I have been working last month with Azure AD Application Proxy, and here is a quick guide on how to publish a claims-based application through AAD App Proxy.
Pre-requirements:
- Claims-aware application with an ADFS relying party (RP) trust
- Application available from outside your network
- Azure AD Application Proxy Connector installed and registered
The first thing to do is to publish the application from AAD; Microsoft has very good guidance on how to do it.
Publish Application through AAD Proxy
Navigate to your tenant, select Applications, and choose Add from the bottom of the screen.
Select “Publish an application that will be accessible from outside your network”.
Name: the name of the application
Internal URL: the URL of the published application that is used to access it from inside your private network
Preauthentication method: Passthrough, or pre-authentication performed by Azure AD
After the application is published, assign permission to the users or groups that will use it.
When user permission to the application has been granted, navigate to the advanced configuration page and confirm that:
- If you chose Passthrough as your Preauthentication Method, make sure to select HTTPS as your External URL scheme.
- If you chose Azure Active Directory as your Preauthentication Method, make sure to select None as your Internal Authentication Method.
ADFS Configuration
Open the ADFS console and the properties of the claims-aware application's relying party trust.
- On the Endpoints tab, under Endpoint type, select WS-Federation
- Under Trusted URL, enter the URL you entered in the Application Proxy under External URL and click OK (in the picture below there is also a second URL, which is the URL for ADFS itself from an earlier setup)
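As an added example, not part of the original post, the following PowerShell applies the same endpoint change with the ADFS module and checks the two things this configuration depends on: that the External URL uses HTTPS, and that the relying party trust's WS-Federation endpoint matches it afterwards. The relying party trust name and the External URL are assumed placeholders; replace them with your own values. Run it on the ADFS server with an account that can administer ADFS.

```powershell
# Added example (not from the original post). Assumed placeholders:
#   $RelyingPartyName - display name of the existing RP trust in ADFS
#   $ExternalUrl      - the External URL shown for the app in AAD Application Proxy
param(
    [string]$RelyingPartyName = 'ClaimApp',
    [string]$ExternalUrl      = 'https://webapp-fetanet.msappproxy.net/claimapp/'
)

Import-Module ADFS

# The WS-Federation endpoint receives the token via a browser POST, so it must be HTTPS.
$external = [Uri]$ExternalUrl
if ($external.Scheme -ne 'https') {
    throw "External URL must use HTTPS, but scheme is '$($external.Scheme)'"
}

# The RP trust must already exist (a prerequisite of this guide); do not create one here.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) {
    throw "Relying party trust '$RelyingPartyName' was not found"
}

# Point the WS-Federation passive endpoint at the App Proxy External URL.
# This is the same change as selecting WS-Federation and entering the Trusted URL in the console.
Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -WSFedEndpoint $external

# Re-read the trust and confirm the endpoint is what we expect.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if ($rp.WSFedEndpoint -ne $external) {
    throw "WS-Federation endpoint is '$($rp.WSFedEndpoint)', expected '$($external.AbsoluteUri)'"
}

Write-Output "WS-Federation endpoint for '$RelyingPartyName' is set to $($rp.WSFedEndpoint)"
```

Because the script reads the trust back after the change, it also serves as a quick audit step: run it with the expected URL on an existing deployment and it fails loudly if someone has changed the endpoint to a different host or downgraded it to HTTP.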
Test connection to application
Open a browser and navigate to the application, which in my case is found at the following address:
https://webapp-fetanet.msappproxy.net/claimapp/
When the authentication request is redirected from AAD to my ADFS instance, I need to authenticate against my on-premises Active Directory.
Because multi-factor authentication is required for all authentication requests coming from outside, my demo user “mona” also needs to validate her identity with a second factor.
After successful authentication the claims-based application opens.
Summary:
This was only one scenario for publishing applications through the AAD Application Proxy service. Because AAD Proxy handles authentication in the cloud, WAP is not needed in this scenario.
There are still a lot of things to test with AAD Application Proxy in the coming weeks, including:
- SSO for on-prem IWA apps using KCD with Application Proxy & SSO for non-Windows Apps
- Publish applications with your own domain name
- Assign conditional access to applications