Auto apply results to resource**.
56+
1. Select **Next: Review + Create**.
57+
1. Name the access review. Optionally, give the review a description. The name and description are shown to the reviewers.
58+
1. Review the information and select **Create**.
59+
60+
### Start the access review
61+
62+
After you've specified the settings for an access review, select Start. The access review appears in your list with an indicator of its status.
63+
By default, Azure AD sends an email to reviewers shortly after the review starts. If you choose not to have Azure AD send the email, be sure to inform the reviewers that an access review is waiting for them to complete. You can show them the instructions for how to review access to groups or applications. If your review is for guests to review their own access, show them the instructions for how to review access for yourself to groups or applications.
64+
If you've assigned guests as reviewers and they haven't accepted their invitation to the tenant, they won't receive an email from access reviews. They must first accept the invitation before they can begin reviewing.
65+
66+
## Access the audit logs report
67+
68+
The audit logs report combines several reports around application activities into a single view for context-based reporting. For more information, see [Audit logs in Azure Active Directory](../reports-monitoring/concept-audit-logs.md).
69+
70+
To access the audit logs report, select **Audit logs** from the **Activity** section of the Azure Active Directory blade.
71+
72+
The audit logs report consolidates the following reports:
73+
• Password reset activity
74+
• Password reset registration activity
75+
• Self-service groups activity
76+
• Office365 Group Name Changes
77+
• Account provisioning activity
78+
• Password rollover status
79+
• Account provisioning errors
80+
81+
## Access the sign-ins report
82+
83+
The Sign-ins view includes all user sign-ins, as well as the Application Usage report. You also can view application usage information in the Manage section of the Enterprise applications overview. For more information, see [Sign-in logs in Azure Active Directory](../reports-monitoring/concept-sign-ins.md)
84+
85+
Select Signins from the Activity section of the Azure Active Directory blade.
86+
87+
## Send logs to Azure Monitor
88+
89+
The Azure AD activity logs only store information for a maximum of 30 days. Depending on your needs, you may want to have additional storage to back up the activity logs data. Using the Azure Monitor, you can archive the audit and sign logs to an Azure storage account to retain the data for a longer time.
90+
The Azure Monitor is also useful for rich visualization, monitoring and alerting of data. To learn more about the Azure Monitor and the cost considerations for additional storage, see [Azure AD activity logs in Azure Monitor](../reports-monitoring/concept-activity-logs-azure-monitor.md).
91+
92+
To send logs to your logs analytics workspace:
93+
94+
1. Select **Diagnostic settings**, and then select **Add diagnostic setting**. You can also select Export Settings from the Audit Logs or Sign-ins page to get to the diagnostic settings configuration page.
95+
1. In the Diagnostic settings menu, select **Send to Log Analytics workspace**, and then select Configure.
96+
1. Select the Log Analytics workspace you want to send the logs to, or create a new workspace in the provided dialog box.
97+
1. Select the logs that you would like to send to the workspace.
98+
1. Select **Save** to save the setting.
99+
100+
After about 15 minutes, verify that events are streamed to your Log Analytics workspace.
101+
102+
## Next steps
103+
104+
Advance to the next article to learn how to...
105+
> [!div class="nextstepaction"]
106+
> [Manage certificates for federated single sign-on](manage-certificates-for-federated-single-sign-on.md)

articles/active-directory/manage-apps/tutorial-manage-access-security.md

Lines changed: 156 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,156 @@
1+
---
2+
title: "Tutorial: Manage application access and security"
3+
titleSuffix: Azure AD
4+
description: In this tutorial, you learn how to manage access to an application in Azure Active Directory and make sure it is secure.
5+
author: davidmu1
6+
manager: CelesteDG
7+
ms.author: davidmu
8+
ms.service: active-directory
9+
ms.subservice: app-mgmt
10+
ms.topic: tutorial
11+
ms.date: 02/14/22
12+
13+
# Customer intent: As an administrator of an Azure AD tenant, I want to manage access to my applications and make sure they are secure.
14+
---
15+
16+
# Tutorial: Manage application access and security
17+
18+
Juan at Fabrikam has added and configured an application from the Azure Active Directory (Azure AD) application gallery. He now needs to understand the features that are available to manage access to the application and make sure the application is secure.
