Updated 8/21/2016
Azure AD Conditional Access is now generally available (GA) – published 07/28/2016
Supported applications:
- Microsoft Office 365 Exchange Online
- Microsoft Office 365 SharePoint Online
- Dynamics CRM
- Microsoft Office 365 Yammer
- All of the 2,600+ SaaS applications from the Azure AD application gallery
- On-premises app registered with Azure AD Application Proxy
- LOB apps registered with Azure AD
A full list of supported applications can be found here.
——————————————————————————————————————————————–
I have been working with Enterprise Mobility Suite (EMS) cases for the last two months, which has been an interesting time in the world of cloud and mobility. One of our goals has been to publish applications through AAD App Proxy and enable conditional access, i.e. multi-factor authentication (MFA), for these applications when the user is not inside the corporate network.
Pre-requisites
- Azure AD, EMS or Azure Multi-Factor Authentication licenses, with one of these licenses allocated to users
- Azure AD Application Proxy enabled
- Applications published through Azure AD App Proxy
- Necessary claims configured on the ADFS instance
Goal
Microsoft MFA has two different use cases:
- MFA in the cloud
- MFA on-premises, which requires MFA Server
In this case we are using MFA in the cloud with an ADFS instance. Because we have a federated domain, users are authenticated against the ADFS instance, and we need to send information inside the authentication token from on-premises to Azure AD. Otherwise AAD is not able to identify where the user is coming from, inside or outside the corporate network.
Configurations
At a high level, the following configurations are needed:
- Enable AAD App Proxy
- Download and install AAD App Proxy connector
- Publish applications through AAD App Proxy
- Assign permissions to users to use the application, and the necessary license
- Configure the ADFS instance to send the necessary claims
- Enable Trusted IPs in Azure AD
- Enable conditional access for the application at the application level, not the user level
Enable AAD App Proxy
Enabling AAD App Proxy is straightforward. Navigate to https://manage.windowsazure.com and sign in to your tenant. Select your Active Directory tenant and open Configure.
Under Configure, switch Application Proxy to Enabled. Once enabled, you can download the AAD App Proxy Connector tool, which needs to be installed on-premises.
Download and Install connector
From the same page you can download the AAD App Proxy connector. During installation the connector tool registers itself to the default tenant, and you need global admin permissions on the default tenant. I tried first to do this with a synced account which had GA rights and registration didn't work. Then I created a cloud-based GA account and registration went through.
When a connector, or multiple connector servers, has been installed you can verify the servers' status from the Manage Connectors tab on the same page.
Publish application through AAD App Proxy
Navigate to your AAD Applications tab and select Add.
Select the last option, Publish an application….
Add the application details: name, internal URL and pre-authentication method. The names below are just examples; the application which I have published earlier is called Intranet. This dummy IIS web site application is running on an on-premises W2012 R2 server.
When you hit OK, your application has been published.
After that you can configure more settings for the application, such as SSO, and assign the user accounts and groups who can use the application. Single sign-on will be covered in a different post later on.
Configure ADFS Instance
Great guidance is found here. You need to configure the claims from the Trusted IPs for federated users section. The first claim definition from Microsoft's guidance is needed only if you are using MFA Server on-premises.
Edit the Microsoft Office 365 Identity Platform trust.
Add a new claim rule.
Choose Pass Through or Filter an Incoming Claim.
Select Inside Corporate Network.
Add a second claim, Keep Users Signed In.
Claim rule:
c:[Type == "http://schemas.microsoft.com/2014/03/psso"] => issue(claim = c);
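As an added example (not from the original post), the same two pass-through rules applied with the ADFS PowerShell module instead of the GUI, followed by a check that both claim types are present in the trust. It assumes you run it on the primary ADFS server as an ADFS admin and that the trust still has its default display name "Microsoft Office 365 Identity Platform"; the insidecorporatenetwork claim type URI is the standard ADFS one used by Microsoft's Trusted IPs guidance, not a value quoted in this post.

```powershell
# Added example: append the two pass-through claim rules to the Office 365 trust,
# skipping any rule whose claim type is already issued, then verify the result.
# Assumption: default trust name and standard ADFS claim type URIs (see lead-in).
Import-Module ADFS

$trustName = "Microsoft Office 365 Identity Platform"

# Rule name => rule body. insidecorporatenetwork tells Azure AD whether the user
# came through the corporate network (Trusted IPs); psso is the rule from the post.
$rules = @{
    "Pass through Inside Corporate Network" = 'c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"] => issue(claim = c);'
    "Pass through Keep Users Signed In"     = 'c:[Type == "http://schemas.microsoft.com/2014/03/psso"] => issue(claim = c);'
}

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' not found" }

$existing  = [string]$trust.IssuanceTransformRules
$additions = ""
foreach ($name in $rules.Keys) {
    $body = $rules[$name]
    # Compare on the claim type URI so a rule added by hand under another name still counts.
    $claimType = ([regex]'Type == "([^"]+)"').Match($body).Groups[1].Value
    if ($existing -match [regex]::Escape($claimType)) {
        Write-Host "Rule for $claimType already present, skipping"
        continue
    }
    $additions += "@RuleName = `"$name`"`r`n$body`r`n"
}

if ($additions) {
    Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules ($existing + "`r`n" + $additions)
    Write-Host "Added rules:`r`n$additions"
}

# Verification: both claim types must now appear in the trust's issuance transform rules.
$check = [string](Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
foreach ($body in $rules.Values) {
    $claimType = ([regex]'Type == "([^"]+)"').Match($body).Groups[1].Value
    if ($check -notmatch [regex]::Escape($claimType)) { Write-Warning "Missing rule for $claimType" }
}
```

The rule text follows the same pass-through form as the claim rule quoted above, so it produces the same claims the GUI steps would.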
Enable Trusted IPs
Enable Conditional Access to application
The final step is to configure the Conditional Access settings for the application. In my case the MFA challenge is only needed when the user is coming from outside the corporate network.
When all configurations are in place you can access the application through O365 (https://portal.office.com) or the MyApps portal (https://myapps.microsoft.com).
In my example I log on to the myapps.microsoft.com portal and access the application called Intranet, which has been published through AAD App Proxy.
When accessing the application, the MFA challenge is activated (MFA registration was made earlier) and my demo account receives a phone call to verify the MFA challenge.
When the second-factor authentication is accepted, my dummy IIS web site opens. This web site is located on an on-premises W2012 R2 server.