Azure AD Application Proxy – Publish Internal Applications Externally Secure, No Firewall Req.

  • Article

This has been an new feature that I have been meaning to post about for some time now, It recently went General Availability and is available to customers whom have Azure Active Directory Basic or Premium.

Microsoft Azure AD Application Proxy lets you publish applications, such as SharePoint sites, Outlook Web Access and IIS-based apps, inside your private network and provides secure access to users outside your network. Employees can log into your apps from home, on their own devices and authenticate through this cloud-based proxy.

I would recommend that you keep an eye on the AAD Application Proxy Blog where the Product Group will update the article accordingly with more announcements and updates as new features are rolled out.

AAD Application Proxy Blog – Source / Updates  

Single sign-on to backend applications using Kerberos Constrained Delegation (KCD)

Application Proxy can already preauthenticate users before they are granted access to the on-prem application. With the new capability it will also be able to authenticate users to the backend application, so no additional sign-ins are required from them. This allows a smooth and seamless access experience to on prem Integrated Windows Authentication (IWA) applications – users only need to enter their credentials on the cloud and they will be able to access all these on-prem applications without having to sign-on again to each one of them.

Admins can now add their on-prem SharePoint, Outlook Web Access, or any other Web application that supports Integrated Windows Authentication, to Azure Active Directory without changing them. There is no need to install anything on the applications servers. Just enable Kerberos Constrained Delegation (KCD) on the connector machine and you’re done.

Behind the scenes, the connector is using the Kerberos delegation capabilities to impersonate as the end-user toward the application. From the application point of view, this is just a regular user. The complexity is invisible for the applications and for the end-users that can use whatever device they want and still have single sign-on to these applications.

In the current release, the proxy assumes that the same user identity (UPN) exist both on-prem and on Azure Active Directory. In future releases we are going to address more complicated configurations.

Connectors are auto-update from the cloud

The first step to enable the application proxy is to install its connectors on machines that are connected to the corporate network. We view these connector not as a traditional box product but as an extensions of the cloud service that operates like a cloud service. The connectors are already stateless and pulling all their configuration and settings from the cloud service. We want to take this one step further by removing the need to update these connectors manually. The new Application Proxy connectors will constantly check to see if there is a new version and will apply the update gracefully with minimal down-time. If you are running more than one connector, the service will not be interrupted. In the future, the service will give you more control on the update policy and more visibility on the status of your connectors.

This is just the first step in a long journey we are taking to get to a zero on-prem maintenance for the connectors. Our long term goal is that once installed, you would never have to log into these machines. We will give you all the tools to control them from the cloud.

As a result of this change, we ask our existing customers to uninstall their existing connectors and to install the new connector version. The preview connectors (versions before 1.2) will stop working soon. This would be the last time you manually have to do this, from now on, we will update it automatically.

 

and before you jump in with questions….

 

We don’t stop here! Our team works full steam ahead on improving the service and adding more capabilities to make sure you can move your remote access to Azure Active Directory. We are going to carefully examine the service usage patterns to understand what you are trying to do and what is blocking you. We are already working on bunch of new capabilities that would be delivered in the near future. Here are some of them:

  1. Custom domains: publish applications with your own domain and SSL certificate so you can have external address like app1.contoso.com and not only app1-contoso.msappproxy.net.

  2. Path filtering: publish only part of the server using path. For example, allow access to sp.contoso.com/site1 and not to any other paths on the server.

  3. Office clients integration: Improved experience when triggering Word, PowerPoint and Excel from a Web page or a link.

  4. Connector management and monitoring from the cloud to put the admins in control.

 

We have posted the instructions on how to get started with Azure AD Application Proxy on the Microsoft Azure Library so be sure to check out the simple steps to get you started. https://msdn.microsoft.com/en-us/library/azure/dn768219.aspx 

If you have any questions be sure to reach out and let me know, of feedback directly to the Product Group aadapfeedback@microsoft.com.

Thanks,

James.