
What is the Azure AD or Entra ID app gallery and why should you care?

The Microsoft Entra ID app gallery is a collection of thousands of apps pre-integrated with the Microsoft Identity stack. Learn how this gallery can help, and when it's not the right choice.


Note: Azure Active Directory (Azure AD) was renamed to Microsoft Entra ID in 2023. Both names refer to the same service.

The Microsoft Entra ID Application Gallery is a collection of thousands of enterprise applications pre-integrated with the Microsoft Identity stack.

The gallery acts as both a marketplace and a distribution channel. Publishing an application in the gallery increases visibility and simplifies enterprise adoption, but requires using Microsoft’s identity architecture and patterns.

The gallery can simplify certain scenarios, such as deploying multiple pre-configured applications behind a central Microsoft Entra sign-in experience. The gallery can also increase the overall complexity of your solutions, even if it improves their usability.

This article provides a high-level overview of the Microsoft Entra app gallery:

  1. First, we’ll explore which personas use and benefit from the gallery
  2. Next, we’ll look at which auth protocols the gallery supports
  3. We’ll consider a real-world example: provisioning AWS users via Microsoft Entra and SCIM
  4. Finally, we’ll help you determine if the Azure AD / Entra ID gallery is a good fit for your needs

Who uses the Entra ID app gallery?

Enterprise IT and Security teams

A Microsoft Entra admin with Cloud Application Administrator privileges can deploy gallery applications across their organization via the Microsoft Entra admin center.

This admin center requires an Azure subscription and is typically set up by an organization’s Global Administrator during their initial Azure/Microsoft 365 deployment. Organizations can manage multiple tenants through this single interface, with role-based access control determining what each administrator can configure.

Security teams use the gallery to enforce consistent authentication policies - such as requiring multi-factor authentication for all finance applications.

Software Vendors

SaaS providers can reach enterprise customers by publishing their applications in the gallery.

For instance, a vendor offering a project management tool can implement SAML-based SSO through the gallery, allowing customers to use existing Microsoft Entra credentials without additional configuration.

Independent Developers

Developers with Cloud Application Developer permissions can integrate custom applications with enterprise identity systems through the gallery.

A developer building an expense management system could leverage Microsoft Entra ID for authentication and automatically sync user data with their customer’s HR systems.

Some independent developers make money by joining the Microsoft Developer Program and publishing applications on the Azure AD / Entra ID app gallery, especially those requiring complex identity flows. In some cases, building and maintaining applications with enterprise identity flows can be lucrative for small shops and independent developers.

Example: Provisioning AWS Users via Microsoft Entra and SCIM

Let’s start with a common scenario: an enterprise uses Microsoft Entra ID to manage AWS access for its developers.

When new developers onboard, they should automatically receive a new AWS IAM user that is placed in the correct IAM groups. They also need federated single sign-on and IAM access keys provisioned.

Initial Microsoft Entra ID Configuration

When an organization is ready to introduce automated user provisioning, their administrator will add AWS Single Sign-on from the gallery, and configure SAML federation.

Next, they’ll configure the SCIM endpoint using AWS credentials, so that Microsoft Entra can communicate new, changed, and de-provisioned users to AWS. The admin will also configure attribute mapping between the two systems.

How Entra manages AWS IAM resources

Microsoft Entra maps groups to IAM roles, provisions IAM users via SCIM, and manages access keys. Federation enables SSO to the AWS Console.

This way, the developer automatically gets the tools they need to do their jobs, and their AWS IAM Access Keys and associated IAM users will be deleted when they leave the company.

The result: new users are automatically provisioned in AWS

When a new cloud engineer joins, Microsoft Entra ID creates IAM users, assigns roles based on groups, provisions access keys, and enables AWS Console SSO and AWS CLI access.

This example shows how the Entra app gallery can be deployed as part of a multi-cloud architecture. It also highlights the inherent complexity in configuring Single Sign-on with the Entra app gallery, as demonstrated by the complete official tutorial.
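The provisioning side of this scenario is the SCIM endpoint that Entra calls. As an added example (this code is not from the original post, from Microsoft, or from AWS), here is a minimal in-memory SCIM 2.0 /Users handler of the kind a provisioning client such as Microsoft Entra talks to during onboarding and offboarding. It assumes a generic SCIM server rather than AWS's; the request bodies are constructed, and it accepts `active` both as a boolean and as the string form so the deprovisioning PATCH is honoured either way.

```javascript
// Added example, not from the original post: an in-memory SCIM 2.0 /Users
// handler covering the three calls that matter for joiner/leaver flows:
// lookup by userName filter, create, and PATCH active=false (deprovision).
// All request bodies used here are constructed for illustration.

const USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User";
const LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse";
const PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp";
const ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error";

// Parse the only filter shape this server supports: attribute eq "value".
function parseEqFilter(filter) {
  const m = /^(\w+)\s+eq\s+"([^"]*)"$/i.exec(filter || "");
  return m ? { attr: m[1], value: m[2] } : null;
}

function scimError(status, detail) {
  return { status, body: { schemas: [ERROR_SCHEMA], status: String(status), detail } };
}

class ScimUserStore {
  constructor() {
    this.users = new Map(); // id -> SCIM user resource
    this.nextId = 1;
  }

  // GET /Users?filter=userName eq "alice@example.com"
  list(filter) {
    const f = parseEqFilter(filter);
    if (filter && !f) return scimError(400, "unsupported filter");
    const resources = [...this.users.values()].filter(
      (u) => !f || String(u[f.attr]).toLowerCase() === f.value.toLowerCase()
    );
    return {
      status: 200,
      body: { schemas: [LIST_SCHEMA], totalResults: resources.length, Resources: resources },
    };
  }

  // POST /Users
  create(body) {
    if (!body || !Array.isArray(body.schemas) || !body.schemas.includes(USER_SCHEMA))
      return scimError(400, "missing User schema");
    if (typeof body.userName !== "string" || body.userName === "")
      return scimError(400, "userName is required");
    // userName is unique; a duplicate is a 409 Conflict (RFC 7644).
    for (const u of this.users.values())
      if (u.userName.toLowerCase() === body.userName.toLowerCase())
        return scimError(409, "userName already exists");
    const id = String(this.nextId++);
    const user = {
      schemas: [USER_SCHEMA],
      id,
      externalId: body.externalId,
      userName: body.userName,
      name: body.name || {},
      emails: body.emails || [],
      active: body.active !== false,
      meta: { resourceType: "User" },
    };
    this.users.set(id, user);
    return { status: 201, body: user };
  }

  // PATCH /Users/{id}: a provisioning client deprovisions by setting active=false.
  patch(id, body) {
    const user = this.users.get(id);
    if (!user) return scimError(404, "user not found");
    if (!body || !Array.isArray(body.schemas) || !body.schemas.includes(PATCH_SCHEMA))
      return scimError(400, "missing PatchOp schema");
    for (const op of body.Operations || []) {
      const opName = String(op.op).toLowerCase();
      if (opName !== "replace" && opName !== "add") return scimError(400, `unsupported op ${op.op}`);
      // Tolerate "active" arriving as a boolean or as the string "True"/"False",
      // and only allow the attributes a client is permitted to change.
      const value = op.path ? { [op.path]: op.value } : op.value;
      for (const [attr, raw] of Object.entries(value || {})) {
        if (attr === "active") user.active = raw === true || String(raw).toLowerCase() === "true";
        else if (attr === "userName" || attr === "name" || attr === "emails") user[attr] = raw;
        else return scimError(400, `attribute ${attr} is not patchable`);
      }
    }
    return { status: 200, body: user };
  }
}

// Authorization check used by the rest of the app: inactive means no access.
function hasAccess(store, userName) {
  const r = store.list(`userName eq "${userName}"`);
  return r.status === 200 && r.body.totalResults === 1 && r.body.Resources[0].active === true;
}

// Walk through onboarding, then the offboarding PATCH, and report access before/after.
function demo() {
  const store = new ScimUserStore();
  store.create({ schemas: [USER_SCHEMA], userName: "alice@example.com", externalId: "ext-1",
                 name: { givenName: "Alice", familyName: "Doe" } });
  const before = hasAccess(store, "alice@example.com");
  store.patch("1", { schemas: [PATCH_SCHEMA],
                     Operations: [{ op: "Replace", path: "active", value: "False" }] });
  const after = hasAccess(store, "alice@example.com");
  return { before, after };
}
```

The point of `hasAccess` is that the application's own authorization reads the same `active` flag the provisioning client writes, so the leaver's access ends when Entra sends the PATCH rather than when someone remembers to delete the record.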

The Entra ID app gallery’s supported auth protocols

SAML 2.0

When a user accesses a SAML-enabled application like Workday, Microsoft Entra ID handles the entire authentication flow. The admin (with Application Administrator privileges) configures this once by:

  1. Adding the Workday enterprise application from the gallery
  2. Uploading the SAML certificate provided by Workday
  3. Mapping Microsoft Entra user attributes to Workday fields
  4. Assigning users or groups to the application

From this point forward, new users provisioned in Entra ID will result in new user accounts in Workday, via SCIM. This flow is the same for any gallery application that supports SAML 2.0.

OpenID Connect

Alternatively, consider a legacy Node.js web application hosted on Azure App Service that needs enterprise authentication. In this case, developers can leverage the app gallery’s OpenID Connect (OIDC) support to create a streamlined sign-in experience. The developer registers their application in Microsoft Entra ID and receives:

  • Application (client) ID: Used to identify the app to Microsoft Entra ID
  • Directory (tenant) ID: Identifies the Microsoft Entra instance
  • Client secret: Secure key for server-side authentication

The application implements authentication using the MSAL Node library:

const msal = require("@azure/msal-node");

// Values issued at app registration (placeholders shown; load the secret from
// configuration rather than hard-coding it)
const config = {
    auth: {
        clientId: "your-client-id",
        authority: "https://login.microsoftonline.com/your-tenant-id",
        clientSecret: "your-client-secret"
    }
};
// A confidential client holds a secret, so this object only exists server-side
const confidentialClientApplication = new msal.ConfidentialClientApplication(config);

As a result, end users who try to log into the application will receive the standard Microsoft Entra consent workflow.

Password-based SSO

What can be done if your legacy application only supports password-based login, and there is neither time nor a developer familiar enough with the application to update it? For example, a legacy Java application running on-premises might only support form-based authentication. In this case, admins can still fold this application into the Entra experience by:

  1. Creating an application template in Microsoft Entra ID
  2. Capturing the application’s login form fields
  3. Storing encrypted credentials in Microsoft Entra ID’s credential store
  4. Configuring the password update policy

When users access the application, Microsoft Entra ID automatically fills the login form with the stored credentials.

Linked Authentication

Consider a scenario where a company’s customer portal has its own user database but also needs to support Microsoft Entra SSO. The application keeps its authentication system but adds Microsoft Entra ID as an identity provider:

  1. The admin registers the application in Microsoft Entra ID
  2. The admin implements OIDC federation
  3. The admin maps Microsoft Entra IDs to existing user accounts
  4. The admin/team maintains both authentication systems in parallel
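Step 3, mapping Microsoft Entra IDs to existing user accounts, is where linked authentication goes wrong most often. As an added example (not code from the original post), the block below shows one way to do the mapping in an app that keeps its own user table: links are keyed on the stable `tid`/`oid` pair from the validated ID token, an e-mail match alone never silently signs someone into an existing local account, and a changed e-mail on the Entra side still resolves to the same local user. The claim sets and user records are constructed; `resolve()` is assumed to run only after the token has already been validated.

```javascript
// Added example, not from the original post: linking validated Entra ID token
// claims to an application's own user accounts. All data here is constructed.

// The stable identity of an Entra user is the (tid, oid) pair, not the e-mail.
function stableKey(claims) {
  if (typeof claims.tid !== "string" || !claims.tid || typeof claims.oid !== "string" || !claims.oid)
    throw new Error("claims lack tid/oid");
  return `${claims.tid}:${claims.oid}`;
}

class AccountLinker {
  constructor() {
    this.usersById = new Map(); // local user id -> { id, email }
    this.links = new Map();     // "tid:oid" -> local user id
    this.nextId = 1;
  }

  addLocalUser(email) {
    const id = String(this.nextId++);
    this.usersById.set(id, { id, email: email.toLowerCase() });
    return id;
  }

  findByEmail(email) {
    for (const u of this.usersById.values()) if (u.email === email.toLowerCase()) return u;
    return null;
  }

  // Explicit link, to be called only after the local user has proved ownership
  // of the local account (e.g. by logging in with their existing password).
  link(localUserId, claims) {
    if (!this.usersById.has(localUserId)) return { ok: false, reason: "no such local user" };
    const key = stableKey(claims);
    const current = this.links.get(key);
    if (current && current !== localUserId) return { ok: false, reason: "identity already linked elsewhere" };
    this.links.set(key, localUserId);
    return { ok: true };
  }

  // Decide what to do with a validated claim set.
  //   signed_in:   an existing link matched on tid:oid
  //   needs_link:  a local account with this e-mail exists but is not linked yet;
  //                the user must prove ownership before it is used
  //   provisioned: no local account; created one (only if autoProvision is on)
  //   denied:      nothing matched and auto-provisioning is off
  resolve(claims, { autoProvision = false } = {}) {
    const key = stableKey(claims);
    const linkedId = this.links.get(key);
    if (linkedId) return { action: "signed_in", userId: linkedId };
    const email = claims.preferred_username || claims.email || null;
    const local = email ? this.findByEmail(email) : null;
    if (local) return { action: "needs_link", userId: local.id };
    if (!autoProvision || !email) return { action: "denied" };
    const id = this.addLocalUser(email);
    this.links.set(key, id);
    return { action: "provisioned", userId: id };
  }
}

// Walk through first login, explicit link, renamed e-mail, same e-mail from
// another tenant, and a brand-new user with auto-provisioning enabled.
function demo() {
  const linker = new AccountLinker();
  const aliceId = linker.addLocalUser("alice@example.com");
  const alice = { tid: "tenant-a", oid: "oid-1", preferred_username: "alice@example.com" };
  const first = linker.resolve(alice).action;
  linker.link(aliceId, alice); // assumed: Alice authenticated locally first
  const second = linker.resolve(alice).action;
  const renamed = linker.resolve({ ...alice, preferred_username: "alice.smith@example.com" }).action;
  const sameEmailOtherTenant = linker.resolve(
    { tid: "tenant-b", oid: "oid-9", preferred_username: "alice@example.com" }).action;
  const newcomer = linker.resolve(
    { tid: "tenant-a", oid: "oid-2", preferred_username: "bob@example.com" }, { autoProvision: true }).action;
  return { first, second, renamed, sameEmailOtherTenant, newcomer };
}
```

The `needs_link` outcome is the important one: a token from any tenant can carry any `preferred_username`, so an e-mail match is a hint to start a linking flow, not proof that the token holder owns the local account. Step 4, maintaining both systems in parallel, then reduces to keeping the `links` table in step with local account deletions.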

Should you use the Entra app gallery?

The app gallery makes sense for organizations heavily invested in Microsoft 365 or with strong requirements around centralized identity management and automated provisioning.

It's valuable for enforcing consistent security policies across many applications or automating employee onboarding/offboarding at scale. However, smaller organizations with few applications or those requiring highly customized identity workflows may find the configuration overhead outweighs the benefits.

Similarly, if your organization primarily uses non-Microsoft identity providers or requires specialized compliance controls not supported by Microsoft Entra ID, you might need to explore alternative solutions.

If you’re looking for enterprise-grade security features that are simpler to configure and already used by thousands of companies you recognize in production, try WorkOS today.
