Microsoft has released a preview of Self-Service Application Access in Azure Active Directory (AD), the Redmond, Wash., tech company's cloud-based user identity and access management platform.
In the wake of transformative shifts in end-user computing, like the bring-your-own-device (BYOD) movement and the consumerization of IT, enterprises are looking to self-service IT to deliver user-friendly, productivity-enhancing app experiences for their employees. Providing self-service capabilities also helps combat "shadow IT," the unsanctioned use of popular consumer apps like Dropbox or Evernote for work purposes, generally caused by the disconnect between users and IT teams.
The danger posed by shadow IT is that it can be used to circumvent an organization's content security, management and compliance efforts and potentially cause damaging leaks of sensitive or private data. Early last year, CA Technologies launched its own mobile-enabled self-service solution called CA Service Management to tackle the issue, in part.
Echoing some those themes, Alex Simons, director of program management for Microsoft Active Directory, announced a preview of Self-Service App Access for Azure AD.
Simons noted in his April 23 announcement that in many organizations, "the person who is best-informed to make access grant decisions probably doesn't work in the IT department." A team leader or delegated administrator may be tasked with that responsibility, but ultimately "it's the user who uses the app, and they generally have a pretty good idea about what apps they need to do their job," he argued.
Azure AD's new Self-Service Application Access features offer administrators control over how their users obtain new apps. When enabled, the Azure AD access panel displays a "Get more applications" tile for users. The toolset can also be used to configure approval policies and restrict access requests to certain apps.
"This capability is supported for all pre-integrated apps that support federated or password-based single sign-on in the Azure Active Directory app gallery, including apps like Salesforce, Dropbox, Google Apps, and more," said Simons.
Administrators can also specify who is authorized to approve requests for specific applications, allowing companies to keep tabs on their investments and ensure that the right tools are being used by the right people.
"An approver can be any user in the organization with an Azure AD account, and could be responsible for account provisioning, licensing, or any other business process your organization requires before granting access to an app," explained Simons in this blog post detailing the setup process. "The approver could even be the group owner of one or more shared account groups, and can assign the users to one of these groups to give them access via a shared accounts."
When a request is made, the system sends the approver an email to complete the process. Apps that don't need approval automatically appear in a user's Azure AD access panel, providing a consumer-like app marketplace experience.