I have been working with Azure AD Application Proxy over the last month, and here is a quick guide on how to publish a claims-based application through AAD App Proxy.

Prerequisites:

  • A claims-aware application with an ADFS relying party (RP) trust
  • An application that should be available from outside your network
  • An Azure AD Application Proxy Connector installed and registered

The first thing to do is to publish the application from AAD; Microsoft has very good guidance on how to do it.

Publish Application through AAD Proxy

Navigate to your tenant, select Applications, and click Add at the bottom of the screen.

[Screenshot: Blog2]

Select “Publish an application that will be accessible from outside your network”

[Screenshot: Blog3]

Name: The name of the application

Internal URL: The URL of the published application that is used to access it from inside your private network

Preauthentication method: Passthrough, or pre-authentication by Azure AD

[Screenshot: Blog4]

After the application is published, assign users or groups permission to use it.

[Screenshot: blog15]

[Screenshot: Blog5]

Once user permissions have been granted, navigate to the advanced configuration page and confirm that:

  • If you chose Passthrough as your Preauthentication Method, make sure to select HTTPS as your External URL scheme.
  • If you chose Azure Active Directory as your Preauthentication Method, make sure to select None as your Internal Authentication Method.

[Screenshot: Blog9]

[Screenshot: Blog8]

[Screenshot: Blog6]
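As an added example (not code from the original post), the same publishing steps done with the AzureAD PowerShell module instead of the portal, with the two advanced-configuration rules above checked in script before the application is created. The display name, internal URL and group name are constructed placeholders; the external URL is the one used later in this post.

```powershell
# Added example: publish a claims-aware app through Azure AD Application Proxy
# with the AzureAD PowerShell module. Display name, internal URL and group name
# are constructed placeholders; the external URL is the one used in this post.
Import-Module AzureAD
Connect-AzureAD   # sign in with an account that can manage enterprise applications

$displayName = "ClaimApp"                                          # constructed
$internalUrl = "https://claimapp.corp.example.local/claimapp/"     # constructed
$externalUrl = "https://webapp-fetanet.msappproxy.net/claimapp/"   # External URL from this post
$groupName   = "ClaimApp Users"                                    # constructed

# Preauthentication method as shown in the portal:
#   "AadPreAuthentication" = Azure Active Directory, "Passthru" = Passthrough
$preAuth = "AadPreAuthentication"

# Rule from the advanced configuration page: Passthrough requires an HTTPS External URL,
# otherwise the application's own logon and session cookies travel in clear text.
if ($preAuth -eq "Passthru" -and ([uri]$externalUrl).Scheme -ne "https") {
    throw "Passthrough preauthentication requires an https:// External URL"
}

New-AzureADApplicationProxyApplication -DisplayName $displayName `
    -InternalUrl $internalUrl -ExternalUrl $externalUrl `
    -ExternalAuthenticationType $preAuth | Out-Null
# With Azure AD preauthentication the Internal Authentication Method stays None,
# which is what a newly published app gets when no SSO/KCD is configured for it.

# Assign a group so its members may use the application. The proxy app is represented
# by a service principal, and the default app role is the all-zero GUID.
$sp    = Get-AzureADServicePrincipal -Filter "displayName eq '$displayName'"
$group = Get-AzureADGroup -Filter "displayName eq '$groupName'"
New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
    -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null

# Check: what was published, and who is allowed to use it
$appId = (Get-AzureADApplication -Filter "displayName eq '$displayName'").ObjectId
Get-AzureADApplicationProxyApplication -ObjectId $appId |
    Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
    Select-Object PrincipalDisplayName, PrincipalType
```

The two `Select-Object` calls at the end are the script equivalent of the portal screenshots: they confirm the URLs, the preauthentication method, and the assigned group before you touch ADFS.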

ADFS Configuration

Open the ADFS console and the properties of the claims-aware application's relying party trust.

  • On the Endpoints tab, under Endpoint type, select WS-Federation
  • Under Trusted URL, enter the URL you entered under External URL in the Application Proxy and click OK (in the screenshot below there is also a second URL, which is the URL of ADFS itself from an earlier setup)

[Screenshot: Blog7]
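The same endpoint change done with the ADFS PowerShell module, as an added example that is not from the original post. It is run on the ADFS server; the relying party trust name is a constructed placeholder, and the external URL is the one used in this post.

```powershell
# Added example: set the Application Proxy External URL as the WS-Federation passive
# endpoint (the "Trusted URL" on the Endpoints tab) of the existing relying party trust.
# Run on the ADFS server. The RP trust name is a constructed placeholder.
Import-Module ADFS

$rpName      = "ClaimApp"                                                    # constructed
$externalUrl = [uri]"https://webapp-fetanet.msappproxy.net/claimapp/"        # External URL from this post

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# The endpoint must be the External URL: after sign-in the browser POSTs the token
# there, and the internal URL is not reachable from outside the network.
Set-AdfsRelyingPartyTrust -TargetName $rpName -WSFedEndpoint $externalUrl

# Check: the endpoint is now the external URL, and it uses https (tokens are never
# posted over plain http).
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ($rp.WSFedEndpoint.AbsoluteUri -ne $externalUrl.AbsoluteUri) {
    throw "WS-Federation endpoint was not updated"
}
if ($rp.WSFedEndpoint.Scheme -ne "https") {
    throw "WS-Federation endpoint must use https"
}
$rp | Select-Object Name, WSFedEndpoint, Identifier
```

The final `Select-Object` also prints the trust's identifiers, which is worth a glance: ADFS matches the `wtrealm` the application sends against that list, so the endpoint and the identifier together decide whether the sign-in request is accepted.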

Test connection to application

Open a browser and navigate to the application, which in my case is found at the following address

https://webapp-fetanet.msappproxy.net/claimapp/

When the authentication request is redirected from AAD to my ADFS instance, I need to authenticate against my on-premises Active Directory.

[Screenshot: Blog10a]

[Screenshot: Blog11]

Because multi-factor authentication is required for all authentication requests coming from outside, my demo user “mona” also needs to validate her identity with a second factor.

[Screenshot: Blog12]

After successful authentication, the claims-based application opens.

[Screenshot: Blog14]
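The browser test above can be complemented by a scripted check run from outside the network, added here as an example that is not part of the original post: an anonymous request to the external URL must not return the application's content, it must be redirected to the Azure AD sign-in page (which then forwards to ADFS). The URL is the one used in this post; the sign-in host assumed below is the one for the global Azure cloud.

```powershell
# Added example: verify that Azure AD preauthentication is enforced on the published
# application. Uses .NET HttpClient with redirects disabled so the first response is
# visible. The external URL is the one used in this post.
Add-Type -AssemblyName System.Net.Http   # needed on Windows PowerShell 5.1

$externalUrl = "https://webapp-fetanet.msappproxy.net/claimapp/"

function Test-PreAuthRedirect {
    param([Parameter(Mandatory)][string]$Url)
    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.AllowAutoRedirect = $false     # do not follow the redirect to the sign-in page
    $handler.UseCookies = $false            # a fresh, anonymous client every time
    $client = [System.Net.Http.HttpClient]::new($handler)
    try {
        $response = $client.GetAsync($Url).GetAwaiter().GetResult()
        $status   = [int]$response.StatusCode
        $location = $response.Headers.Location
        # Preauthentication is enforced only if the anonymous request is redirected
        # to the Azure AD sign-in host (global cloud assumed; national clouds differ).
        $redirectedToAad = ($status -ge 300 -and $status -lt 400 -and
                            $location -and $location.IsAbsoluteUri -and
                            $location.Host -eq "login.microsoftonline.com")
        [pscustomobject]@{
            Url       = $Url
            Status    = $status
            Location  = $location
            PreAuthOk = $redirectedToAad
        }
    } finally {
        $client.Dispose()
    }
}

$result = Test-PreAuthRedirect -Url $externalUrl
$result | Format-List
if (-not $result.PreAuthOk) {
    Write-Warning "Anonymous request was not redirected to Azure AD sign-in; check the Preauthentication method of the published application."
}
```

A `Status` of 200 here means the application answered an anonymous request directly, which is what you get when the app was published with Passthrough instead of Azure AD preauthentication.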

Summary:

This was only one scenario for publishing applications through the AAD Application Proxy service. Because AAD Proxy handles authentication in the cloud, a WAP (Web Application Proxy) is not needed in this scenario.

There are a lot of things still to be tested with AAD Application Proxy in the coming weeks, including:

  • SSO for on-prem IWA apps using KCD with Application Proxy & SSO for non-Windows Apps
  • Publish applications with your own domain name
  • Assign conditional access to applications