Blog | 4-minute Read
The Azure AD Application Proxy: What it is, what it can do, and how it can help you…
David Guest
Solution Architect & Technology Evangelist
Published: 25 October 2019
Liberate your workforce by allowing them to access the applications they need, when they need them, via the Azure AD Application Proxy.
One of the issues with remote working is the need to run applications that are only available when you are in the office.
In the past this has meant running a Virtual Private Network (VPN) so that the remote device (usually a laptop) appears to be on the local area network (LAN). A very workable solution – but this requires infrastructure and isn’t very flexible. How many companies allow a user to install the corporate VPN software on their home PC?
The Azure AD Application Proxy could be the answer.
The Azure AD Application Proxy explained
The Azure AD Application Proxy is a remote access solution for on-premises resources that is included in all Azure AD Premium subscriptions. It allows you to easily publish your on-premises applications to users outside the corporate network.
Imagine a user, who is at home, who then remembers that they have not entered their expenses into the HR app, but the cut-off is tonight! They don’t have a work laptop, so they would normally have to head into the office. Instead, they switch on their home PC/tablet and navigate to MyApps.microsoft.com.
After they have authenticated using Azure AD, they can select the expenses system from the menu and launch the expenses web application. They get single sign-on (SSO) and are straight into booking their expenses.
Supported application types
The Azure Application Proxy supports a number of application types:
- Web applications that use Integrated Windows Authentication for authentication.
- Web applications that use form-based or header-based access.
- Web APIs that you want to expose to rich applications on different devices.
- Applications hosted behind a Remote Desktop Gateway.
- Rich client apps that are integrated with the Active Directory Authentication Library (ADAL).
As long as the application matches one of these then the application proxy is a viable solution. Even when accessing services over a remote desktop environment through a remote desktop gateway.
Free Guide
The Complete Guide to Microsoft Entra [New for 2024]
The most comprehensive guide to Microsoft Entra. Over 40 pages. Plus, Microsoft licensing simplified.
Discover how you can:
- Cut costs by removing 50% management effort
- Elevate security – reduce breach chances by 45%
- Automate provisioning to ensure compliance
So, how does it work?
Let’s look at a high-level view of what’s going on:
First, the user accesses their MyApps page, which requires them to authenticate to Azure AD (using all of the conditional access policies that are in place) and then they select the application that they want to access.
This initiates a connection to the app proxy service, which places their request into a queue that is being monitored by the App Proxy Connector (on-premises). The connector then passes the request to the web server and sends the response back to the service which responds to the user.
As part of the process, the proxy will also try to provide authentication to the application. This takes the user’s authentication details from Azure and then translates them to something that the application may understand.
This can be done with applications that support Kerberos Constrained Delegation (KCD) or SAML. It can also support password vaulting – storing an ID and password for an application securely in Azure.
At the same time, this can increase security for the application by allowing you to leverage Azure AD capabilities such as SSO, conditional access and MFA without making changes to the original application itself.
By adding in conditional access, the user can be validated through multi-factor authentication (MFA), depending on where they are coming from, what the device is, what application they are using and what level of risk the user is showing.
Leave traditional remote access solutions behind
Using Azure AD App Proxy has the following advantages over traditional remote access solutions such as VPN, TMG or UAG.
- It does not open access to your entire network, allowing you to control what is accessible.
- It’s a lot less expensive than the traditional VPN / Threat Management Gateway (TMG) / United Access Gateway (UAG) solutions in the market.
- Azure App Proxy works across a lot more devices.
All of this is done without opening any firewalls or exposing the host server to the Internet. The access is only ever provided through the application connector, this opens an outbound connection to the queue, which is updated by the application proxy. This, in turn, is only available for users who have pre-authenticated against Azure.
Deploying the Azure Application Proxy can make web services available to users who are outside the LAN without having to deploy VPN technologies. Accessing these applications through the proxy can improve the security by enforcing conditional access.
If you have any applications that users need to access from outside your network, but not all users have access to a laptop with a VPN, then the Azure AD Application Proxy is something that you should be looking at.
Free Guide
The Complete Guide to Microsoft Entra [New for 2024]
The most comprehensive guide to Microsoft Entra. Over 40 pages. Plus, Microsoft licensing simplified.
Discover how you can:
- Cut costs by removing 50% management effort
- Elevate security – reduce breach chances by 45%
- Automate provisioning to ensure compliance
Great emails start here
Sign up for free resources and exclusive invites
Subscribe to the Kocho mailing list if you want:
- Demos of the latest Microsoft tech
- Invites to exclusive events and webinars
- Resources that make your job easier
Got a question? Need more information?
Our expert team is here to help.