Updated 8/21/2016

Azure AD Conditional access is now at general availability mode (GA) – published 07/28/2016

Supported applications:

  • Microsoft Office 365 Exchange Online
  • Microsoft Office 365 SharePoint Online
  • Dynamics CRM
  • Microsoft Office 365 Yammer
  • All of the 2,600+ SaaS applications from the Azure AD application gallery
  • On-premises app registered with Azure AD Application Proxy
  • LOB apps registered with Azure AD

Full list of supported application can be found from here.


I have been working with Enterprise Mobility Suite case (EMS) in last two months which has been interesting time in world of cloud and mobility. One of our goal has been to publish applications through AAD App Proxy and enable conditional access aka multi-factor authentication (MFA) to these applications when user is not inside corporate network.


  • Azure AD, EMS or Azure Multifactor-Authentication licenses and one of these licenses allocated to users
  • Azure AD Application Proxy enabled
  • Applications published through Azure AD App Proxy
  • Necessary claims configured to ADFS instance


Microsoft MFA has two different use case:

  • MFA on the cloud
  • MFA at on-premises which requires MFA server

In this case we are using MFA on the cloud with ADFS instance . Because we have federated domain users are authenticated against ADFS instance and we need to send information inside authentication token from onprem to Azure AD. Otherwise AAD is not able to identify where user is coming, inside or outside corporate network.


From the high level following configurations are needed

  1. Enable AAD App Proxy
  2. Download and install AAD App Proxy connector
  3. Publish applications through AAD App Proxy
  4. Assign permissions to user to use application and necessary license
  5. Configure ADFS instance to send necessary claims
  6. Enable Trusted IPs from Azure AD
  7. Enable conditional access to application from application level, not user level

Enable AAD App Proxy

Enabling AAD App Proxy is straightforward and easy to do. Navigate to https://manage.windowsazure.com and sign-in to your tenant. Select your Active Directory tenant and configure


Underneath configure and application proxy switch it as enabled. When turned enabled you can download AAD App Proxy Connector tool which needs to be installed to on-premises.


Download and Install connector

From the same page you can download AAD App Proxy connector. During installation connector tool registers itself to default tenant and you need to have global admin permissions to default tenant. I tried first to do this with synced account which had GA rights and regostration didn’t work. Then I created cloud based GA account and registration went through.

When connector or multiple connector server has been installed you can verify servers status from the same page manage connectors tab.

Publish application through AAD App Proxy

Navigate to your AAD Applications tab and select ADD


Select last option Publish and application….


Add application details: name, Internal URL and pre-authentication method. Names below are just examples and application which I have published earlier is called Intranet. This dummy IIS web site application is running at on-premises W2012 R2 server.


When hit okay your application has been published.


After that you can configure more settings for application like sso and assign user accounts and groups who can use the application. Single Sign-on will be covered at different post later on.



Configure ADFS Instance

Great guidance is found from here. You need to configure claims from Trusted IPs for federated users section. First claim definition from Microsoft guidance is needed only if you are using MFA Server at on-premises.

Edit Microsoft O365 Identity Platform trust


Add New claim rule


Pass through or filter incoming claim


Select Inside Corporate Network


Add second claim Keep users Sign In


Claim rule:

c:[Type == "http://schemas.microsoft.com/2014/03/psso"]
    => issue(claim = c);


Enable Trusted IPs


Enable Conditional Access to application

Final step is to configure conditional Access settings to application. In my case MFA challeng is only needed when user is coming outside corporate network.


When all configurations are in place you can access the application through O365 (https://portal.office.com) or MyApps portal (https://myapps.microsoft.com).

In my example I logon to myapps.microsoft.com portal and access application called Intranet which has been published through AAD App Proxy.


When accessing the application MFA challenge is activated (mfa registration made earlier) and my demo account is receiving a phone call to verify MFA challenge.


When second factor authentication is accepted my dummy IIS web site opens. This web site is located at on-premises W2012 R2 server.