Azure AD Application Proxy

Published: October 26, 2023

Azure Active Directory (Azure AD, renamed Microsoft Entra ID in 2023) Application Proxy is a feature that lets users reach on-premises web applications from outside the corporate network. It publishes applications hosted in your datacenter behind an Azure AD-controlled external URL without opening any inbound connection from the internet to your network.

Key Benefits:
  • Secure Remote Access: Publish on-premises applications to remote users without VPNs.
  • Pre-authentication: Leverage Azure AD's robust authentication and authorization policies before users access the application.
  • Simplified Infrastructure: Reduce the need for complex network configurations and dedicated hardware.
  • Conditional Access: Integrate with Azure AD Conditional Access policies for fine-grained access control.

How it Works

Azure AD Application Proxy relies on an on-premises connector that opens outbound-only connections to the Application Proxy service in Azure. Because the connector dials out (over HTTPS, with plain HTTP used only to fetch certificate revocation lists), no inbound firewall rules or public endpoints are needed on your network; the only firewall change is allowing outbound TCP 80 and 443 from the connector host to the Azure endpoints. Removing the inbound listener is what removes the internet-facing attack surface.

The process involves:

  1. The user browses to the external URL of the published application, which resolves to the Application Proxy service in Azure.
  2. Azure AD performs pre-authentication: an unauthenticated user is redirected to the Azure AD sign-in page, where credentials, MFA and Conditional Access policies are evaluated.
  3. If the user authenticates and is authorized for the application, Azure AD issues a token to the user's browser.
  4. The browser presents the token to the Application Proxy service, which validates it and extracts the user's identity.
  5. The service forwards the request over the connector's existing outbound connection; the connector then sends it to the internal URL. If single sign-on is configured (for example Kerberos constrained delegation), the connector first obtains the on-premises credential on the user's behalf.
  6. The application's response travels back through the connector and the Application Proxy service to the user.

Key Components

  • Application Proxy service: the cloud endpoint that answers the external URL, performs the token check after pre-authentication, and terminates the connectors' outbound connections.
  • Connector: a lightweight agent installed on a Windows server inside your network. It keeps outbound connections open to the service, relays requests to the internal URL, and can perform single sign-on to the application on the user's behalf.
  • Connector group: connectors are organized into groups (a default group exists in every tenant) so that an application can be bound to connectors in a particular site or network segment.
  • Published application: the enterprise application object in Azure AD that holds the internal URL, external URL, pre-authentication method, connector group and user assignments.

Configuration Steps

Setting up Azure AD Application Proxy typically involves the following steps:

  1. Install and Register Connectors: Download the Application Proxy connector and install it on a Windows server inside your on-premises environment that can reach the internal application and has outbound HTTPS to Azure. During installation, sign in as an Azure AD administrator to register the connector with your tenant; it lands in the default connector group unless you move it.
  2. Publish Applications: In the Azure portal, go to Azure AD, then Enterprise applications, then "New application", and choose "Add an on-premises application". Enter the internal URL (reachable only by the connector), the external URL (the address remote users will browse to), and the connector group that should serve the application.
  3. Configure Authentication: Choose the pre-authentication method. Azure AD pre-authentication is the recommended choice; the alternative, Passthrough, relays unauthenticated requests straight to the internal application and gives up the sign-in step described in the flow above.
  4. Assign Users and Groups: Require assignment on the enterprise application and assign the specific users or groups that should reach it; other tenant users are then refused at pre-authentication.
  5. Test Access: From outside the corporate network, browse to the external URL and confirm that you are sent to the Azure AD sign-in page before the application loads, and that an assigned user lands on the application afterwards.
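The same procedure can be scripted. The following is an added example, not code from the original page or from Microsoft: it carries out steps 2 to 5 with the AzureAD PowerShell module and assumes step 1 (a registered connector) is already done. The display name, URLs and group name are hypothetical placeholders.

```powershell
# Added example (not from the original page): steps 2-5 above with the AzureAD
# PowerShell module. Assumes a connector is already installed and registered.
# 'HR Portal', both URLs and 'HR-Remote-Users' are hypothetical placeholders.
Connect-AzureAD | Out-Null

# Pick the connector group that will serve the app and confirm it has a live connector.
$connectorGroup = Get-AzureADApplicationProxyConnectorGroup |
    Where-Object { $_.Name -eq 'Default' }
if (-not $connectorGroup) { throw 'Default connector group not found; register a connector first (step 1).' }

$live = Get-AzureADApplicationProxyConnectorGroupMembers -Id $connectorGroup.Id |
    Where-Object { $_.Status -eq 'active' }
if (-not $live) { throw "No active connector in group '$($connectorGroup.Name)'." }

# Step 2: publish. The internal URL is reached only by the connector; the external
# URL is what remote users browse to.
# Step 3: AadPreAuthentication forces an Azure AD sign-in before any request is
# relayed (the alternative value, Passthru, relays unauthenticated requests).
$app = New-AzureADApplicationProxyApplication `
    -DisplayName 'HR Portal' `
    -ExternalUrl 'https://hrportal-contoso.msappproxy.net/' `
    -InternalUrl 'https://hrportal.corp.contoso.local/' `
    -ExternalAuthenticationType AadPreAuthentication `
    -ConnectorGroupId $connectorGroup.Id

# Harden the proxy's own session cookie: Secure + HttpOnly, and not persistent.
Set-AzureADApplicationProxyApplication -ObjectId $app.ObjectId `
    -IsSecureCookieEnabled $true -IsHttpOnlyCookieEnabled $true -IsPersistentCookieEnabled $false

# Publishing creates an application object and a service principal; step 4 acts on the latter.
$appObject = Get-AzureADApplication -ObjectId $app.ObjectId
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$($appObject.AppId)'"

# Step 4: only assigned principals may use the app; assign one group to the default role.
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
$group = Get-AzureADGroup -Filter "displayName eq 'HR-Remote-Users'"
New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
    -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null

# Step 5: an anonymous request to the external URL must never reach the backend.
# With pre-authentication on, the proxy replies with a redirect to the Azure AD sign-in page.
$req = [System.Net.HttpWebRequest]::Create($app.ExternalUrl)
$req.AllowAutoRedirect = $false
$resp = $req.GetResponse()
$status = [int]$resp.StatusCode
$location = $resp.Headers['Location']
$resp.Close()
if ($status -eq 302 -and $location -like 'https://login.microsoftonline.com/*') {
    "OK: anonymous request redirected to Azure AD sign-in ($location)"
} else {
    "WARNING: HTTP $status from $($app.ExternalUrl); check the pre-authentication setting"
}
```

Run it from a host outside the corporate network so that the final check exercises the internet-facing path. A 200 instead of a 302 to login.microsoftonline.com means the backend is being served without sign-in, which is exactly the Passthrough misconfiguration step 3 warns about.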

Example Scenario

Consider an internal HR portal that you want to make accessible to employees working remotely. By using Azure AD Application Proxy, you can publish this portal with its own external URL. Employees will be prompted to sign in with their Azure AD credentials, and upon successful authentication, they will be seamlessly directed to the HR portal without requiring a VPN connection.

Best Practices

  • Use Azure AD pre-authentication for every published application. Passthrough skips sign-in and exposes the internal application to unauthenticated internet requests.
  • Require user assignment on the enterprise application and apply Conditional Access (MFA, compliant device, location) so that a leaked password alone is not enough.
  • Deploy at least two connectors per connector group for high availability, on domain-joined servers (needed for Kerberos single sign-on); avoid installing connectors on domain controllers.
  • Give connector hosts outbound TCP 80 and 443 to Azure only; they need no inbound rules at all.
  • Use an HTTPS internal URL where the application supports it. The connector-to-application hop stays inside your network but still carries user sessions.
  • Keep the proxy's session cookie flags at their secure settings (Secure, HttpOnly) and avoid persistent cookies unless an application needs them.
  • Monitor connector status and the Application Proxy entries in the Azure AD sign-in logs, and alert on connectors that go inactive.

For more detailed information, refer to the official Azure AD Application Proxy documentation.
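The following audit script is an added example, not code from the original page or from Microsoft. It enumerates every Application Proxy application in the tenant with the AzureAD module and reports the weak settings a reviewer would look for: Passthrough pre-authentication, no assignment requirement, HTTP internal URLs, weak cookie flags and single-connector groups. The finding texts and the output shape are this example's own choices.

```powershell
# Added example (not from the original page): audit all published App Proxy apps
# for weak settings, using the AzureAD PowerShell module.
Connect-AzureAD | Out-Null

# App Proxy applications are the service principals carrying this tag.
$proxySps = Get-AzureADServicePrincipal -All $true |
    Where-Object { $_.Tags -contains 'WindowsAzureActiveDirectoryOnPremApp' }

$report = foreach ($sp in $proxySps) {
    # The proxy settings live on the application object, not the service principal.
    $appObject = Get-AzureADApplication -Filter "appId eq '$($sp.AppId)'"
    $cfg = Get-AzureADApplicationProxyApplication -ObjectId $appObject.ObjectId
    $findings = @()

    if ($cfg.ExternalAuthenticationType -ne 'AadPreAuthentication') {
        $findings += 'Passthru pre-auth: unauthenticated internet requests reach the backend'
    }
    if (-not $sp.AppRoleAssignmentRequired) {
        $findings += 'assignment not required: every signed-in tenant user can open the app'
    }
    if ($cfg.InternalUrl -notmatch '^https://') {
        $findings += 'HTTP internal URL: connector-to-app hop carries sessions in cleartext'
    }
    if (-not $cfg.IsSecureCookieEnabled -or -not $cfg.IsHttpOnlyCookieEnabled) {
        $findings += 'proxy session cookie lacks Secure and/or HttpOnly'
    }
    if ($cfg.IsPersistentCookieEnabled) {
        $findings += 'persistent proxy cookie survives browser close'
    }

    # A connector group with fewer than two active connectors is a single point of failure.
    $cg = Get-AzureADApplicationProxyApplicationConnectorGroup -ObjectId $appObject.ObjectId
    $active = @(Get-AzureADApplicationProxyConnectorGroupMembers -Id $cg.Id |
        Where-Object { $_.Status -eq 'active' })
    if ($active.Count -lt 2) {
        $findings += "only $($active.Count) active connector(s) in group '$($cg.Name)'"
    }

    [pscustomobject]@{
        App         = $sp.DisplayName
        ExternalUrl = $cfg.ExternalUrl
        PreAuth     = $cfg.ExternalAuthenticationType
        Findings    = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run this with an account that can read enterprise applications; the checks are read-only. Any row whose PreAuth column is not AadPreAuthentication deserves attention first, because that application is reachable from the internet without an Azure AD sign-in.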