💡 Note: Azure Active Directory (AAD) was renamed to Entra ID. The content of this post is still accurate.

Once again, it is time to talk about application management in Azure AD. If you haven't read my older post, I would recommend doing that before continuing with this one.

The use & concept

Official documentation

Azure AD Application Proxy lets you publish on-premises applications to the public web. It uses a connector service that is installed locally and has network access to your web server, so it acts as an application broker. The server running this connector is usually located in the DMZ. A clear advantage is that all external traffic and communication terminates at Azure rather than at your on-prem servers. Authentication runs through Azure AD, and features like SSO are part of the implementation. An Azure AD Premium Plan 1 license is required for this product.
[Screenshot: application-proxy]

Add an on-premises application through Application Proxy

After you have installed the connector service, you are ready to add an app to your application library. Add a new application in Azure AD:
[Screenshot: add-enterprise-app]

Create your own application and select the first option (through App Proxy):
[Screenshot: configure-own-app]

Enter the required information (the rest is optional and up to you):

  • Name - display name of the app
  • Internal Url - the address at which the on-prem app is reachable from the connector
  • External Url - the address at which your app will be exposed to the web

[Screenshot: on-prem-app-configs]

Single sign-on

  • SAML - Security Assertion Markup Language protocol integration - the counterpart app also needs to support this
  • Password-based - uses a browser extension - not true SSO, because you still need another password for the app
  • Linked - only a forwarding link (use cases: ADFS/your own SSO mechanics)
  • Windows Integrated Authentication - user impersonation through AD and the Proxy connector - Kerberos delegation
  • Header-based - authentication via special HTTP headers passed to the app
  • Disabled - no SSO, you will most likely just get forwarded

[Screenshot: enterprise-app-single-sign-on]
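The settings from the two sections above (Internal/External URL, pre-authentication, SSO mode) are what an admin should actually verify after publishing. Here is an added example, not from the original post, that audits them as a defender would; the input shape follows the Microsoft Graph (beta) onPremisesPublishing resource of an application object, and the sample records are constructed, not real tenant data.

```python
from urllib.parse import urlparse

def audit_app_proxy(app: dict) -> list[str]:
    """Return findings for one application's App Proxy publishing settings."""
    pub = app.get("onPremisesPublishing") or {}
    if not pub:
        return ["not published through Application Proxy"]
    findings = []
    # Pre-authentication decides whether an Azure AD sign-in happens before the
    # connector forwards traffic; 'passthru' skips it entirely.
    if pub.get("externalAuthenticationType") != "aadPreAuthentication":
        findings.append("pre-authentication is not Azure AD (passthru)")
    if urlparse(pub.get("externalUrl", "")).scheme != "https":
        findings.append("external URL is not HTTPS")
    sso = pub.get("singleSignOnSettings") or {}
    mode = sso.get("singleSignOnMode", "none")
    if mode == "none":
        findings.append("SSO disabled: users are only forwarded to the app")
    elif mode == "onPremisesKerberos":
        # Windows Integrated Authentication needs the SPN for Kerberos delegation.
        kerb = sso.get("kerberosSignOnSettings") or {}
        if not kerb.get("kerberosServicePrincipalName"):
            findings.append("Kerberos SSO without a service principal name")
    return findings

def audit_all(apps: list[dict]) -> dict[str, list[str]]:
    """Map each app's displayName to its findings (empty list = no findings)."""
    return {app["displayName"]: audit_app_proxy(app) for app in apps}

# Constructed sample records in the shape of Graph (beta) application objects.
SAMPLE_APPS = [
    {"displayName": "Intranet", "onPremisesPublishing": {
        "externalUrl": "https://intranet-contoso.msappproxy.net/",
        "internalUrl": "http://intranet.corp.local/",
        "externalAuthenticationType": "aadPreAuthentication",
        "singleSignOnSettings": {"singleSignOnMode": "onPremisesKerberos",
            "kerberosSignOnSettings": {"kerberosServicePrincipalName": "HTTP/intranet.corp.local",
                                       "kerberosSignOnMappingAttributeType": "userPrincipalName"}}}},
    {"displayName": "LegacyTool", "onPremisesPublishing": {
        "externalUrl": "http://legacy-contoso.msappproxy.net/",
        "internalUrl": "http://legacy.corp.local/",
        "externalAuthenticationType": "passthru",
        "singleSignOnSettings": {"singleSignOnMode": "none"}}},
    {"displayName": "CloudOnly"},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_APPS).items():
        print(name, findings or "OK")
```

In a real tenant the records would come from a GET on the applications endpoint with the onPremisesPublishing property selected, and the findings feed a review rather than an automatic change.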


My applications

Visit myapplications.microsoft.com for a single portal listing all applications (enterprise apps) that are linked to Azure AD.
[Screenshot: myapps.microsoft.com-1]

What happens on a sign-in?

See the timeline and additional information on how a sign-in through Azure AD Application Proxy works.
[Screenshot: how-application-proxy-works-1]

Thanks to Pascal for helping me with the concepts.
