Enterprise Apps: SSO, App Proxy & Integration
Plan and implement enterprise application settings, single sign-on, Application Proxy for on-premises apps, and SaaS integration in Microsoft Entra ID.
What are enterprise applications?
Enterprise applications are like the approved apps on your company phone.
Your company has a managed app store. When IT approves Salesforce, Zoom, or ServiceNow, those apps appear in the store. Employees can launch them with one tap — no separate login needed. IT controls who gets which apps, what permissions those apps have, and can revoke access instantly.
In Entra ID, the “Enterprise applications” blade is that managed app store. Every SaaS app, on-premises app, or custom app that your organisation trusts shows up here as a service principal.
Enterprise application settings
Tenant-level settings
These apply across all enterprise applications in your tenant:
| Setting | Location | What It Controls |
|---|---|---|
| User consent settings | Entra admin center → Enterprise apps → Consent and permissions | Whether users can consent to apps accessing company data |
| Admin consent workflow | Same as above → Admin consent settings | Enables a request/approval flow for apps that need admin consent |
| User settings | Entra admin center → Enterprise apps → User settings | Whether users can add gallery apps to My Apps, and whether Office 365 apps are shown only in the Office 365 portal |
| App registration restrictions | Entra admin center → Users → User settings | Whether non-admins can register applications (create app registrations) of their own |
App-level settings
Each enterprise application has its own configuration:
| Setting | What It Controls |
|---|---|
| Properties | Name, logo, homepage URL, whether users can sign in, whether assignment is required |
| Users and groups | Who can access this specific application |
| Single sign-on | SSO method — SAML, OIDC, password-based, linked, or disabled |
| Provisioning | Automatic user/group sync to the SaaS app (SCIM) |
| Conditional Access | Policies targeting this specific app |
| Permissions | API permissions the app has been granted |
Exam tip: Assignment required
The “Assignment required?” toggle (Properties → Assignment required) is critical for the exam. When set to Yes, only users and groups explicitly assigned under Users and groups can sign in to the app; an unassigned user is refused at the token step, not merely left without a tile in My Apps. When set to No, any authenticated user in the tenant can sign in to it, whether or not it is visible in My Apps. For security-sensitive apps, always set this to Yes and assign specific users or groups; with SCIM provisioning, this is also what keeps the provisioning scope to assigned users and groups.
Roles for managing enterprise apps
Not every admin needs Global Administrator to manage apps. The principle of least privilege applies:
| Role | What It Can Do |
|---|---|
| Application Administrator | Full management of all enterprise apps and app registrations (create, configure SSO, assign users, manage permissions, manage Application Proxy) |
| Cloud Application Administrator | Same as Application Administrator, except cannot manage Application Proxy connectors or settings |
| Application Developer | Can only create app registrations — cannot manage enterprise apps |
| Global Administrator | Everything (but don’t use this for day-to-day app management) |
| Feature | Application Administrator | Cloud Application Administrator |
|---|---|---|
| Manage enterprise apps | ✓ | ✓ |
| Manage app registrations | ✓ | ✓ |
| Configure SSO | ✓ | ✓ |
| Assign users/groups to apps | ✓ | ✓ |
| Manage user/admin consent | ✓ | ✓ |
| Manage Application Proxy | ✓ | ✗ |
| Create/manage connector groups | ✓ | ✗ |
| When to use | Any app management, especially with App Proxy | Cloud-only app management (no on-prem integration) |
Exam tip: Application Admin vs Cloud Application Admin
The exam loves to test the difference. Application Administrator can manage Application Proxy connectors and settings. Cloud Application Administrator cannot. If a question involves App Proxy, the answer is Application Administrator (or Global Admin). For everything else, either role works.
Single sign-on (SSO) methods
SSO lets users sign in once to Entra ID and access all their assigned apps without re-entering credentials.
| SSO Method | How It Works | Best For |
|---|---|---|
| SAML | Token-based, industry standard. Entra ID sends a SAML assertion to the app. | Enterprise SaaS apps (Salesforce, ServiceNow, SAP) |
| OpenID Connect (OIDC) | Modern token-based protocol built on OAuth 2.0 | Modern web apps, SPAs, APIs |
| Password-based | Entra ID stores the username/password (encrypted) and the My Apps Secure Sign-in browser extension fills the app’s login form | Legacy apps without SAML/OIDC support |
| Linked | Just a link in My Apps — no SSO, redirects to external URL | Quick-access bookmarks |
| Disabled | No SSO configured | Apps that handle their own auth |
Scenario: Ravi integrates Salesforce SSO
💻 Ravi Patel at NovaTech Solutions needs to set up Salesforce for the sales team (40 users):
- Add Salesforce from the gallery: Entra admin center → Enterprise applications → New application → search “Salesforce” → Add
- Configure SAML SSO: Enterprise app → Single sign-on → Select SAML → Configure:
  - Identifier (Entity ID): https://novatech.my.salesforce.com
  - Reply URL (Assertion Consumer Service URL): https://novatech.my.salesforce.com?so=... (copy the exact value Salesforce shows in its SSO settings; Entra ID will only post the SAML response to this URL)
  - Sign-on URL: https://novatech.my.salesforce.com
- Download the SAML signing certificate (Base64) or the federation metadata XML from the Entra ID SSO blade and upload it to Salesforce’s Single Sign-On settings, so Salesforce can verify the assertion signature
- Assign users: Enterprise app → Users and groups → Add the “Sales Team” security group
- Set “Assignment required” to Yes — only the sales team can access it
- Test: Click “Test this application” in the SSO blade
Result: Sales team members click the Salesforce icon in My Apps and are signed in automatically via SAML. No separate Salesforce password to manage.
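The same steps can be scripted with the Microsoft Graph PowerShell SDK. The block below is an added example written for this page, not code from the original, and it covers both the Salesforce scenario above and the “Assignment required” exam tip: it adds the gallery app, sets the SAML identifiers, mints the signing certificate, enforces assignment for the “Sales Team” group, and then audits the tenant for enterprise apps still open to everyone. Assumptions: the Microsoft.Graph module is installed, you hold Application Administrator, a security group named “Sales Team” exists, and the Reply URL is pasted in from Salesforce (the page shows it truncated).

```powershell
# Added example (not from the page): Graph PowerShell version of Ravi's Salesforce steps.
# Assumptions: Microsoft.Graph SDK installed; Application Administrator role; a group named
# 'Sales Team' exists; the Reply URL is the exact ACS URL shown in Salesforce's SSO settings.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Group.Read.All'

# 1. Add Salesforce from the gallery (creates the app registration + service principal pair)
$template = Get-MgApplicationTemplate -Filter "displayName eq 'Salesforce'" | Select-Object -First 1
$inst     = Invoke-MgInstantiateApplicationTemplate -ApplicationTemplateId $template.Id -DisplayName 'Salesforce'
$appId    = $inst.Application.Id
$spId     = $inst.ServicePrincipal.Id

# 2. SAML settings: Entity ID and Reply URL live on the application object,
#    the SSO mode and Sign-on URL on the service principal
$entityId = 'https://novatech.my.salesforce.com'
$replyUrl = '<paste the ACS URL from Salesforce SSO settings>'   # page shows it truncated as ...?so=...
Update-MgApplication -ApplicationId $appId -IdentifierUris @($entityId) -Web @{ RedirectUris = @($replyUrl) }
Update-MgServicePrincipal -ServicePrincipalId $spId -PreferredSingleSignOnMode 'saml' -LoginUrl $entityId

# 3. Mint the SAML signing certificate in Entra ID; the public half is what Salesforce needs
$cert = Add-MgServicePrincipalTokenSigningCertificate -ServicePrincipalId $spId `
            -DisplayName 'CN=NovaTech Salesforce SAML' -EndDateTime (Get-Date).AddYears(2)
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($cert.Key, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----"
Set-Content -Path .\salesforce-idp.cer -Value $pem   # upload this in Salesforce's SSO settings

# 4. Assignment required = Yes, then assign only the Sales Team group
Update-MgServicePrincipal -ServicePrincipalId $spId -AppRoleAssignmentRequired:$true
$sp    = Get-MgServicePrincipal -ServicePrincipalId $spId
$group = Get-MgGroup -Filter "displayName eq 'Sales Team'" | Select-Object -First 1
# Gallery SAML apps usually expose a 'User' app role; fall back to the default (all-zero) role if none
$role   = $sp.AppRoles | Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains 'User' } | Select-Object -First 1
$roleId = if ($role) { $role.Id } else { [Guid]::Empty }
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId -PrincipalId $group.Id `
    -ResourceId $spId -AppRoleId $roleId | Out-Null

# 5. Audit: which other enterprise apps are still open to every user in the tenant?
#    The tag filter is the one the Enterprise applications blade itself uses.
Get-MgServicePrincipal -All -Filter "tags/any(t:t eq 'WindowsAzureActiveDirectoryIntegratedApp')" |
    Where-Object { -not $_.AppRoleAssignmentRequired } |
    Select-Object DisplayName, AppId, PreferredSingleSignOnMode |
    Format-Table -AutoSize
```

Run step 5 on its own periodically; an app that was added with Assignment required = No and then had SAML configured is reachable by every account in the tenant, including guests, even if nobody has been “given” it in My Apps.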
SaaS application integration
Entra ID has a gallery of thousands of pre-integrated SaaS apps. Gallery apps come with:
- Pre-configured SSO settings (SAML or OIDC)
- Provisioning connectors (SCIM-based automatic user sync)
- Step-by-step configuration tutorials
Integration approaches:
| Approach | When to Use |
|---|---|
| Gallery app | App is in the Entra ID gallery — fastest setup, pre-configured |
| Non-gallery app | App supports SAML/OIDC but isn’t in the gallery — manual configuration |
| Application Proxy | On-premises web app that can’t be moved to the cloud |
| Custom app (OIDC) | You’re building your own app and want Entra ID as the identity provider |
Exam tip: Provisioning with SCIM
SCIM (System for Cross-domain Identity Management) is the protocol Entra ID uses to automatically create, update, and delete user accounts in SaaS apps. When the exam mentions “automatic provisioning” or “user lifecycle management for SaaS apps,” think SCIM. Not all gallery apps support provisioning — check the app’s documentation.
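Turning on provisioning is a sequence of Graph calls against the service principal’s `synchronization` resource, and the first call doubles as the “does this app support provisioning?” check. The block below is an added example for this page (not original content): it uses `Invoke-MgGraphRequest` rather than the wrapper cmdlets, so the request shapes match the Graph documentation. Assumptions: the Salesforce service principal from the scenario above exists, and `$tenantUrl` and `$secretToken` hold the SCIM endpoint and bearer token the SaaS vendor issued.

```powershell
# Added example (not from the page): enable SCIM provisioning for a gallery app via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK; $tenantUrl / $secretToken are the SCIM endpoint and token from the vendor.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Synchronization.ReadWrite.All'
$spId = (Get-MgServicePrincipal -Filter "displayName eq 'Salesforce'" | Select-Object -First 1).Id
$base = "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/synchronization"

# Not every gallery app supports provisioning: no template means no SCIM connector for this app
$templates = (Invoke-MgGraphRequest -Method GET -Uri "$base/templates").value
if (-not $templates) { throw 'This app has no provisioning template; automatic provisioning is not supported.' }
$templateId = $templates[0].id

# Create the provisioning job from the template
$job = Invoke-MgGraphRequest -Method POST -Uri "$base/jobs" -Body @{ templateId = $templateId }

# Store the SCIM endpoint and bearer token, then have Entra ID test them before anything is synced
$creds = @(
    @{ key = 'BaseAddress'; value = $tenantUrl },
    @{ key = 'SecretToken'; value = $secretToken }
)
Invoke-MgGraphRequest -Method PUT  -Uri "$base/secrets" -Body @{ value = $creds }
Invoke-MgGraphRequest -Method POST -Uri "$base/jobs/$($job.id)/validateCredentials" -Body @{ credentials = $creds }

# Start the job. With "Assignment required = Yes" and the default scope (assigned users and groups),
# only the users assigned to the enterprise app are created in the SaaS tenant.
Invoke-MgGraphRequest -Method POST -Uri "$base/jobs/$($job.id)/start"

# Later: check status (Active / Quarantine / NotRun) and the last cycle's counters
$status = (Invoke-MgGraphRequest -Method GET -Uri "$base/jobs/$($job.id)").status
$status.code
$status.lastExecution
```

A job that lands in `Quarantine` usually means the token expired or the SCIM endpoint started rejecting requests; the `validateCredentials` call is the quickest way to confirm which.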
Application Proxy — bring on-premises apps to the cloud
Application Proxy lets users access on-premises web applications through Entra ID, with SSO and Conditional Access — without a VPN.
How Application Proxy works
User (anywhere)
↓ HTTPS request to external URL
Microsoft Entra Application Proxy Service (cloud)
↓ Relays request securely
Application Proxy Connector (on-premises)
↓ Forwards to internal URL
On-premises web app (intranet)
Key components:
| Component | Where It Lives | What It Does |
|---|---|---|
| Application Proxy service | Microsoft cloud | Receives external requests, validates Entra ID tokens |
| Connector | On-premises server (Windows Server) | Maintains outbound connection to the cloud service, forwards requests to the internal app |
| Connector group | Logical grouping | Groups connectors for high availability and app segmentation |
| External URL | https://app-name-tenant.msappproxy.net or a verified custom domain | The URL users access from outside |
| Internal URL | https://intranet.meridianhealth.local | The actual on-premises app URL |
Key architecture points
- Connectors make outbound connections only — no inbound firewall ports needed (ports 80 and 443 outbound)
- Multiple connectors in a connector group provide high availability and load balancing
- Supports Kerberos Constrained Delegation (KCD) for SSO to on-premises apps using Windows Integrated Authentication
- Supports header-based authentication for legacy apps
- Works with Conditional Access — you can require MFA, compliant devices, or specific locations
Scenario: Priya deploys App Proxy for the intranet
🔐 Priya Sharma at Meridian Health needs to give remote clinicians access to an on-premises intranet portal (https://portal.meridianhealth.local) without a VPN.
Setup steps:
- Install the connector: Priya installs the Application Proxy connector on a Windows Server 2019 machine in the Meridian data centre. During setup the connector registers with Entra ID; she signs in with an account that holds the Application Administrator role.
- Create a connector group: She creates a “Healthcare Portal” connector group and adds two connectors for high availability.
- Publish the app:
  - Internal URL: https://portal.meridianhealth.local
  - External URL: https://portal-meridianhealth.msappproxy.net (she later maps this to https://portal.meridianhealth.com with a custom domain)
  - Pre-authentication: Microsoft Entra ID (users must authenticate before the request reaches the app; the alternative, Passthrough, forwards unauthenticated traffic straight to the intranet)
  - SSO method: Kerberos Constrained Delegation (the intranet uses Windows Integrated Authentication)
- Assign users: Only the “Clinical Staff” group is assigned to the enterprise app.
- Apply Conditional Access: Priya creates a CA policy requiring MFA and a compliant device for this app.
Result: Remote clinicians open https://portal.meridianhealth.com, authenticate with Entra ID + MFA, and are seamlessly signed into the intranet portal. No VPN. No inbound firewall holes. Full audit trail.
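Steps 3 to 5 of Priya’s setup can be driven from Microsoft Graph as well. The block below is an added example for this page, not original content: it creates the app from the non-gallery template, publishes it with Entra pre-authentication and KCD, routes it through the existing connector group, restricts it to “Clinical Staff”, and creates the MFA + compliant-device policy in report-only mode first. Assumptions: Application Proxy publishing settings are only exposed on the Graph beta endpoint; the “Healthcare Portal” connector group and “Clinical Staff” group already exist; the template ID is the custom-application template used in Microsoft’s Graph App Proxy walkthrough, which you should verify in your tenant.

```powershell
# Added example (not from the page): Priya's publish, assign and Conditional Access steps via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK; App Proxy settings live on the beta endpoint; the connector group and
# Clinical Staff group exist; the template ID is the custom-app template from Microsoft's walkthrough (verify).
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Directory.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All'
$beta = 'https://graph.microsoft.com/beta'

# 1. Create the app + service principal from the non-gallery (custom) template
$inst        = Invoke-MgInstantiateApplicationTemplate -ApplicationTemplateId '8adf8e6e-67b2-4cf2-a259-e3dc5476c621' `
                   -DisplayName 'Meridian Intranet Portal'
$appObjId    = $inst.Application.Id
$appClientId = $inst.Application.AppId
$spId        = $inst.ServicePrincipal.Id

# 2. Publish: internal/external URL, Entra pre-authentication, KCD single sign-on
$publish = @{ onPremisesPublishing = @{
    internalUrl                  = 'https://portal.meridianhealth.local/'
    externalUrl                  = 'https://portal-meridianhealth.msappproxy.net/'
    externalAuthenticationType   = 'aadPreAuthentication'   # 'passthru' would forward unauthenticated traffic
    isTranslateHostHeaderEnabled = $true
    singleSignOnSettings = @{
        singleSignOnMode = 'kerberos'
        kerberosSignOnSettings = @{
            kerberosServicePrincipalName       = 'HTTP/portal.meridianhealth.local'
            kerberosSignOnMappingAttributeType = 'userPrincipalName'   # UPN in Entra must match UPN in AD
        }
    }
} }
Invoke-MgGraphRequest -Method PATCH -Uri "$beta/applications/$appObjId" -Body $publish

# 3. Route the app through the "Healthcare Portal" connector group
$cg = (Invoke-MgGraphRequest -Method GET -Uri "$beta/onPremisesPublishingProfiles/applicationProxy/connectorGroups").value |
      Where-Object { $_.name -eq 'Healthcare Portal' }
Invoke-MgGraphRequest -Method PUT -Uri "$beta/applications/$appObjId/connectorGroup/`$ref" `
    -Body @{ '@odata.id' = "$beta/onPremisesPublishingProfiles/applicationProxy/connectorGroups/$($cg.id)" }

# 4. Assignment required = Yes, assigned to Clinical Staff only
Update-MgServicePrincipal -ServicePrincipalId $spId -AppRoleAssignmentRequired:$true
$sp       = Get-MgServicePrincipal -ServicePrincipalId $spId
$clinical = Get-MgGroup -Filter "displayName eq 'Clinical Staff'" | Select-Object -First 1
$role     = $sp.AppRoles | Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains 'User' } | Select-Object -First 1
$roleId   = if ($role) { $role.Id } else { [Guid]::Empty }
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId -PrincipalId $clinical.Id `
    -ResourceId $spId -AppRoleId $roleId | Out-Null

# 5. Conditional Access: MFA AND compliant device, scoped to this app and group.
#    Created in report-only mode; switch state to 'enabled' once the sign-in logs look right.
$policy = @{
    displayName = 'Intranet portal: MFA + compliant device'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications = @{ includeApplications = @($appClientId) }   # CA targets the client (app) ID, not the object ID
        users        = @{ includeGroups = @($clinical.Id) }
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null
```

Two details worth checking in any script like this: the Conditional Access policy must reference the application (client) ID, not the application object ID, or it silently matches nothing; and `externalAuthenticationType` must stay `aadPreAuthentication`, since Passthrough removes the token check that makes the rest of the design meaningful.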
Exam tip: App Proxy connector requirements
The exam tests connector requirements:
- Windows Server (2016 or later, 2019+ recommended)
- Outbound HTTPS (443) to the Application Proxy service, plus outbound 80 for certificate revocation (CRL) checks, with TLS 1.2 enabled on the server — no inbound ports
- The connector server should not be a domain controller (recommended)
- Connectors auto-update through the Application Proxy service
- For KCD SSO, the connector server must be domain-joined and have delegation configured in AD
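The requirements above translate into a short pre-flight script for the server that will host a connector. The block below is an added example for this page, not original content: it checks the domain role, outbound reachability, TLS 1.2, the connector services once installed, and the AD delegation that KCD needs for Priya’s portal, and fixes the delegation if it is missing. Assumptions: it runs elevated on the candidate server, the RSAT ActiveDirectory module is present for the KCD part, the portal’s SPN `HTTP/portal.meridianhealth.local` is already registered on the account running the intranet app pool, and the two public hosts probed stand in for the wildcard endpoints the connector actually uses.

```powershell
# Added example (not from the page): pre-flight check for an Application Proxy connector host,
# plus the AD delegation KCD requires. Assumptions: run elevated; RSAT ActiveDirectory module installed;
# the portal's SPN is already registered; the probed hosts approximate the service's wildcard endpoints.
function Test-AppProxyConnectorHost {
    param([string]$TargetSpn = 'HTTP/portal.meridianhealth.local', [switch]$FixDelegation)
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Domain role: a member server (not a DC) that is domain-joined (required for KCD)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.DomainRole -ge 4) { $findings.Add('Server is a domain controller; use a member server') }
    if (-not $cs.PartOfDomain) { $findings.Add('Server is not domain-joined; KCD SSO will not work') }

    # 2. Outbound-only reachability: 443 to the service, 80 for CRL checks. Nothing inbound is needed.
    foreach ($t in @(@{ h = 'login.microsoftonline.com'; p = 443 }, @{ h = 'crl.microsoft.com'; p = 80 })) {
        if (-not (Test-NetConnection -ComputerName $t.h -Port $t.p -InformationLevel Quiet)) {
            $findings.Add("No outbound TCP $($t.p) to $($t.h)")
        }
    }

    # 3. TLS 1.2 for .NET (the connector is a .NET service)
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $v = (Get-ItemProperty -Path $k -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        if ($v -ne 1) { $findings.Add("SchUseStrongCrypto not set to 1 under $k (TLS 1.2 for .NET)") }
    }

    # 4. Connector + updater services, once the connector is installed
    foreach ($svc in 'WAPCSvc', 'WAPCUpdaterSvc') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s)                    { $findings.Add("$svc not present (connector not installed yet)") }
        elseif ($s.Status -ne 'Running') { $findings.Add("$svc is $($s.Status)") }
    }

    # 5. KCD: the connector's computer account must be allowed to delegate to the app's SPN,
    #    with protocol transition, because the user arrives with an Entra ID token, not a Kerberos ticket
    if ($cs.PartOfDomain) {
        Import-Module ActiveDirectory
        $me = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
        $hasSpn = $me.'msDS-AllowedToDelegateTo' -contains $TargetSpn
        if (-not $hasSpn) {
            $findings.Add("Delegation to $TargetSpn not configured")
            if ($FixDelegation) { Set-ADComputer -Identity $env:COMPUTERNAME -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn } }
        }
        if (-not $me.TrustedToAuthForDelegation) {
            $findings.Add('"Use any authentication protocol" (protocol transition) is off')
            if ($FixDelegation) { Set-ADComputer -Identity $env:COMPUTERNAME -TrustedToAuthForDelegation $true }
        }
    }
    return $findings
}

$result = Test-AppProxyConnectorHost -FixDelegation
if ($result.Count) { $result } else { 'All connector host checks passed' }
```

Keep the delegation constrained to the one SPN the connector must reach; granting unconstrained delegation to the connector host would let anyone who compromises it impersonate users against any service in the domain.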
🎬 Video walkthrough
Enterprise Apps & Application Proxy — SC-300 Module 17 (video coming soon, ~13 min)
Knowledge Check
Ravi needs to set up Salesforce SSO for 40 sales staff at NovaTech. He wants only the sales team to access it, with automatic user account creation in Salesforce when new team members join. What should Ravi configure?
Priya at Meridian Health needs to publish an on-premises intranet app for remote clinicians. The app uses Windows Integrated Authentication. She wants MFA before users reach the app and no inbound firewall changes. What should she implement?
Anika's client wants to delegate enterprise app management to a team lead without giving them Global Administrator. The client does NOT use Application Proxy. Which role should Anika assign?
Next up: Enterprise Apps: Users, Consent & Collections — how to assign users, manage consent workflows, and organise applications into collections.