19+
By using the information in this tutorial Juan and you learn how to:
20+
21+
> [!div class="checklist"]
22+
23+
> * Grant consent for the application on behalf of all users
24+
> * Enable multi-factor authentication to make sign-in more secure
25+
> * Communicate a term of use to users of the application
26+
> * Create a collection in the My Apps portal
27+
28+
## Prerequisites
29+
30+
* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
31+
* One of the following roles: Global Administrator, Privileged Role Administrator, Cloud Application Administrator, or Application Administrator.
32+
* An enterprise application that has been configured in your Azure AD tenant. See the [Quickstart: Add an enterprise application](add-application-portal.md).
33+
* At least one user account added and assigned to the application. For more information, see [Quickstart: Create and assign a user account](add-application-portal-assign-users.md).
34+
35+
## Grant tenant wide admin consent
36+
37+
For the application that Juan added to his tenant, he wants to set it up so that all users in the organization can use it and not have to individually request consent to use it. To avoid the need for user consent, Juan can grant consent for the application on behalf of all users in the organization. For more information, see [Consent and permissions overview](consent-and-permissions-overview.md).
38+
39+
1. Sign in to the [Azure portal](https://portal.azure.com/) with one of the roles listed in the prerequisites.
40+
2. Search for and select **Azure Active Directory**.
41+
3. Select **Enterprise applications**.
42+
4. Select the application to which you want to grant tenant-wide admin consent.
43+
5. Under **Security**, select **Permissions**.
44+
6. Carefully review the permissions that the application requires. If you agree with the permissions the application requires, select **Grant admin consent**.
45+
46+
## Create a Conditional Access policy
47+
48+
Juan wants to make sure that only the people he assigns to the application can securely sign in. To do this he can configure a Conditional Access policy for a group of users that enforces multi-factor authentication (MFA). For more information, see [What is Conditional Access?](../conditional-access/overview.md).
49+
50+
### Create a group
51+
52+
It is easier for Juan to manage access to the application by assigning all users of the application to a group. Juan can then manage access at a group level.
53+
54+
1. In the left menu of the tenant overview, select **Groups**.
55+
1. Select **New group** at the top of the pane.
56+
1. Enter *MFA-Test-Group* for the name of the group.
57+
1. Select No members selected, and then choose the user account that you assigned to the application.
58+
1. Select **Create**.
59+
60+
### Create a Conditional Access policy for the group
61+
62+
1. In the left menu of the tenant overview, select **Security**.
63+
1. Select **Conditional Access**, select **+ New policy**, and then select **Create new policy**.
64+
1. Enter a name for the policy, such as *MFA Pilot*.
65+
1. Under **Assignments**, select **Users and groups**
66+
1. On the **Include** tab, choose **Select users and groups**, and then select **Users and groups**.
67+
1. Browse for and select the *MFA-Test-Group* that you previously created, and then choose **Select**.
68+
1. Don't select **Create** yet, you add MFA to the policy in the next section.
69+
70+
### Configure multi-factor authentication
71+
72+
In this tutorial, Juan can find the basic steps to configure the application, but he should consider creating a plan for MFA before starting. For more information, see [Plan an Azure Active Directory Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).
73+
74+
1. Under **Cloud apps or actions**, select **No cloud apps, actions, or authentication contexts selected**. For this tutorial, on the **Include** tab, choose **Select apps**.
75+
1. Search for and select your application, and then select **Select**.
76+
1. Under **Access controls** and **Grant**, select **0 controls selected**.
77+
1. Check the box for **Require multi-factor authentication**, and then choose **Select**.
78+
1. Set **Enable policy** to **On**.
79+
1. To apply the Conditional Access policy, select **Create**.
80+
81+
## Test multi-factor authentication
82+
83+
1. Open a new browser window in InPrivate or incognito mode and browse to the URL of the application.
84+
1. Sign in with the user account that you assigned to the application. You're required to register for and use Azure AD Multi-Factor Authentication. Follow the prompts to complete the process and verify you successfully sign into the Azure portal.
