Next in the lineup of the cool news we’re sharing this week is a set of enhancements we’ve added to the preview of the Azure AD Application Proxy. Azure AD Proxy is lightweight and fast way to give employees and partners in your Azure AD tenant access to on premise applications. Our goal is to make it easy to give cloud users access to apps like SharePoint, without having to manage DMZ’s or poke holes through corporate firewalls.
These enhancements integrate the App Proxy more completely into the end-to-end Azure AD experience from both the end-user and administrator user experience and security perspective:
- Pre-authentication is now done using Azure AD prior to passing user requests across the proxy.
- Admins can use Azure AD users and groups to grant access to on-premises applications like SharePoint.
- Tiles linking to on-premises applications are now included in our myapps.microsoft.com app launcher making it easy for users to get to all the web apps they use both on-premises and in the cloud.
I’ve asked Meir Mendelovich & Arieh Bibliowicz two of the PM’s in our application proxy team in Israel to do a quick write up for you with the details of these new capabilities.
I hope you’ll find this new set of options as exciting and useful as we do!
And as always, we’re looking forward to any feedback of suggestions you have.
Alex Simons (Twitter: @Alex_A_Simons)
Director of PM
Microsoft Identity and Security Division
Since introducing Azure AD Application Proxy, you have given us amazing responses! From the fact that any on-premises Web application can be added to Azure AD with minimal effort and without modification, to the simple and fast setup procedure of the service.
Today, in TechEd Europe, we are announcing the next phase of Azure AD Application proxy with three key enhancements being added to the service:
Pre-Authentication – limit access only to authenticated Azure AD users
You can now enable Azure AD pre-authentication for the applications published through Azure AD Application Proxy. Before users access the corporate network, Azure AD Application Proxy will ensure that the users are both authenticated and authorized to access this on-prem application. This is done by leveraging Azure AD as the identity provider for Azure AD Application Proxy, which means that all authentication settings that you have defined in Azure AD will apply, including multi-factor authentication, federated login, and branded login pages, to name a few.
Pre-authentication using Azure AD also means that the rich functionality, high scale, availability, and security of Azure AD is now available for your on-premises applications. Your applications also benefit from our security capabilities such as Distributed Denial of Service (DDoS) protection, automatic security updates, auditing and anomaly detection.
Here is how this new option appears in the application publishing wizard:
Fig 1: Adding an internal application and setting the pre-authentication method to Azure Active Directory
We will still have the option to add applications without pre-authentication, option we call passthrough.
Authorize access based on user and group assignments
If you choose to use pre-authentication, you can define who can access the application by assigning Azure AD users and groups to each application in the same way you manage access to SaaS applications giving you a single, unified admin experience for all of your applications. Users and groups may be created directly on Azure AD or originated from on-premises Active Directory that is synced to Azure AD.
Here is the users and group assignment page:
Fig 2: Admin experience for granting members of the “Marketing” group in Azure AD access in to an internal SharePoint site
An interesting usage scenario is to use Azure AD self-service group management to regulate access to on-prem applications. This is done by adding a group to an application that users Azure AD App Proxy and then letting employee request access to that group using our built in Self-Service Group Management feature. These requests can optionally be approved by a designated group owner as well. This is a very simple method to regulate access while delegating user management to the application owners in the organization.
On-premises applications in the Azure AD Access Panel
Your on-premises applications are now also available in the Azure AD Access Panel, giving users a single access point to all their applications: SaaS, home grown, or on-prem. The Azure AD Access Panel also takes into account user and group assignments limiting the availability of on-premises pre-authenticated applications to users that have been assigned to them – directly or through a group.
We are constantly improving and adding new features to Azure AD Application Proxy. Our topmost priority right now is to make it enterprise ready and declare the service as Generally Available, which we plan to do by the end of this calendar year.
On the functional side, we plan to add backend single sign-on (SSO) capabilities to on-premises Windows Integrated Auth (Kerberos) authenticated applications such as SharePoint, CRM, Outlook Web Access and many home-grown applications running on IIS.
There are many more things we want to add to the service and we always like to hear your feedback, so if you have something to tell us, send us an e-mail to firstname.lastname@example.org.
Want to learn more?
For all the details on how to configure Application Proxy and these new features see our MSDN documentation.
If you are in TechEd Europe this week in Barcelona make sure you attend our session: EM-B318 Free Your Apps: Introducing Microsoft Azure Active Directory Application Proxy and Windows Server Web Application Proxy. We would also be happy to meet you in person and hear your feedback. Shoot us an e-mail to email@example.com or just look for us in Ask the Experts evening.
Thanks for your time and we’ll hope to see you in Barcelona!
Meir Mendelovich & Arieh Bibliowicz