In addition to providing identity services, Azure AD also has features to help connect your on-premises applications and make them available as endpoints on the internet. The feature, known as Azure AD Application Proxy (sometimes referenced as Azure AD App Proxy or Azure App Proxy), provides a sort of gateway or conduit between your on-premises applications and Azure AD.

Important

For an on-premises application to be compatible with the Azure AD App Proxy connector service, it must have a web frontend, use Remote Desktop Gateway, or be a rich client app that is integrated with the Microsoft Authentication Library. Azure AD App Proxy cannot publish standard Windows desktop applications.

After one or more Azure AD App Proxy Connectors are deployed, applications can be registered in Azure AD to use the connectors. When a user accesses the application, their request is relayed via the connector to the on-premises app. See Figure 9.14.

Figure 9.14 – Overview of authentication for a published app

Now that you have an understanding of the workflow, let’s start working with an app!

Configuring prerequisites

Azure AD Application Proxy has a few prerequisites that must be achieved before performing a deployment:

  • An Azure AD Premium P1 or P2 license.
  • At least one server running Windows Server 2012 R2 or 2016. Windows Server is also supported but requires the deployment of an additional registry key to enable communication.
  • If Kerberos Constrained Delegation (KCD) is required, the machine must be domain-joined to the same directory where the applications are being published. Apps to be published must be configured to use Kerberos and have service principal names. For more information on configuring KCD, see https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-kcd.
  • Outbound connectivity on port 80 for certificate revocation list (CRL) checking.
  • Outbound connectivity on port 443 to *.msappproxy.net, *.servicebus.windows.net, login.windows.net, and login.microsoftonline.com.

Versions of the Azure AD App Proxy connector prior to 1.5.132.0 required many additional ports for communication. It is recommended that organizations deploy or update to the latest version of the connector.
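As an added example (not code from the original text), the following PowerShell function checks the prerequisites listed above from the prospective connector host: the Windows Server version, outbound TCP 443 to the named endpoints, outbound TCP 80 for CRL retrieval, and whether an installed connector meets the 1.5.132.0 minimum. The wildcard endpoints and the CRL host are placeholders you must replace with your tenant's real hosts, and the registry DisplayName pattern used to find the connector is an assumption.

```powershell
function Test-AppProxyPrereqs {
    param(
        # Wildcard endpoints (*.msappproxy.net, *.servicebus.windows.net) cannot be
        # probed as wildcards; the TENANT-* names are placeholders for real hosts.
        [string[]]$Https443Hosts = @('login.windows.net', 'login.microsoftonline.com',
                                     'TENANT-HOST.msappproxy.net', 'TENANT-NS.servicebus.windows.net'),
        # Port 80 is required for CRL checking; replace the placeholder with your CA's CRL host.
        [string[]]$Http80Hosts = @('CRL-HOST-PLACEHOLDER'),
        [version]$MinConnectorVersion = [version]'1.5.132.0'
    )

    $results = @()

    # Windows Server 2012 R2 reports kernel version 6.3; 2016 and later report 10.0.
    $os = [System.Environment]::OSVersion.Version
    $results += [pscustomobject]@{ Check = 'OS >= Windows Server 2012 R2'; Target = $os.ToString(); Pass = ($os -ge [version]'6.3') }

    # Outbound TCP 443 to the Azure AD and App Proxy service endpoints.
    foreach ($h in $Https443Hosts) {
        $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        $results += [pscustomobject]@{ Check = 'TCP 443 outbound'; Target = $h; Pass = [bool]$ok }
    }

    # Outbound TCP 80 for certificate revocation list downloads.
    foreach ($h in $Http80Hosts) {
        $ok = Test-NetConnection -ComputerName $h -Port 80 -InformationLevel Quiet -WarningAction SilentlyContinue
        $results += [pscustomobject]@{ Check = 'TCP 80 outbound (CRL)'; Target = $h; Pass = [bool]$ok }
    }

    # Installed connector version. The DisplayName match is an assumption about how the
    # connector registers itself in Add/Remove Programs; adjust if it differs on your build.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $connector = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Application Proxy Connector*' } |
        Select-Object -First 1
    if ($connector) {
        $ver = [version]$connector.DisplayVersion
        $results += [pscustomobject]@{ Check = "Connector >= $MinConnectorVersion"; Target = $ver.ToString(); Pass = ($ver -ge $MinConnectorVersion) }
    } else {
        $results += [pscustomobject]@{ Check = "Connector >= $MinConnectorVersion"; Target = 'not installed'; Pass = $false }
    }

    return $results
}

Test-AppProxyPrereqs | Format-Table -AutoSize
```

Any row with Pass = False points at a prerequisite to fix before registering the connector; a failed 443 probe to a real msappproxy.net or servicebus.windows.net host usually means an outbound firewall or proxy rule is missing.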
