ThirdSpace ThirdSpace
ThirdSpace Contact Us
Close 0 Reset Search Run Search What are you looking for? Type at least three characters to search. Filter Search Results
  • All Content
  • Blog
  • Page
  • Case Studies
  • Event
  • Resources
  • News
  • Careers
  • Access Centre
  • Technologies
  • Workshops
  • Service
  • Solutions
  • People
Load more
25 October 2019

The Azure AD Application Proxy: What it is, what it can do, and how it can help you…

Profile shot of David Guest.
Written by David Guest

Liberate your workforce by allowing them to access the applications they need, when they need them, via the Azure AD Application Proxy.

One of the issues with remote working is the need to run applications that are only available when you are in the office.

In the past this has meant running a Virtual Private Network (VPN) so that the remote device (usually a laptop) appears to be on the local area network (LAN). A very workable solution – but this requires infrastructure and isn’t very flexible. How many companies allow a user to install the corporate VPN software on their home PC?

The Azure AD Application Proxy could be the answer.

The Azure AD Application Proxy explained

The Azure AD Application Proxy is a remote access solution for on-premises resources that is included in all Azure AD Premium subscriptions. It allows you to easily publish your on-premises applications to users outside the corporate network.

Imagine a user, who is at home, who then remembers that they have not entered their expenses into the HR app, but the cut-off is tonight! They don’t have a work laptop, so they would normally have to head into the office. Instead, they switch on their home PC/tablet and navigate to

After they have authenticated using Azure AD, they can select the expenses system from the menu and launch the expenses web application. They get single sign-on (SSO) and are straight into booking their expenses.

Supported application types

The Azure Application Proxy supports a number of application types:

  • Web applications that use Integrated Windows Authentication for authentication.
  • Web applications that use form-based or header-based access.
  • Web APIs that you want to expose to rich applications on different devices.
  • Applications hosted behind a Remote Desktop Gateway.
  • Rich client apps that are integrated with the Active Directory Authentication Library (ADAL).

As long as the application matches one of these then the application proxy is a viable solution. Even when accessing services over a remote desktop environment through a remote desktop gateway.

So, how does it work?

Let’s look at a high-level view of what’s going on:

First, the user accesses their MyApps page, which requires them to authenticate to Azure AD (using all of the conditional access policies that are in place) and then they select the application that they want to access.

This initiates a connection to the app proxy service, which places their request into a queue that is being monitored by the App Proxy Connector (on-premises). The connector then passes the request to the web server and sends the response back to the service which responds to the user.

As part of the process, the proxy will also try to provide authentication to the application. This takes the user’s authentication details from Azure and then translates them to something that the application may understand.

This can be done with applications that support Kerberos Constrained Delegation (KCD) or SAML. It can also support password vaulting – storing an ID and password for an application securely in Azure.

At the same time, this can increase security for the application by allowing you to leverage Azure AD capabilities such as SSO, conditional access and MFA without making changes to the original application itself.

By adding in conditional access, the user can be validated through multi-factor authentication (MFA), depending on where they are coming from, what the device is, what application they are using and what level of risk the user is showing.

Free watch: Safeguard your data and apps with conditional access and MFA

Free watch: Safeguard your data and apps with conditional access and MFA

81% of breaches are caused by compromised credentials. Watch this free webinar on-demand and discover:

  • Why conditional access and MFA technologies are essential
  • What actions you can take right now to mitigate the risk of a breach
Watch on-demand now

Leave traditional remote access solutions behind

Using Azure AD App Proxy has the following advantages over traditional remote access solutions such as VPN, TMG or UAG.

  • It does not open access to your entire network, allowing you to control what is accessible.
  • It’s a lot less expensive than the traditional VPN / Threat Management Gateway (TMG) / United Access Gateway (UAG) solutions in the market.
  • Azure App Proxy works across a lot more devices.

All of this is done without opening any firewalls or exposing the host server to the Internet. The access is only ever provided through the application connector, this opens an outbound connection to the queue, which is updated by the application proxy. This, in turn, is only available for users who have pre-authenticated against Azure.

Deploying the Azure Application Proxy can make web services available to users who are outside the LAN without having to deploy VPN technologies. Accessing these applications through the proxy can improve the security by enforcing conditional access.

If you have any applications that users need to access from outside your network, but not all users have access to a laptop with a VPN, then the Azure AD Application Proxy is something that you should be looking at.

Subscribe to the ThirdSpace mailing list and get your free buyer’s guide to Microsoft Enterprise Security

Subscribe to the ThirdSpace mailing list and get your free buyer’s guide to Microsoft Enterprise Security

Submit your business email to join our mailing list and we'll send you 'A buyer’s guide to Microsoft Enterprise Security'.

Profile shot of David Guest.

About David Guest

Solution Architect and Technology Evangelist

As ThirdSpace’s Solution Architect and Technology Evangelist (yes, he knows it’s a long title), Dave has a background in IT that goes back to installing a piece of kit called a Microsoft Softcard in...


You may also like...


How the SolarWinds breach highlights the dangers of federated authentication – and what you can do to protect against it


What is Microsoft Identity Manager (MIM)? Everything you need to know


Uniting disparate directories: What is Azure AD Connect cloud provisioning?

Recent Blog Articles

View All
Related topics

Watch: Free conditional access and MFA webinar

Find out how conditional access and MFA mitigate the risk of a data breach.

Watch now

Need some help?

Send us your questions or feedback.

Friendly folks are standing by!

Contact Us
Award-winning solutions Award-winning solutions

Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.

ThirdSpace Please upgrade your browser

You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:

Windows Mac

Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.