25 October 2019

The Azure AD Application Proxy: How does it work?

David Guest

Liberate your workforce by allowing them to access the applications they need, when they need them, via the Azure AD Application Proxy.

One of the issues with remote working is the need to run applications that are only available when you are in the office.

In the past this has meant running a Virtual Private Network (VPN) so that the remote device (usually a laptop) appears to be on the local area network (LAN). A very workable solution – but this requires infrastructure and isn’t very flexible. How many companies allow a user to install the corporate VPN software on their home PC?

The Azure AD Application Proxy could be the answer.


What is the Azure AD Application Proxy?

The Azure AD Application Proxy is a remote access solution for on-premises resources that is included in all Azure AD Premium subscriptions. It allows you to easily publish your on-premises applications to users outside the corporate network.

Imagine a user, who is at home, who then remembers that they have not entered their expenses into the HR app, but the cut-off is tonight! They don’t have a work laptop, so they would normally have to head into the office. Instead, they switch on their home PC/tablet and navigate to MyApps.microsoft.com.

After they have authenticated using Azure AD, they can select the expenses system from the menu and launch the expenses web application. They get single sign-on (SSO) and are straight into booking their expenses.

Supported application types

The Azure Application Proxy supports a number of application types:

  • Web applications that use Integrated Windows Authentication for authentication.
  • Web applications that use form-based or header-based access.
  • Web APIs that you want to expose to rich applications on different devices.
  • Applications hosted behind a Remote Desktop Gateway.
  • Rich client apps that are integrated with the Active Directory Authentication Library (ADAL).

As long as the application matches one of these types, the Application Proxy is a viable solution, including when services are accessed through a remote desktop environment via a Remote Desktop Gateway.

So, how does it work?

Let’s look at a high-level view of what’s going on:

First, the user accesses their MyApps page, which requires them to authenticate to Azure AD (using all of the conditional access policies that are in place) and then they select the application that they want to access.

This initiates a connection to the app proxy service, which places their request into a queue that is being monitored by the App Proxy Connector (on-premises). The connector then passes the request to the web server and sends the response back to the service which responds to the user.

As part of the process, the proxy will also try to provide authentication to the application. This takes the user’s authentication details from Azure and then translates them to something that the application may understand.

This can be done with applications that support Kerberos Constrained Delegation (KCD) or SAML. It can also support password vaulting – storing an ID and password for an application securely in Azure.

At the same time, this can increase security for the application by allowing you to leverage Azure AD capabilities such as SSO, conditional access and MFA without making changes to the original application itself.

By adding in conditional access, the user can be validated through multi-factor authentication (MFA), depending on where they are coming from, what the device is, what application they are using and what level of risk the user is showing.


Leave traditional remote access solutions behind

Using Azure AD App Proxy has the following advantages over traditional remote access solutions such as VPN, TMG or UAG.

  • It does not open access to your entire network, allowing you to control what is accessible.
  • It’s a lot less expensive than the traditional VPN / Threat Management Gateway (TMG) / Unified Access Gateway (UAG) solutions in the market.
  • Azure App Proxy works across a lot more devices.

All of this is done without opening any inbound firewall ports or exposing the host server to the Internet. Access is only ever provided through the application connector, which opens an outbound connection to the queue that the Application Proxy service populates. That queue, in turn, only receives requests from users who have pre-authenticated against Azure AD.
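The publishing and SSO flow described in the "So, how does it work?" section, together with the pre-authentication property this paragraph relies on, looks like the following when configured with the AzureAD PowerShell module. This is an added example, not code from the original post or from Microsoft; the display name, URLs and service principal name are placeholders, and it assumes a connector group is already registered and that the connector's computer account has been granted constrained delegation to the application's SPN in on-premises Active Directory.

```powershell
# Added example (not part of the original post). Publishes an on-premises IWA web
# application through Azure AD Application Proxy and configures Kerberos Constrained
# Delegation SSO. Requires the AzureAD module and an existing connector group.
Connect-AzureAD

# Publish the expenses app. ExternalAuthenticationType is the setting that makes the
# "only pre-authenticated users reach the queue" property hold: AadPreAuthentication
# forces an Azure AD sign-in (and conditional access) before a request is queued,
# whereas Passthru would forward unauthenticated requests to the internal server.
$app = New-AzureADApplicationProxyApplication `
    -DisplayName "Expenses" `
    -ExternalUrl "https://expenses-contoso.msappproxy.net/" `
    -InternalUrl "http://expenses.corp.contoso.local/" `
    -ExternalAuthenticationType AadPreAuthentication `
    -IsTranslateHostHeaderEnabled $true
# Placeholder URLs above: the external host is the tenant's msappproxy.net name,
# the internal host is the web server the connector reaches on the LAN.

# Translate the Azure AD identity into the Kerberos identity the IWA app expects.
# The SPN must match the one registered for the internal web server, and the
# connector host must be trusted for constrained delegation to it.
Set-AzureADApplicationProxyApplicationSingleSignOn `
    -ObjectId $app.ObjectId `
    -SingleSignOnMode OnPremisesKerberos `
    -KerberosInternalApplicationServicePrincipalName "http/expenses.corp.contoso.local" `
    -KerberosDelegatedLoginIdentity OnPremisesUserPrincipalName

# Defender's check: list any published application that is NOT using Azure AD
# pre-authentication, since those bypass the conditional access and MFA gate.
Get-AzureADApplication -All $true |
    ForEach-Object {
        Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectId -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.ExternalAuthenticationType -ne 'AadPreAuthentication' } |
    Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType
```

The final pipeline is the audit a practitioner would run after deployment: an empty result means every published app sits behind Azure AD pre-authentication as the post describes.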

Deploying the Azure Application Proxy can make web services available to users who are outside the LAN without having to deploy VPN technologies. Accessing these applications through the proxy can improve the security by enforcing conditional access.

If you have any applications that users need to access from outside your network, but not all users have access to a laptop with a VPN, then the Azure AD Application Proxy is something that you should be looking at.

If you want to know more about cloud authentication, single sign-on and using Azure AD Application Proxy, then we are here to help. Contact us today to arrange a no-obligation Vision Call.
