At a lot of companies I still see SaaS/web applications being used with a single account whose credentials are shared by multiple people within the organization. An example: the marketing department uses several social media channels like Twitter, Facebook, Instagram and LinkedIn, and everyone in the marketing department has the login credentials for these accounts.
Security-wise this is not the best way to do it, because, for example, what happens if one of these people gets fired or leaves the company?
If you are using Azure AD in your environment there is a better way to arrange this. You can use “Shared Credentials”, a.k.a. “Password Vaulting”. With Shared Credentials, the user logs in to the application with his own (Azure) AD account; in the background, the real credentials are used for the authentication without the user knowing them.
In this blog I will show you how easy it is to configure “Shared Credentials” / “Password Vaulting”. In the following example I will publish the Twitter web application. I have already created a Marketing security group to publish the application to the correct users.
For the next steps, log in to the Microsoft Azure Portal.
Navigate to Azure AD > Enterprise applications and click the + New application button.
In the Add from the gallery window, search for Twitter and click the Add button.
Click Configure single sign-on (required).
Keep the Sign-on URL at its default and click Save.
Click Users and groups and click the + Add user button.
Select the correct group; in this case it is the Marketing group.
Click Assign Credentials, set the Assign credentials to be shared among all group members? option to Yes, and fill in the user credentials of the Twitter account. Click OK and then Assign.
Go to the MyApps portal and log in with a user who is a member of the Marketing group. As you can see, Twitter is now available as an application. Open the application.
As you can see, the user can start the Twitter application with single sign-on using his/her own (Azure) AD credentials. In the background, the user has been logged in with the Twitter account credentials, without knowing the credentials themselves. So now, when the user leaves the company and his account is disabled, this user no longer has access to the Twitter account.
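Because access to the vaulted Twitter credential now follows the app assignment, the thing worth reviewing periodically is who is effectively assigned. The following script is an added example, not part of the original post or of any Microsoft documentation; it assumes the Microsoft.Graph PowerShell module is installed, that the enterprise application is named "Twitter" as in the walkthrough, and that the signed-in admin can consent to the listed read scopes. It expands every group assigned to the app to its user members and flags accounts that are disabled but still assigned.

```powershell
# Added example: report who can reach a password-SSO enterprise app through
# its "Users and groups" assignments, and flag disabled accounts still assigned.
# Assumes the Microsoft.Graph module and an app display name of "Twitter".
Connect-MgGraph -Scopes "Application.Read.All", "Group.Read.All", "User.Read.All"

$appName = "Twitter"   # display name of the enterprise application (assumption)

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "Enterprise application '$appName' not found" }

# Every user or group assigned to the app (what the Users and groups blade shows)
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

$report = foreach ($a in $assignments) {
    if ($a.PrincipalType -eq 'Group') {
        # Expand the group: these people effectively hold the vaulted credential
        foreach ($m in Get-MgGroupMember -GroupId $a.PrincipalId -All) {
            if ($m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
                Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,AccountEnabled |
                    Select-Object UserPrincipalName, AccountEnabled,
                        @{ n = 'Via'; e = { $a.PrincipalDisplayName } }
            }
        }
    }
    elseif ($a.PrincipalType -eq 'User') {
        Get-MgUser -UserId $a.PrincipalId -Property Id,UserPrincipalName,AccountEnabled |
            Select-Object UserPrincipalName, AccountEnabled,
                @{ n = 'Via'; e = { 'direct' } }
    }
}

# Full picture of who can sign in to the app via SSO
$report | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Disabled accounts still assigned: sign-in is already blocked for them,
# but they are the entries to remove from the group during leaver clean-up.
$report | Where-Object { -not $_.AccountEnabled }
```

The report makes the point of the post visible: a leaver whose account is disabled still appears in the group until somebody removes the membership, but with AccountEnabled set to false, so the vaulted credential is no longer reachable through that account. Running this after each leaver process confirms that the Marketing group, and therefore the shared Twitter login, only contains active staff.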