Azure AD Application Proxy is an Azure AD feature for enabling access to on-premises web applications from remote clients. It can be used to provide secure access to on-premises applications from anywhere in the world. Additionally, Single Sign-On (SSO) can be configured to integrate other line-of-business applications with Azure AD. Because access goes through a proxy connector, Azure AD Application Proxy eliminates the need to deploy virtual private networks (VPNs) or modify firewall settings to allow external traffic to reach server resources. With Azure AD Application Proxy, remote employees can access on-premises resources exactly as they would access their cloud applications.
Advantages of Using Azure AD Application Proxy
Azure AD Application Proxy not only simplifies access to internal resources but also makes it more secure. Here are some of the advantages of using Azure AD Application Proxy.
Simplifies Resource Access
Internal applications can be reached through an external URL or an internal application portal, much like accessing Office 365 and other software as a service (SaaS) applications.
Improves Application Security
Azure AD Application Proxy extends the authorization controls and security analytics capabilities of Azure to on-premises applications. This means that important identity management features such as Azure AD Conditional Access can be extended to authenticate users who access on-premises resources.
Reduces Infrastructure and Operational Costs
On-premises deployments require complex infrastructure setups to run smoothly, efficiently, and securely. These typically require the implementation of demilitarized zones (DMZs) and edge servers, along with expensive and complex firewalls. As a cloud-based solution, Azure AD Application Proxy needs neither such complex infrastructure nor any significant changes to the existing infrastructure.
When to Use Azure AD Application Proxy?
Azure AD Application Proxy is an ideal solution for giving external users outside the corporate network access to on-premises resources. Here are some scenarios in which Azure AD Application Proxy can be useful.
- Securing web applications that use Integrated Windows Authentication (IWA).
- Authenticating web applications that use form-based or header-based access.
- Exposing web APIs to rich applications that are device agnostic.
- Hosted applications that use Remote Desktop Gateway.
- Rich client apps with Microsoft Authentication Library (MSAL) integration.
Requirements for Azure AD Application Proxy Implementation
Azure AD Application Proxy is an extension of Azure AD to an on-premises environment. It is, therefore, not available with the free plan. Here are some of the considerations for implementing the Azure AD Application Proxy solution.
You will need an Azure AD Premium P1 or P2 plan, which allows organizations to synchronize user identities from the on-premises directory or create them within the Azure AD tenant. Users are then pre-authenticated before they are granted access to applications published through Application Proxy, which allows single sign-on (SSO) access.
Set up Conditional Access
Azure AD Application Proxy should be enabled only for external users, as extending the feature to intranet users will increase latency. This setting can be controlled with Azure AD Conditional Access in the Premium plans.
Domain and Certificate Requirements
Custom domains should have TLS/SSL certificates; standard, wildcard, or SAN-based certificates can be used. Azure AD Application Proxy uses a Connector that runs on an on-premises server. This server and the server running the app must be domain joined and on the same domain or on trusting domains.
Rights, Roles, and Service Limits
Installing the Connector, publishing applications, and administering them require admin access with the Application Administrator role to connect with Azure AD. It is also ideal to set service limits to avoid resource overconsumption.
Apps4Rent Can Help with Azure AD Application Proxy
Azure AD Application Proxy requires intricate planning for its implementation. Additionally, the Connectors can be installed on either physical on-premises hardware or hosted virtual machines. As a Microsoft CSP, Apps4Rent can assist you with dependable virtual machines and the right Azure plan for deploying Azure AD Application Proxy. We provide 24/7 phone, chat, and email support for Azure services. Contact us today for promotional prices on Azure plans and services.