Enterprise Single Sign-On with Azure AD Pre-authorized Apps

Question

Pulumi · Accepted Answer

In order to set up Enterprise Single Sign-On (SSO) with Azure Active Directory (AD) for pre-authorized applications, you need to perform several tasks. These involve creating an Azure AD application, setting up a service principal for the application, and configuring pre-authorization settings so that users can access the application without additional consent prompts.

Here's a high-level breakdown of what each step typically involves:

Create an Azure AD Application: This represents the application in Azure AD and contains settings like the application's name, the URLs it uses, and what resources it needs access to.
Create a Service Principal: The service principal is an instance of the application in your directory with which you grant access to the application to perform tasks on behalf of a user or service.
Pre-authorize an App: You configure which permissions are pre-consented for the application by users so that they won't have to give consent during the authentication process.

Let's walk through a Pulumi program that does all of these steps. We’ll use the Pulumi Azure AD provider:

azuread.Application: To create an Azure AD application.
azuread.ServicePrincipal: To create a service principal for the Azure AD application.
azuread.ApplicationPreAuthorized: To pre-authorize applications.

Here is the Pulumi program in Python:

import pulumi
import pulumi_azuread as azuread

# Step 1: Create the Azure AD application
app = azuread.Application("exampleApplication",
    display_name="example-app",
    owners=["<user_object_id>"]) # Replace with the actual object ID of the app owner.

# Note the output property 'application_id' which we'll use to link the service principal.

# Step 2: Create the service principal for the Azure AD application
sp = azuread.ServicePrincipal("exampleServicePrincipal",
    application_id=app.application_id)

# Step 3: Pre-authorize the application with the permissions it requires
# You would replace 'application_object_id' and 'permission_ids' with the actual values for your setup.
pre_authorized_app = azuread.ApplicationPreAuthorized("examplePreAuthorizedApp",
    application_object_id=app.object_id,
    authorized_app_id="<app_id_to_pre_authorize>", # The application you want to pre-authorize.
    permission_ids=["<permission_id1>", "<permission_id2>"]) # The list of permissions the pre-authorized app has.

# Export some of the application and service principal details
pulumi.export("application_id", app.application_id)
pulumi.export("service_principal_id", sp.id)
pulumi.export("pre_authorized_app_id", pre_authorized_app.authorized_app_id)

Here's what the above program does:

Creates an Azure AD application with the specified display name and a specified owner (you'll need to replace <user_object_id> with the actual owner's object ID).
Creates a service principal for the application we just created, which allows it to authenticate with Azure and receive tokens.
Pre-authorizes another application with a list of permissions against our initial application (again, you need to replace the placeholders with the actual application and permissions IDs).

After running this Pulumi program and successfully creating these resources, your application will be integrated with Azure AD and use Single Sign-On with pre-authorized permissions.

To apply this code, make sure you have the Pulumi CLI installed, and you have an Azure account configured with the necessary permissions to create these resources. Adjust the placeholders to match your real Azure AD details. Then, run pulumi up to deploy the infrastructure.

Remember that you need to securely handle your Azure credentials and only share them with authorized personnel within your organization. Additionally, managing permissions in Azure AD requires proper understanding and alignment with your company's security and compliance policies.