|
| 1 | +--- |
| 2 | +title: Publish your application |
| 3 | +description: Learn how to publish your application in the Azure Active Directory application gallery. |
| 4 | +titleSuffix: Azure AD |
| 5 | +services: active-directory |
| 6 | +author: eringreenlee |
| 7 | +manager: CelesteDG |
| 8 | +ms.service: active-directory |
| 9 | +ms.subservice: app-mgmt |
| 10 | +ms.topic: how-to |
| 11 | +ms.workload: identity |
| 12 | +ms.date: 1/18/2022 |
| 13 | +ms.author: ergreenl |
| 14 | +--- |
| 15 | + |
| 16 | +# Publish your application in the Azure Active Directory application gallery |
| 17 | + |
| 18 | +You can publish your application in the Azure Active Directory (Azure AD) application gallery. When your application is published, it's made available as an option for users when they add applications to their tenant. For more information, see [Overview of the Azure Active Directory application gallery](overview-application-gallery.md). |
| 19 | + |
| 20 | +To publish your application in the gallery, you need to complete the following tasks: |
| 21 | + |
| 22 | +- Make sure that you complete the prerequisites. |
| 23 | +- Create and publish documentation. |
| 24 | +- Submit your application. |
| 25 | +- Join the Microsoft partner network. |
| 26 | + |
| 27 | +## Prerequisites |
| 28 | + |
| 29 | +- To publish your application in the gallery, you must first read and agree to specific [terms and conditions](https://azure.microsoft.com/support/legal/active-directory-app-gallery-terms/). |
| 30 | +- Every application in the gallery must implement one of the supported single sign-on (SSO) options. To learn more about the supported options, see [Plan a single sign-on deployment](plan-sso-deployment.md). To learn more about authentication, see [Authentication vs. authorization](../develop/authentication-vs-authorization.md) and [Azure active Directory code samples](../develop/sample-v2-code.md). For password SSO, make sure that your application supports form authentication so that password vaulting can be used. For a quick introduction about single sign-on configuration in the portal, see [Enable single sign-on for an enterprise application](add-application-portal-setup-sso.md). |
| 31 | +- For federated applications (OpenID and SAML/WS-Fed), the application must support the [software-as-a-service (SaaS) model](https://azure.microsoft.com/overview/what-is-saas/) to be listed in the gallery. The enterprise gallery applications must support multiple user configurations and not any specific user. |
| 32 | +- For Open ID Connect, the application must be multitenanted and the [Azure AD consent framework](../develop/consent-framework.md) must be properly implemented for the application. The user can send the sign-in request to a common endpoint so that any user can provide consent to the application. You can control user access based on the tenant ID and the user's UPN received in the token. |
| 33 | +- Supporting provisioning is optional, but highly recommended. Provisioning must be done using the System for Cross-domain Identity Management (SCIM) protocol, which is easy to implement. Using SCIM allows users to automatically create and update accounts in your application without relying on manual processes such as uploading CSV files. To learn more about the Azure AD SCIM implementation, see [build a SCIM endpoint and configure user provisioning with Azure AD](../app-provisioning/use-scim-to-provision-users-and-groups.md). |
| 34 | + |
| 35 | +You can get a free test account with all the premium Azure AD features - 90 days free and can get extended as long as you do dev work with it: [Join the Microsoft 365 Developer Program](/office/developer-program/microsoft-365-developer-program). |
| 36 | + |
| 37 | +## Create and publish documentation |
| 38 | + |
| 39 | +### Documentation on your site |
| 40 | + |
| 41 | +Ease of adoption is a significant factor in enterprise software decisions. Clear easy-to-follow documentation supports your users in their adoption journey and reduces support costs. |
| 42 | + |
| 43 | +Your documentation should at a minimum include the following items: |
| 44 | + |
| 45 | +- Introduction to your SSO functionality |
| 46 | + - Protocols supported |
| 47 | + - Version and SKU |
| 48 | + - Supported identity providers list with documentation links |
| 49 | +- Licensing information for your application |
| 50 | +- Role-based access control for configuring SSO |
| 51 | +- SSO Configuration Steps |
| 52 | + - UI configuration elements for SAML with expected values from the provider |
| 53 | + - Service provider information to be passed to identity providers |
| 54 | +- If OIDC/OAuth, list of permissions required for consent with business justifications |
| 55 | +- Testing steps for pilot users |
| 56 | +- Troubleshooting information, including error codes and messages |
| 57 | +- Support mechanisms for users |
| 58 | +- Details about your SCIM endpoint, including the resources and attributes supported |
| 59 | + |
