Securely Publish internal Applications over Microsoft Azure AD Application Proxy

Azure Active Directory (AD) Application Proxy is a secure application access solution from Microsoft. It provides remote access to on-premises web applications from any device, while ensuring that sensitive data is protected. With Application Proxy, administrators can securely publish applications to the cloud, allowing users to access them from anywhere with an internet connection.

The Application Proxy works by redirecting incoming traffic from the internet to an application running on a server behind your organization’s firewall. The proxy establishes a secure, encrypted connection between the client and the application, and the traffic is forwarded over this connection. This eliminates the need for a VPN, making it much easier for users to access their applications from remote locations.

One of the key benefits of using the Application Proxy is that it integrates seamlessly with Azure AD. This means that administrators can use their existing Azure AD credentials to control access to the published applications. Additionally, the proxy supports multi-factor authentication, which provides an extra layer of security for sensitive applications.

Another advantage of the Application Proxy is its ease of use. Administrators can quickly and easily publish applications, and users can access them with just a few clicks. The proxy provides a customizable, branded sign-in experience that is consistent with other Azure AD-powered applications, making it easy for users to recognize and trust the applications they are accessing.

In conclusion, the Azure AD Application Proxy is a highly secure and easy-to-use solution for providing remote access to on-premises applications. Its seamless integration with Azure AD and support for multi-factor authentication make it a great choice for organizations that want to ensure the security of their sensitive data while providing convenient access to their applications.

Licensing

To use Azure AD Application Proxy, you will need one of the following licenses:

• Azure AD Premium P1 or P2 – These licenses include the Application Proxy feature and are recommended for most organizations.
• Microsoft 365 Business – This license includes the Application Proxy feature for small and medium-sized businesses.
• Enterprise Mobility + Security (EMS) E3 or E5 – These licenses include the Application Proxy feature as part of the EMS suite of products.

It is recommended to check with Microsoft or a licensed reseller to determine which license is best for your organization’s specific needs. Additionally, you may need to purchase additional licenses for the on-premises servers that will host the applications you want to publish through the Application Proxy.

Setup

You can setup Azure AD application proxy by following this steps.

Firstly go to https://portal.azure.com, select Azure Active Directory and then open the Application proxy page:

Now we need to download the connector:

Accept the terms to start the download:

Run the installer on an Windows server operating system with administrative priviledges:

Now follow the steps from the installer:

Sign in with your Azure AD credentials:

Once the setup finished you can continiue in the Azure portal:

Switch back to https://portal.azure.com into Azure AD in the Azure AD application proxy page:

Here you should see the currently registered connector on the server:

Firstly we want to create a new Connector group to order our services. So click on „+ New Connector Group“. Set the name, define your connector service and configure the location it is running at:

Finish by clicking „+Create“.

Our connector should now be moved from the default group to our new group:

You have successfully setup and configured an Azure AD application proxy. Continiue with this guide to publish your first application.

Publish an Internal Application

Now that we have setup the connector we can create an application which is used to redirect an internal application over the service to the internet. Klick on „+ Configure an app“:

In this step we need to configure some parameters. First the name and the internal URL to your application from your OnPrem network. The application will create an redirect URL for the service. You can use the default tenant domain or if you have an custom domain than you can use your own. For the authentication you can go with Azure AD or Passthrough. I choose Azure AD. The last step is to select the used Connector group. The connector needs to be in the OnPrem network to contact your application and work as an reverse proxy:

Click on create to finish the deployment. Wait a few minutes and the you can use your application from the internet secured by Azure AD authentication.