Azure AD Application Proxy (renamed Microsoft Entra application proxy in 2023) is a Microsoft cloud service that lets users reach on-premises web applications from anywhere, on any device, without a VPN. It suits organizations that do not want to expose internal applications directly to the internet. It works as a reverse proxy: users connect to a public endpoint in Azure, Azure AD authenticates them first, and the request is then relayed to the internal application over a connection that a lightweight connector inside your network opened outbound to Azure. Nothing in your network accepts inbound connections from the internet.
Developing Integration for On-premises Apps
Step 1: Installing the Application Proxy Connector
The connector is a lightweight Windows service that bridges Azure AD and the web applications you publish. It only makes outbound connections to Azure (TCP 443, plus 80 for certificate validation), so no inbound firewall rules are needed. Install at least two connectors per connector group for resilience and load balancing.
To install Application Proxy Connector, use the following steps:
- In the Azure portal, navigate to the Application Proxy page.
- Click “Download Connector Service”.
- On your on-premises server, run the installer accepting the terms and conditions.
- When the installer finishes, sign in with an account that holds the Application Administrator role (Global Administrator also works) to register the connector with your tenant.
Step 2: Publishing Applications
After installing the Connector, your next phase is publishing your on-premises applications.
To publish your applications, follow these steps:
- In the Azure portal, navigate to the Application Proxy page.
- Click on “Add”.
- Enter the internal URL – the URL users use within your private network (include the port if the app does not listen on 80 or 443).
- Keep the generated msappproxy.net address as the external URL or, after verifying a custom domain and uploading its TLS certificate, choose your own hostname.
- Leave Pre Authentication set to Azure Active Directory so that every request is authenticated by Azure AD before it reaches the connector; choose Passthrough only if the application must handle its own authentication and you accept that Conditional Access will not apply to it.
- Select the Connector Group whose connectors can reach this app.
- Choose the name users will see in the access panel.
Step 3: Test and Access Application
After publishing your application, the final phase is to verify it from outside your network as an assigned user.
To test and access the application:
- From a device outside the corporate network, sign in to the access panel at https://myapps.microsoft.com/ as a user who has been assigned to the application.
- Locate and click on your application.
- Verify that the application loads and behaves as it does internally.
- Also browse to the external URL without signing in: you should be redirected to the Azure AD sign-in page, never to the application itself.
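The same publishing steps can be scripted. The following is an added example, not part of the original page or Microsoft's documentation: it uses the AzureAD PowerShell module (Install-Module AzureAD; the module is now deprecated in favour of Microsoft Graph PowerShell, but its Application Proxy cmdlets are the ones shown here) to publish an app with Azure AD pre-authentication, restrict it to one group, and then check that an anonymous request to the external URL is redirected to Azure AD rather than served. The display name, URLs and group name are placeholders.

```powershell
# Added example: publish an internal web app through Azure AD Application Proxy with
# Azure AD pre-authentication, require group assignment, and verify pre-auth is enforced.
# Requires the AzureAD module and an account with the Application Administrator role.
# All hostnames, the display name and the group name are placeholders.

Connect-AzureAD | Out-Null

$displayName = 'Timesheets'
$internalUrl = 'https://timesheets.corp.contoso.local/'      # reachable only from the connector's network
$externalUrl = 'https://timesheets-contoso.msappproxy.net/'  # default msappproxy.net host, or a verified custom domain
$groupName   = 'SG-Timesheets-Users'

# Use the connector group that can reach the internal URL (here: the default group).
$connectorGroup = Get-AzureADApplicationProxyConnectorGroup | Where-Object { $_.IsDefault -eq $true }

# Publish with Azure AD pre-authentication. 'Passthru' would let unauthenticated traffic
# reach the connector and the backend, which removes Conditional Access from the picture.
New-AzureADApplicationProxyApplication -DisplayName $displayName `
    -InternalUrl $internalUrl `
    -ExternalUrl $externalUrl `
    -ExternalAuthenticationType AadPreAuthentication `
    -ConnectorGroupId $connectorGroup.Id | Out-Null

# Publishing creates an enterprise application. Require assignment so that only the
# chosen group, not every user in the tenant, can obtain a token for it.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$displayName'"
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

$group = Get-AzureADGroup -Filter "displayName eq '$groupName'"
New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
    -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null   # empty GUID = default access role

function Test-AppProxyPreAuth {
    <#
      Sends one anonymous GET to the external URL without following redirects and
      returns $true only if the proxy answers with a redirect to the Azure AD sign-in
      endpoint. A 200, or a redirect anywhere else, means pre-authentication is not enforced.
    #>
    param([Parameter(Mandatory)][string]$Url)

    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.AllowAutoRedirect = $false
    $request.Method = 'GET'
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers are thrown as exceptions but still carry the response.
        $response = $_.Exception.Response
        if (-not $response) { throw }
    }
    $status   = [int]$response.StatusCode
    $location = $response.Headers['Location']
    $response.Close()

    Write-Host ("{0} -> {1} {2}" -f $Url, $status, $location)
    return ($status -in 301, 302, 303, 307) -and
           $location -like 'https://login.microsoftonline.com/*'
}

if (-not (Test-AppProxyPreAuth -Url $externalUrl)) {
    Write-Warning "Pre-authentication is not enforced on $externalUrl; check ExternalAuthenticationType."
}
```

Run the check from a machine outside the corporate network, so that the result reflects what an internet client sees; it is also a cheap test to repeat after any change to the application's Pre Authentication setting.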
Security Features
Azure AD Application Proxy integrates natively with other Azure AD capabilities, such as Conditional Access and multi-factor authentication (MFA), because every request is pre-authenticated by Azure AD before it reaches your network.
For example, you could add a conditional policy that requires MFA when applications are accessed from outside the corporate network.
To configure Conditional Access policies:
- From the Azure portal, go to Azure Active Directory > Security > Conditional Access.
- Click on New policy, provide a relevant name, and then under Assignments > Users and groups, select the users and groups you want to include in the policy.
- Under Cloud apps or actions, choose the on-premises apps you published through Application Proxy (they appear as enterprise applications).
- Under Conditions, specify the right set – for example, you might set a condition based on Sign-in risk.
- Under Access controls > Grant, select what the user needs to do to satisfy the policy (e.g. Require multi-factor authentication).
- Set Enable policy to Report-only first and review the sign-in logs, then switch it to On once the results match your expectations.
- Verify the new policy by trying to reach your on-prem app from a device that falls under the conditions of the policy.
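The policy from the example above (MFA when the published app is used from outside trusted locations) can also be created from PowerShell. This is an added example, not code from the original page or from Microsoft: it uses the AzureAD module's New-AzureADMSConditionalAccessPolicy cmdlet, starts the policy in report-only mode, and assumes an Application Proxy app named 'Timesheets' assigned to a group 'SG-Timesheets-Users' (both placeholders), with your office networks already defined as trusted named locations.

```powershell
# Added example: Conditional Access policy requiring MFA for one Application Proxy app
# when the sign-in does not come from a trusted named location. Created in report-only
# mode first. 'Timesheets' and 'SG-Timesheets-Users' are placeholders.

Connect-AzureAD | Out-Null

$app   = Get-AzureADServicePrincipal -Filter "displayName eq 'Timesheets'"
$group = Get-AzureADGroup -Filter "displayName eq 'SG-Timesheets-Users'"

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

# Scope: the Application Proxy app only (by its application/client ID) and the assigned group only.
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $app.AppId

$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeGroups = $group.ObjectId

$conditions.ClientAppTypes = @('browser', 'mobileAppsAndDesktopClients')

# "Outside the corporate network": every location except those marked trusted under
# Azure Active Directory > Security > Conditional Access > Named locations.
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = 'All'
$conditions.Locations.ExcludeLocations = 'AllTrusted'

# Grant control: require MFA.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator       = 'OR'
$controls.BuiltInControls = @('mfa')

# Report-only: the sign-in logs show what the policy would have done without blocking anyone.
$policy = New-AzureADMSConditionalAccessPolicy -DisplayName 'Timesheets - MFA outside trusted locations' `
    -State 'enabledForReportingButNotEnforced' `
    -Conditions $conditions `
    -GrantControls $controls

# After reviewing the report-only results in the sign-in logs, enforce the policy:
# Set-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id -State 'enabled'
```

Scoping the policy to the assigned group rather than to all users keeps the report-only phase readable, and excluding only trusted named locations (rather than a hand-typed IP range) means the policy follows whatever your network team maintains under Named locations.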
In conclusion, Azure AD Application Proxy is a simple and versatile way to ensure secure remote access to your on-premises applications, without requiring changes in your application infrastructure. Moreover, it gives you the advantage of utilizing Azure’s robust security services such as MFA and Conditional Access, further strengthening your security posture.
Practice Test
True or False: Azure AD Application Proxy is used to publish and manage on-premises applications for secure remote access.
- True
- False
Answer: True
Explanation: Azure AD Application Proxy provides secure remote access to on-premises web applications.
Which of the following protocols does Azure Application Proxy support? (choose all that apply)
- A. HTTP
- B. HTTPS
- C. IMAP
- D. SMTP
Answer: A, B
Explanation: Azure Application Proxy supports only web-based protocols including HTTP and HTTPS.
True or False: Azure AD Application Proxy does not provide a way to secure remote access to on-premises applications with Azure Active Directory’s Conditional Access.
- True
- False
Answer: False
Explanation: Azure AD Application Proxy provides a way to secure remote access to on-premises applications leveraging Azure’s Conditional Access.
Does Azure AD Application Proxy require VPN to provide access to on-premises applications?
- A. Yes
- B. No
Answer: B
Explanation: Azure AD Application Proxy does not require a VPN as it provides secure remote access and is designed to reduce network complexity.
True or False: Azure AD Application Proxy requires you to open inbound connections on your firewall.
- True
- False
Answer: False
Explanation: Azure AD Application Proxy works with outbound connections only, reducing security risks associated with inbound connections.
Which of the following can not be done using Azure AD Application Proxy?
- A. Securing remote access
- B. Publishing on-premises applications
- C. Configuring Single Sign-On
- D. Managing non-web-based applications
Answer: D
Explanation: Azure AD Application Proxy only manages web-based applications and does not support non-web-based applications.
Can Azure AD Application Proxy be used to pre-authenticate access to on-premises applications with Azure Active Directory?
- A. Yes
- B. No
Answer: A
Explanation: Azure AD Application Proxy is used to pre-authenticate access to on-premises applications with Azure Active Directory, providing an additional layer of security.
Which Azure service needs to be installed on the on-premises server for Azure AD Application Proxy to work?
- A. Azure AD Connect
- B. Azure Connect
- C. Azure App proxy Connector
- D. Azure Directory Connect
Answer: C
Explanation: Azure AD Application Proxy uses the Azure AD Application Proxy connector which needs to be installed on your local network.
True or False: Azure AD Application Proxy can be used to provide remote access to applications hosted on Azure.
- True
- False
Answer: False
Explanation: Azure AD Application Proxy is designed for applications on private networks. A connector can be installed on an Azure IaaS virtual machine to publish apps hosted there, but applications running on Azure platform services integrate with Azure AD directly and do not need Application Proxy.
Which of the following features are not supported by Azure AD Application Proxy (choose all that apply)?
- A. WebSocket
- B. UDP
- C. Smartcard authentication
- D. Private Networking
Answer: B, D
Explanation: Azure AD Application Proxy carries only HTTP(S) traffic, so UDP-based applications and general private networking (arbitrary TCP/UDP reachability, as a VPN provides) are out of scope. WebSocket connections are supported, and smartcard (certificate-based) authentication can be enforced at the Azure AD sign-in.
Interview Questions
What is Azure AD Application Proxy in Microsoft?
Azure AD Application Proxy is a feature of Azure AD that allows users to access on-premises web applications from a remote client. It is a type of reverse-proxy service making these applications available to users outside the corporate network.
How does Azure AD Application Proxy provide secure access?
It pre-authenticates every request with Azure AD before anything is forwarded to the connector, so Conditional Access, MFA and risk-based policies apply to the on-premises app; only authenticated and assigned users reach it. The connector itself only opens outbound connections, so the application is never directly exposed to the internet.
Can Azure AD Application Proxy be used for apps that use non-standard ports?
Yes. Include the port in the internal URL when you publish the app (for example https://app.corp.contoso.local:8443/); the connector must be able to reach that port. No connector-side port configuration is needed, and the external URL is always served over 443.
What type of applications can be published using Azure AD Application Proxy?
You can publish any of your internal web-based applications, which includes apps hosted on IIS, Apache, and other web servers, with Azure AD Application Proxy.
What are some of the advantages of using Azure AD Application Proxy?
It allows remote access to web apps without a VPN, adds additional authentication measures, reduces attack surfaces by eliminating the need to expose applications to the internet, and allows for central control and monitoring of access policies.
Is it necessary to make any changes in the network infrastructure to use Azure AD Application Proxy?
No changes to the application or to inbound firewall rules are required, and no VPN. The connector only needs to reach the application and to make outbound HTTPS connections to Azure (TCP 443, plus 80 for certificate validation); it is normally installed on a server inside the corporate network rather than in a DMZ, since nothing connects inbound to it.
What are the prerequisites for setting up Azure AD Application Proxy?
You need an Azure AD tenant with Azure AD Premium P1 or P2 licenses (or a suite that includes them), a supported Windows Server with outbound access to Azure on which to install the Application Proxy connector, an account with the Application Administrator role, and a web application that the connector can reach.
What security protocols does Azure AD Application Proxy support?
At the front end, users authenticate to Azure AD with the protocols it supports (OpenID Connect/OAuth 2.0 or SAML). Towards the back end, Application Proxy can provide single sign-on to the on-premises app with Kerberos Constrained Delegation (KCD) for Integrated Windows Authentication, header-based SSO, SAML, or password-based SSO.
How does the on-premises environment connect with Azure Active Directory in Application Proxy?
The on-premises environment connects with Azure AD through the use of connectors. The connectors are responsible for maintaining an outbound connection with your Azure AD.
Can Azure AD Application Proxy support load balancing?
Yes. Connectors in the same connector group share the traffic for the applications assigned to that group, and when one connector goes offline Azure AD routes requests to the remaining ones.
Can I use my custom domain with Azure AD Application Proxy?
Yes. Verify the domain in Azure AD, set the external URL to a hostname in that domain, upload the TLS certificate (PFX) for that hostname when publishing the app, and add a CNAME record pointing the hostname at the msappproxy.net address shown in the portal.
How does Azure AD preauthenticate users for on-premises apps?
Azure AD preauthenticates users by completing the Azure AD sign-in, including any MFA or Conditional Access requirement (such as a compliant device), before the request is forwarded to the connector; unauthenticated requests never reach the on-premises app.
Can Azure AD Application Proxy work for apps hosted outside your corporate network?
The application must be reachable from a connector over the private network, but connectors can run anywhere that has outbound access to Azure, including another data centre or a cloud IaaS virtual machine. The app does not have to be on the corporate LAN, but it cannot be published unless a connector can reach it.
What is the command to install a new Application Proxy Connector?
The installer is AADApplicationProxyConnectorInstaller.exe, downloaded from the Application Proxy page in the Azure portal. Running it installs the connector service and prompts for an Application Administrator sign-in to register the connector with your tenant.
How can you monitor the performance of your Azure AD Application Proxy?
On each connector server, the Windows event log under Applications and Services Logs > Microsoft > AadApplicationProxy > Connector (Admin and Session logs) and the Microsoft AAD App Proxy Connector performance counters show connector health and traffic. In the portal, the Application Proxy page shows connector status per connector group, and the Azure AD sign-in logs record every pre-authentication together with the Conditional Access result.