In this guide we'll walk through authorizing an app as a Global Administrator and give background on how Enterprise Apps work with Azure AD, including some common security misconceptions. Once that's done, we'll get a service account authorized and connected to Robin, explaining the process in more technical depth than our standard guide.
If you’re grappling with “How do we allow people to sign into Robin with Microsoft 365 without allowing everyone to authenticate with any app on the internet?”, this explainer is for you.
Service Principal and Application Objects
When you authorize the Robin app for the first time, it registers a new Service Principal object in your Azure directory. This is your “install” of the Robin application, which you can manage directly. Robin maintains the Application object itself, which allows us to develop and maintain the application for all of our customers in one place.
You can think of the Service Principal as an installed copy of a piece of software, and the Application as the latest version available. If the Application changes (e.g. a permission is added or removed for a feature), you can choose to reauthorize the latest version to update the service principal. This is exceedingly rare, and not required to keep Robin running.
A diagram of this workflow from Microsoft:
Adding new applications in Microsoft 365
Microsoft outlines this requirement for Global Administrators and applications within Azure AD.
Only global administrators can:
- Add apps from the Azure AD app gallery (pre-integrated 3rd Party Apps)
- Publish an app using the Azure AD Application Proxy
When you first try to sign into Robin's application, you'll need to be a Global Administrator unless your tenant allows all users to register new applications (we don't recommend this).
During sign-up or sign-in, users are asked to grant the app permission to access their profile and other resources. The first person to consent causes a service principal representing the app to be added to the directory.
Once you’ve added the application to your directory, the Global Administrator role is no longer necessary to manage the settings.
Enabling “Users can consent to apps accessing company data on their behalf” will allow regular users assigned to the app to sign into existing service principals. It does not grant users the right to create new service principals (i.e. other applications you haven’t approved). Adding new applications is managed by the “Users can add gallery apps to their Access Panel” option instead, which can remain disabled.
Put another way, the first option does not give your users freedom to authorize any application they choose (only pre-approved ones) — the second option does.
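To check these settings on your own tenant, here is an added example (not code from Robin or Microsoft) using the Microsoft Graph PowerShell SDK; the service principal display name 'Robin' and the scopes requested are assumptions to adjust for your directory.

```powershell
# Added audit script (not Robin's or Microsoft's own code). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account can read policies and apps.
# The display-name filter 'Robin' is an assumption; use the name shown under
# Enterprise Applications in your tenant.
Connect-MgGraph -Scopes "Policy.Read.All", "Application.Read.All" -NoWelcome

# 1. Tenant-wide defaults that decide what ordinary (non-admin) users may do.
$policy = Get-MgPolicyAuthorizationPolicy
$perms  = $policy.DefaultUserRolePermissions

# "Users can register applications" creates *new* Application objects; keep it off.
"Users can register applications : $($perms.AllowedToCreateApps)"

# User consent setting. Empty = users cannot consent; the '...-legacy' policy = any app;
# the '...-low' policy = only low-risk permissions from verified publishers.
$consent = $perms.PermissionGrantPoliciesAssigned
"User consent policy             : $(if ($consent) { $consent -join ', ' } else { '(disabled)' })"

# 2. The service principal is your "install" of Robin; confirm it exists and whether
#    sign-in is limited to assigned users rather than open to the whole tenant.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Robin'"
if (-not $sp) { throw "No service principal named 'Robin' found; the app has not been consented to yet." }
"Service principal               : $($sp.DisplayName) ($($sp.Id))"
"Assignment required             : $($sp.AppRoleAssignmentRequired)"

# 3. Which delegated permissions were granted, and whether for all users or per user.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
    Select-Object ConsentType, Scope |
    Format-Table -AutoSize

# 4. Who is actually assigned to the app.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType |
    Format-Table -AutoSize
```

A ConsentType of AllPrincipals means an administrator consented for the whole tenant; Principal rows are individual user consents.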
References
- Who has permission to add applications to my Azure AD instance? (Global Admins and App Registration, Microsoft)
- https://docs.microsoft.com/en-us/azure/active-directory/application-access-assignment-how-to-add-assignment
- https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview
- https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes
- Manage your Azure Enterprise Apps (Azure Portal)
- https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-objects