85+
1. Close the browser window.
86+
87+
## Create a terms of use statement
88+
89+
Juan wants to make sure that certain terms and conditions are known to users before they start using the application. For more information, see [Azure Active Directory terms of use](../conditional-access/terms-of-use.md).
90+
91+
1. In Microsoft Word, create a new document.
92+
1. Type My terms of use, and then save the document on your computer as *mytou.pdf*.
93+
1. Under **Manage**, in the **Conditional Access** menu, select **Terms of use**.
94+
1. In the top menu, select **+ New terms**.
95+
1. In the **Name** textbox, type *My TOU*.
96+
1. In the **Display name** textbox, type *My TOU*.
97+
1. Upload your terms of use PDF file.
98+
1. For **Language**, select **English**.
99+
1. For **Require users to expand the terms of use**, select **On**.
100+
1. For **Enforce with conditional access policy templates**, select **Custom policy**.
101+
1. Select **Create**.
102+
103+
## Add the terms of use to the policy
104+
105+
1. In the left menu of the tenant overview, select **Security**.
106+
1. Select **Conditional Access**, and then select the *MFA Pilot* policy.
107+
1. Under **Access controls** and **Grant**, select the controls selected link.
108+
1. Select *My TOU*.
109+
1. Select **Require all the selected controls**, and then choose **Select**.
110+
1. Select **Save**.
111+
112+
## Create a collection in the My Apps portal
113+
114+
The My Apps portal enables administrators and users to manage the applications used in the organization. For more information, see [End-user experiences for applications](end-user-experiences.md).
115+
116+
> [!NOTE]
117+
> Applications only appear in a user's my Apps portal after the user is assigned to the application and the application is configured to be visible to users. See [Configure application properties](add-application-portal-configure.md) to learn how to make the application visible to users.
118+
119+
1. Open the Azure portal.
120+
1. Go to **Azure Active Directory**, and then select **Enterprise Applications**.
121+
1. Under **Manage**, select **Collections**.
122+
1. Select **New collection**. In the New collection page, enter a **Name** for the collection (it is recommended to not use "collection" in the name. Then enter a **Description**.
123+
1. Select the **Applications** tab. Select **+ Add application**, and then in the Add applications page, select all the applications you want to add to the collection, or use the Search box to find applications.
124+
1. When you're finished adding applications, select **Add**. The list of selected applications appears. You can use the arrows to change the order of applications in the list.
125+
1. Select the **Owners** tab. Select **+ Add users and groups**, and then in the Add users and groups page, select the users or groups you want to assign ownership to. When you're finished selecting users and groups, choose **Select**.
126+
1. Select the **Users and groups** tab. Select **+ Add users and groups**, and then in the **Add users and groups** page, select the users or groups you want to assign the collection to. Or use the Search box to find users or groups. When you're finished selecting users and groups, choose Select.
127+
1. Select **Review + Create**, and then select **Create**. The properties for the new collection appear.
128+
129+
## Clean up resources
130+
131+
You can keep the resources that you created to use in the next tutorial, or if you're not going to continue to use the resources created in this tutorial, delete them with the following steps.
132+
133+
## Delete the application
134+
135+
1. In the left menu, select **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant. Search for and select the application that you want to delete. For example, **Azure AD SAML Toolkit**.
136+
1. In the **Manage** section of the left menu, select **Properties**.
137+
1. At the top of the **Properties** pane, select **Delete**, and then select *Yes* to confirm you want to delete the application from your Azure AD tenant.
138+
139+
## Delete the conditional access policy
140+
141+
1. Select **Enterprise applications**.
142+
1. Under **Security**, select **Conditional Access**.
143+
1. Search for and select **MFA Pilot**.
144+
1. Select **Delete** at the top of the pane.
145+
146+
## Delete the group
147+
148+
1. Select **Azure Active Directory**, and then select **Groups**.
149+
1. From the **Groups - All groups** page, search for and select the **MFA-Test-Group** group.
150+
1. On the overview page, select **Delete**.
151+
152+
## Next steps
153+
154+
Advance to the next article to learn how to...
155+
> [!div class="nextstepaction"]
156+
> [Govern and monitor your application](tutorial-govern-monitor.md)

0 commit comments

Comments
 (0)