Admin By Request SSO (Single Sign On)
Introduction
A guide to setting up Enterprise applications for Admin By Request SSO (Single Sign On).
Procedure
There are two methods that can be used to set up Admin By Request SSO in Entra ID, depending on whether or not users are allowed to grant consent to applications that might request access to data:
A. Users are permitted to grant consent
B. Users are not permitted to grant consent
Further, for the more complex case B, there are three tasks that must be done:
- Modify Admin consent settings
- Elevate program as normal user
- Approve request as authorized approver
The methods and tasks are illustrated in the following chart:
The first method requires that a user be allowed to grant consent to apps in Azure AD, as indicated in the screenshot below.
The first time Admin By Request requires SSO from an endpoint, a Microsoft Permissions requested dialog appears:
The second method is more complex and is needed when users are not permitted to grant consent to apps in Azure AD, as indicated in the screenshot below:
In this case, the following tasks must be completed:
- Modify Admin consent settings:
  - Admin consent settings must be modified so that users can request admin consent to apps they are normally unable to consent to:
  - Determine which Users, Groups and/or Roles will be permitted to approve consent requests. To ensure approval requests are handled efficiently, those able to review requests for approval for a given application should be specified at this point.
- Approve the request as an authorized approver:
  - Once the first approval request is made, go to your AAD tenant > Enterprise Applications | Admin consent requests > All (Preview) as one of the Users/Groups/Roles specified earlier. The following shows one request in the list:
  - For the request shown, click Admin By Request SSO to open it.
  - Finally, click Accept to approve it:
Once accepted, all users can run the application.
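The following is an added example, not part of the Admin By Request documentation: a Python check that reads the two Microsoft Graph policy documents behind the settings described above and reports which of the two methods applies and, for the second, whether consent requests are enabled and have reviewers. The sample documents are constructed, the function names are hypothetical, and the reviewer query prefixes are assumed from the Graph `adminConsentRequestPolicy` resource.

```python
# Added example. Sample documents are constructed, not from a real tenant.
AUTHZ_POLICY = {  # shape of GET /policies/authorizationPolicy
    "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [
        "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team",
    ]},
}
CONSENT_REQUEST_POLICY = {  # shape of GET /policies/adminConsentRequestPolicy
    "isEnabled": True,
    "reviewers": [
        {"queryType": "MicrosoftGraph",
         "query": "/users/00000000-0000-0000-0000-000000000001"},
        {"queryType": "MicrosoftGraph",
         "query": "/groups/00000000-0000-0000-0000-000000000002/transitiveMembers/microsoft.graph.user"},
    ],
}

def users_can_consent(authz):
    """True if a user-consent grant policy is assigned to the default user role."""
    assigned = (authz.get("defaultUserRolePermissions") or {}).get(
        "permissionGrantPoliciesAssigned") or []
    # Only ManagePermissionGrantsForSelf.* entries govern end-user consent;
    # ManagePermissionGrantsForOwnedResource.* entries cover group owners.
    return any(p.startswith("ManagePermissionGrantsForSelf.") for p in assigned)

def reviewer_kinds(policy):
    """Count reviewers by kind, judged from the prefix of each query path (assumed)."""
    prefixes = {"users": "/users/", "groups": "/groups/", "roles": "/roleAssignments"}
    counts = dict.fromkeys(prefixes, 0)
    for reviewer in policy.get("reviewers") or []:
        for kind, prefix in prefixes.items():
            if reviewer.get("query", "").startswith(prefix):
                counts[kind] += 1
    return counts

def assess(authz, policy):
    """Pick the setup method and list what still blocks the second one."""
    if users_can_consent(authz):
        return {"method": "first", "issues": []}
    issues = []
    if not policy.get("isEnabled"):
        issues.append("admin consent requests are disabled")
    if sum(reviewer_kinds(policy).values()) == 0:
        issues.append("no reviewers are configured")
    return {"method": "second", "issues": issues}

if __name__ == "__main__":
    print(assess(AUTHZ_POLICY, CONSENT_REQUEST_POLICY))
```

A tenant that assigns a restricted user-consent policy can still block consent for a particular app, so a "first" result means user consent is enabled at all, not that every app qualifies.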