Azure AD Application Proxy

Once again, it is time to talk about application management in Azure AD. If you haven't read my older post, I recommend doing that before continuing with this one.

The use & concept

Official documentation

Azure AD Application Proxy can help you provide on-premises applications to the public web. It makes use of a connector service that is installed locally and has a network connection to your web server, so it acts as an app broker. Usually, the server with this agent installed is located in the DMZ. A clear advantage is that all the traffic and communication goes over Azure and not your on-prem servers. Authentication runs through Azure AD, and things like SSO are part of the implementation. We need an Azure AD Premium Plan 1 license for this product.

Add an on-premises application through Application Proxy

After you have installed the connector service, you are ready to add an app to your application library. Add a new application in Azure AD:

Create your own application and select the first option (through App Proxy):

Enter the required information (the rest is optional and up to you):

  • Name - display name of the app
  • Internal Url - the address at which the on-prem app is available
  • External Url - the address at which your app will be exposed to the web
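The same three fields can be set from PowerShell, with Azure AD pre-authentication and cookie flags set explicitly and then read back. This is an added example, not part of the original post; it assumes the legacy AzureAD PowerShell module, and the display name and both URLs are constructed placeholders.

```powershell
# Added example. Assumes the AzureAD module is installed and a connector is registered.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Constructed placeholder values; replace with your own.
$displayName = 'Intranet Wiki (example)'
$internalUrl = 'http://wiki.corp.example/'
$externalUrl = 'https://wiki-contoso.msappproxy.net/'

# Do not publish anything if no connector is currently reporting in.
$active = Get-AzureADApplicationProxyConnector | Where-Object { $_.Status -eq 'active' }
if (-not $active) { throw 'No active Application Proxy connector found.' }

# Publish with Azure AD pre-authentication so that unauthenticated requests
# are stopped at Azure AD instead of being passed through to the internal server.
New-AzureADApplicationProxyApplication `
    -DisplayName $displayName `
    -InternalUrl $internalUrl `
    -ExternalUrl $externalUrl `
    -ExternalAuthenticationType AadPreAuthentication `
    -IsHttpOnlyCookieEnabled $true `
    -IsSecureCookieEnabled $true | Out-Null

# Read the configuration back and fail loudly if it is weaker than intended.
$app = Get-AzureADApplication -Filter "displayName eq '$displayName'"
$proxy = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId

if ($proxy.ExternalAuthenticationType -ne 'AadPreAuthentication') {
    throw "App '$displayName' is published without Azure AD pre-authentication."
}
if (-not $proxy.ExternalUrl.StartsWith('https://')) {
    throw "External URL '$($proxy.ExternalUrl)' is not HTTPS."
}

$proxy | Format-List ExternalUrl, InternalUrl, ExternalAuthenticationType
```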

Single sign-on

  • SAML - Security Assertion Markup Language protocol integration - the counterpart app also needs to support this
  • Password-based - uses a browser extension - not directly SSO, because you need another password
  • Linked - is only a forward link (use cases: ADFS/own SSO mechanics)
  • Windows Integrated Authentication - user impersonation through AD and Proxy connector - Kerberos delegation
  • Header-based - special headers are used for authentication
  • Disabled - no SSO, you will probably just get forwarded


My applications

Access myapplications.microsoft.com for a single portal to all applications that are linked to Azure AD (Enterprise apps).

What happens on a sign-in?

See the timeline and additional information on using Azure AD Application Proxy.

Thanks to Pascal for helping me with the concepts.