How to configure Shared Credentials for web applications in Azure AD

At many companies I still see SaaS/web applications being used with a single account whose credentials are shared among multiple people in the organization. An example: the marketing department uses several social media channels such as Twitter, Facebook, Instagram and LinkedIn, and everyone in the marketing department knows the login credentials of these accounts.

Security-wise this is not the best way to do it. What happens, for example, if one of these people gets fired or leaves the company? The shared password would have to be changed and handed out again to everyone else, and in practice that rarely happens.

If you are using Azure AD in your environment there is a better way to arrange this. You can use “Shared Credentials”, a.k.a. “Password Vaulting”. With Shared Credentials, the user logs in to the application with his or her own (Azure) AD account; in the background, the real credentials of the shared account are used for the authentication, without the user knowing them.

In this blog post I will show you how easy it is to configure “Shared Credentials” / “Password Vaulting”. In the following example I will publish the Twitter web application. I have already created a Marketing security group to publish the application to the correct users.

For the next steps, login to the Microsoft Azure Portal.

Navigate to Azure AD > Enterprise applications and click the + New application button.

In the Add from the gallery window, search for Twitter and click the Add button.

Click Configure single sign-on (required).

Click Password-based.

Keep the Sign-on URL at its default value and click Save.

Click Users and groups and click the + Add user button.

Select the correct group; in this case it is the Marketing group.

Click Assign Credentials, set the Assign credentials to be shared among all group members? option to Yes and fill in the username and password of the Twitter account. Click OK and then Assign.
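The same configuration can be scripted. The following is an added example using Microsoft Graph PowerShell, not something from the original post: it instantiates the Twitter gallery app, switches it to password-based sign-on, assigns the Marketing group and vaults one credential set for the whole group. The group name “Marketing”, the Twitter username and the field IDs `param_emailOrUsername` / `param_password` are assumptions (the field IDs are taken from the Graph documentation sample; the real ones for an app are listed in the service principal's `passwordSingleSignOnSettings.fields`, so check them before running this against your tenant).

```powershell
# Added example (not from the original post): configure Azure AD password-based SSO
# ("Shared Credentials") for a gallery app via Microsoft Graph PowerShell.
# Assumes: the Microsoft.Graph module is installed, a group named "Marketing" exists,
# and the Twitter template uses the field IDs param_emailOrUsername / param_password.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Group.Read.All'

$groupName   = 'Marketing'                     # assumed group name
$appTemplate = 'Twitter'                       # gallery template display name
$sharedUser  = 'marketing@contoso.com'         # assumed username of the shared Twitter account
$sharedPwd   = Read-Host -Prompt "Password for $sharedUser" -AsSecureString

# 1. "Add from the gallery": find the template and instantiate it.
$template = Get-MgApplicationTemplate -Filter "displayName eq '$appTemplate'" | Select-Object -First 1
if (-not $template) { throw "No gallery template named '$appTemplate'" }
$inst = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/applicationTemplates/$($template.Id)/instantiate" `
    -Body @{ displayName = $appTemplate }
$spId = $inst.servicePrincipal.id
Start-Sleep -Seconds 20                        # give the new service principal time to replicate

# 2. "Configure single sign-on" -> Password-based.
Update-MgServicePrincipal -ServicePrincipalId $spId -PreferredSingleSignOnMode 'password'

# 3. "Users and groups" -> assign the Marketing group.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) { throw "No group named '$groupName'" }
$sp     = Get-MgServicePrincipal -ServicePrincipalId $spId
$roleId = ($sp.AppRoles | Where-Object { $_.DisplayName -eq 'User' } | Select-Object -First 1).Id
if (-not $roleId) { $roleId = '00000000-0000-0000-0000-000000000000' }   # default access, no app role
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $spId -PrincipalId $group.Id `
    -ResourceId $spId -AppRoleId $roleId | Out-Null

# 4. "Assign Credentials" shared among all group members: bind the credential set to the group id.
$plain = [System.Net.NetworkCredential]::new('', $sharedPwd).Password
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/createPasswordSingleSignOnCredentials" `
    -Body @{
        id          = $group.Id
        credentials = @(
            @{ fieldId = 'param_emailOrUsername'; value = $sharedUser; type = 'username' }
            @{ fieldId = 'param_password';        value = $plain;      type = 'password' }
        )
    } | Out-Null
$plain = $null                                 # do not keep the clear-text password around

# Verify: read back the vaulted credential set for the group (password values are not returned).
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/getPasswordSingleSignOnCredentials" `
    -Body @{ id = $group.Id }
```

Because the credential set is bound to the group's object ID rather than to individual users, rotating the Twitter password later is a single `updatePasswordSingleSignOnCredentials` call for the group, and removing a user from the Marketing group (or disabling the account) is all that is needed to revoke access.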

Go to the My Apps portal and log in with a user that is a member of the Marketing group. As you can see, Twitter is now available as an application. Open the application.

As you can see, the user can start the Twitter application with single sign-on using his or her own (Azure) AD credentials. In the background, the user has been logged in with the Twitter account credentials, without knowing the credentials themselves. So when the user leaves the company and his or her account is disabled, this user no longer has access to the Twitter account.

One caveat: this hides the credentials from the user, but it does not make them unrecoverable. The My Apps browser extension fills the real username and password into the application's login form, so a user with browser developer tools or a local proxy can still capture them. Rotating the vaulted password when someone leaves is therefore still good practice; the difference is that it now only has to be changed in one place, in Azure AD, instead of being handed out to every team member again.

5 comments

  • Thanks for this blog post. This made me think about using this mechanism for various other Azure tenants (where we can’t add each user but need to have a shared account). Do you have an idea if one can use this for Azure (with MFA) itself as well?

  • Hi. I've checked it with Booking.com and also LinkedIn and in my environment both sites, Booking and LinkedIn, ask me for a username and password.
    I've configured SSO on the enterprise application and set the user permissions with the on-behalf users.
    What have I forgotten?

    • Hi Norbert, did you follow the exact steps as described in this blog? So, adding the SaaS applications and configuring SSO? Perhaps something is wrong with the Login URL?

      • Yes, it works with linkedin now, but with booking.com i get a password request. 😐

About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.
