Enterprise applications

This guide will lead you through a typical app authorisation procedure as a Global Administrator and provide an overview of how Enterprise Apps function with Azure AD, including prevalent security misconceptions. After that, we'll authorise a service account and establish a successful connection with UMA.

This explainer is for administrators who need to let users sign into UMA Vision with their Office 365 accounts while making sure that not everyone in the tenant can authenticate to any application on the internet.

Service principal and application objects

When you first authorise the UMA app, a new Service Principal object is created in your Azure AD tenant. This Service Principal represents your specific installation of the UMA app, and it is the object you manage directly (owners, user assignment, sign-in settings). The Application object for UMA lives in our own tenant and is maintained by us, which lets us update and maintain the application for all our clients in one place.

To better understand, consider the Service Principal as a specific version of the software that is installed, and the Application as the latest version available. In the event that the Application is updated, such as adding or removing features or permissions, you can choose to reauthorise the latest version to update the Service Principal as required. However, this is an extremely rare occurrence and not essential for running UMA.
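To make the distinction concrete, the following script (an added example, not part of the UMA documentation or UMA's own tooling) looks up both objects from your tenant with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed (`Install-Module Microsoft.Graph`), that `$AppId` is the vendor app's Application (client) ID as shown on the consent prompt or the Enterprise application's Overview blade, and that the signed-in account can read applications and directory objects. For a third-party app the Application lookup returns nothing, because that object only exists in the publisher's tenant; the Service Principal lookup shows your tenant's instance and exactly what has been consented to it.

```powershell
# Added example (not UMA's code): compare the Application object and the
# Service Principal for a multi-tenant app, read-only, via Microsoft Graph.
param(
    [Parameter(Mandatory = $true)]
    [string]$AppId   # assumed: the vendor app's Application (client) ID
)

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# 1. The Application object exists only in the tenant that registered the
#    app. For a vendor app this should return nothing.
$app = Get-MgApplication -Filter "appId eq '$AppId'"
if ($app) {
    Write-Host "Application object found in THIS tenant: $($app.DisplayName) ($($app.Id))"
    Write-Host "  -> the app is registered here, i.e. you own and publish it."
} else {
    Write-Host "No Application object for $AppId in this tenant (expected for a vendor app)."
}

# 2. The Service Principal is the per-tenant instance created on first consent.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    Write-Host "No Service Principal for $AppId: nobody in this tenant has consented yet."
    Disconnect-MgGraph | Out-Null
    return
}

Write-Host "Service Principal: $($sp.DisplayName) ($($sp.Id))"
Write-Host "  Owning tenant (AppOwnerOrganizationId): $($sp.AppOwnerOrganizationId)"
Write-Host "  Account enabled        : $($sp.AccountEnabled)"
Write-Host "  Assignment required    : $($sp.AppRoleAssignmentRequired)"

# 3. Delegated permissions (OAuth2 grants) consented for this instance.
#    ConsentType 'AllPrincipals' = an admin consented for the whole tenant;
#    'Principal' = one user consented for themselves (see PrincipalId).
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
foreach ($g in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    $who = if ($g.ConsentType -eq 'AllPrincipals') { 'tenant-wide (admin consent)' } else { "user $($g.PrincipalId)" }
    Write-Host "  Delegated on $($resource.DisplayName): '$($g.Scope.Trim())' consented $who"
}

# 4. Application permissions (app roles) held by this instance. These work
#    without a signed-in user, so they deserve the closest review.
$roles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
foreach ($r in $roles) {
    Write-Host "  App role $($r.AppRoleId) on $($r.ResourceDisplayName)"
}

Disconnect-MgGraph | Out-Null
```

Run it as `.\Inspect-VendorApp.ps1 -AppId <client id>`. If step 3 shows only `Principal` grants, individual users consented one by one and an administrator has not yet approved the app for the tenant; a single `AllPrincipals` grant means admin consent was given and users will no longer be prompted.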

Adding new applications in Office 365

Microsoft documents this requirement for Global Administrators and applications within Azure AD (in current Azure AD the Application Administrator and Cloud Application Administrator roles can also perform these tasks, so Global Administrator is not the least-privileged option):

Only global administrators can:

Add apps from the Azure AD app gallery (pre-integrated 3rd Party Apps)

Publish an app using the Azure AD Application Proxy

When you first try to sign into the UMA application, you'll need to be a Global Administrator (or hold another role that can grant tenant-wide admin consent), unless your tenant allows all users to consent to applications on their own behalf; we don't recommend allowing that.

During sign-up/sign-in, users are asked to give the app permission to access their profile and any other permissions it requests. The first person to give consent causes a service principal representing the app to be added to the directory.

Once you've added the application to your directory, the Global Administrator role is no longer necessary: day-to-day settings of the service principal can be managed by one of its owners or by a user holding a less privileged role such as Cloud Application Administrator.

The "Users can consent to apps accessing company data on their behalf" setting deserves care. When an administrator has already consented to UMA for the whole tenant, regular users assigned to the app can sign into the existing service principal without being prompted, and this setting is not needed for them. When no service principal exists yet, however, a user's consent is exactly what creates one (as described above), so leaving this setting enabled means any user can add any multi-tenant application to your directory by clicking "Accept". If the goal is that only approved applications appear in the tenant, keep user consent disabled (or restricted to verified publishers with low-impact permissions) and have an administrator grant admin consent for UMA instead. "Users can add gallery apps to their Access Panel" is a separate setting that controls self-service access to pre-integrated gallery apps, and it can remain disabled as well.
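Because the portal labels for these settings have changed over time, it helps to read them from the directory itself. The script below (an added example, not UMA's code) reads the tenant's authorization policy with Microsoft Graph PowerShell and reports who can bring new applications into the directory. It assumes the Graph SDK is installed and the signed-in account holds `Policy.Read.All`; the user-consent setting is stored as the permission-grant policies assigned to the default user role, and the two built-in policy IDs checked below are Microsoft's own identifiers for "allow consent for all apps" and "allow consent only for verified publishers, low-impact permissions". The optional lock-down at the end is commented out and needs `Policy.ReadWrite.Authorization`.

```powershell
# Added example (not UMA's code): audit the tenant settings that decide whether
# ordinary users can create new service principals by consenting to apps.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$policy = Get-MgPolicyAuthorizationPolicy
$perms  = $policy.DefaultUserRolePermissions

# "Users can register applications": creating App registrations in THIS tenant.
# Unrelated to consenting to a vendor's multi-tenant app, but worth knowing.
Write-Host "Users can register applications : $($perms.AllowedToCreateApps)"

# "Users can consent to apps accessing company data on their behalf".
# Encoded as permission-grant policies on the default user role:
#   (none)                                                      -> user consent disabled
#   ManagePermissionGrantsForSelf.microsoft-user-default-low    -> verified publishers, low-impact only
#   ManagePermissionGrantsForSelf.microsoft-user-default-legacy -> any app, any permission
$consentMode = 'disabled (an admin must consent before any new app gets a service principal)'
foreach ($p in $perms.PermissionGrantPoliciesAssigned) {
    if ($p -like '*microsoft-user-default-legacy') {
        $consentMode = 'any app, any permission (any user can create a service principal by consenting)'
    } elseif ($p -like '*microsoft-user-default-low') {
        $consentMode = 'verified publishers, low-impact permissions only'
    }
}
Write-Host "User consent mode               : $consentMode"

if ($consentMode -like 'any app*') {
    Write-Warning "Any user can consent to any multi-tenant app; one click adds a new service principal to this tenant."
}

# Optional lock-down (requires Policy.ReadWrite.Authorization): disable user
# consent entirely so only admin consent can add applications. Uncomment to apply.
# Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
#     PermissionGrantPoliciesAssigned = @()
# }

Disconnect-MgGraph | Out-Null
```

After disabling user consent, grant admin consent for UMA once (the "Grant admin consent" button on the Enterprise application's Permissions blade) so that assigned users can sign in without a prompt; any other application a user tries to add will be blocked at the consent step and surface as an admin consent request instead.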
