Liberate your workforce by allowing them to access the applications they need, when they need them, via the Azure AD Application Proxy.
One of the issues with remote working is the need to run applications that are only available when you are in the office.
In the past this has meant running a Virtual Private Network (VPN) so that the remote device (usually a laptop) appears to be on the local area network (LAN). A very workable solution – but this requires infrastructure and isn’t very flexible. How many companies allow a user to install the corporate VPN software on their home PC?
The Azure AD Application Proxy could be the answer.
The Azure AD Application Proxy is a remote access solution for on-premises resources that is included in all Azure AD Premium subscriptions. It allows you to easily publish your on-premises applications to users outside the corporate network.
Imagine a user, who is at home, who then remembers that they have not entered their expenses into the HR app, but the cut-off is tonight! They don’t have a work laptop, so they would normally have to head into the office. Instead, they switch on their home PC/tablet and navigate to MyApps.microsoft.com.
After they have authenticated using Azure AD, they can select the expenses system from the menu and launch the expenses web application. They get single sign-on (SSO) and are straight into booking their expenses.
The Azure Application Proxy supports a number of application types:
As long as the application matches one of these then the application proxy is a viable solution. Even when accessing services over a remote desktop environment through a remote desktop gateway.
Let’s look at a high-level view of what’s going on:
First, the user accesses their MyApps page, which requires them to authenticate to Azure AD (using all of the conditional access policies that are in place) and then they select the application that they want to access.
This initiates a connection to the app proxy service, which places their request into a queue that is being monitored by the App Proxy Connector (on-premises). The connector then passes the request to the web server and sends the response back to the service which responds to the user.
As part of the process, the proxy will also try to provide authentication to the application. This takes the user’s authentication details from Azure and then translates them to something that the application may understand.
This can be done with applications that support Kerberos Constrained Delegation (KCD) or SAML. It can also support password vaulting – storing an ID and password for an application securely in Azure.
At the same time, this can increase security for the application by allowing you to leverage Azure AD capabilities such as SSO, conditional access and MFA without making changes to the original application itself.
By adding in conditional access, the user can be validated through multi-factor authentication (MFA), depending on where they are coming from, what the device is, what application they are using and what level of risk the user is showing.
81% of breaches are caused by compromised credentials. Watch this free webinar on-demand and discover:
Using Azure AD App Proxy has the following advantages over traditional remote access solutions such as VPN, TMG or UAG.
All of this is done without opening any firewalls or exposing the host server to the Internet. The access is only ever provided through the application connector, this opens an outbound connection to the queue, which is updated by the application proxy. This, in turn, is only available for users who have pre-authenticated against Azure.
Deploying the Azure Application Proxy can make web services available to users who are outside the LAN without having to deploy VPN technologies. Accessing these applications through the proxy can improve the security by enforcing conditional access.
If you have any applications that users need to access from outside your network, but not all users have access to a laptop with a VPN, then the Azure AD Application Proxy is something that you should be looking at.
Keep your finger on the pulse of identity and Microsoft technology. Submit your business email to get the latest content and event invites straight to your inbox.
As ThirdSpace’s Solution Architect and Technology Evangelist (yes, he knows it’s a long title), Dave has a background in IT that goes back to installing a piece of kit called a Microsoft Softcard in...
READ AUTHOR'S FULL BIO
Find out how conditional access and MFA mitigate the risk of a data breach.Watch now
Send us your questions or feedback.
Friendly folks are standing by!
Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.
You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:Windows
Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.