| 60 | +### Documentation on the Microsoft site |
| 61 | + |
| 62 | +When your application is added to the gallery, documentation is created that explains the step-by-step process. For an example, see [Tutorials for integrating SaaS applications with Azure Active Directory](../saas-apps/tutorial-list.md). This documentation is created based on your submission to the gallery, and you can easily update it if you make changes to your application using your GitHub account. |
| 63 | + |
| 64 | +## Submit your application |
| 65 | + |
| 66 | +After you've tested that your application integration works with Azure AD, submit your application request in the [Microsoft Application Network portal](https://microsoft.sharepoint.com/teams/apponboarding/Apps). The first time you try to sign into the portal you are presented with one of two screens. |
| 67 | + |
| 68 | +- If you receive the message "That didn't work", then you need to contact the [Azure AD SSO Integration Team ](mailto:[email protected]). Provide the email account that you want to use for submitting the request. A business email address such as `[email protected]` is preferred. The Azure AD team will add the account in the Microsoft Application Network portal. |
| 69 | +- If you see a "Request Access" page, then fill in the business justification and select **Request Access**. |
| 70 | + |
| 71 | +After the account is added, you can sign in to the Microsoft Application Network portal and submit the request by selecting the **Submit Request (ISV)** tile on the home page. If you see the **Your sign-in was blocked** error while logging in, see [Troubleshoot sign-in to the Microsoft Application Network portal](troubleshoot-app-publishing.md). |
| 72 | + |
| 73 | +### Implementation-specific options |
| 74 | + |
| 75 | +On the Application Registration Form, select the feature that you want to enable. Select **OpenID Connect & OAuth 2.0**, **SAML 2.0/WS-Fed**, or **Password SSO(UserName & Password)** depending on the feature that your application supports. |
| 76 | + |
| 77 | +If you're implementing a [SCIM](../app-provisioning/use-scim-to-provision-users-and-groups.md) 2.0 endpoint for user provisioning, select **User Provisioning (SCIM 2.0)**. Download the schema to provide in the onboarding request. For more information, see [Export provisioning configuration and roll back to a known good state](../app-provisioning/export-import-provisioning-configuration.md). The schema that you configured is used when testing the non-gallery application to build the gallery application. |
| 78 | + |
| 79 | +You can track application requests by customer name at the Microsoft Application Network portal. For more information, see [Application requests by Customers](https://microsoft.sharepoint.com/teams/apponboarding/Apps/SitePages/AppRequestsByCustomers.aspx). |
| 80 | + |
| 81 | +### Timelines |
| 82 | + |
| 83 | +The timeline for the process of listing a SAML 2.0 or WS-Fed application in the gallery is 7 to 10 business days. |
| 84 | + |
| 85 | +:::image type="content" source="/media/howto-app-gallery-listing/timeline.png" alt-text="Screenshot that shows the timeline for listing a SAML application."::: |
| 86 | + |
| 87 | +The timeline for the process of listing an OpenID Connect application in the gallery is 2 to 5 business days. |
| 88 | + |
| 89 | +:::image type="content" source="/media/howto-app-gallery-listing/timeline-2.png" alt-text="Screenshot that shows the timeline for listing an OpenID Connect application."::: |
| 90 | + |
| 91 | +The timeline for the process of listing a SCIM provisioning application in the gallery is variable and depends on numerous factors. |
| 92 | + |
| 93 | +Not all applications can be onboarded. Per the terms and conditions, the choice may be made to not list an application. Onboarding applications is at the sole discretion of the onboarding team. If your application is declined, you should use the non-gallery provisioning application to satisfy your provisioning needs. |
| 94 | + |
| 95 | +Here's the flow of customer-requested applications. |
| 96 | + |
| 97 | +:::image type="content" source="/media/howto-app-gallery-listing/customer-request-2.png" alt-text="Screenshot that shows the customer-requested apps flow."::: |
| 98 | + |
| 99 | +For any escalations, send email to the [Azure AD SSO Integration Team ](mailto:[email protected]), and a response is sent as soon as possible. |
| 100 | + |
| 101 | + |
| 102 | +## Join the Microsoft partner network |
| 103 | + |
| 104 | +The Microsoft Partner Network provides instant access to exclusive resources, programs, tools, and connections. To join the network and create your go to market plan, see [Reach commercial customers](https://partner.microsoft.com/explore/commercial#gtm). |
| 105 | + |
| 106 | +## Next steps |
| 107 | + |
| 108 | +- Learn more about managing enterprise applications in [What is application management in Azure Active Directory?](what-is-application-management.md) |
0 commit comments