One of the issues with remote working is the need to run applications that are only available when you are in the office.
In the past this has meant running a Virtual Private Network (VPN) so that the remote device (usually a laptop) appears to be on the local area network (LAN). A very workable solution – but this requires infrastructure and isn’t very flexible. How many companies allow a user to install the corporate VPN software on their home PC?
The Azure AD Application Proxy could be the answer.
The Azure AD Application Proxy explained
The Azure AD Application Proxy is a remote access solution for on-premises resources that is included in all Azure AD Premium subscriptions. It allows you to easily publish your on-premises applications to users outside the corporate network.
Imagine a user, who is at home, who then remembers that they have not entered their expenses into the HR app, but the cut-off is tonight! They don’t have a work laptop, so they would normally have to head into the office. Instead, they switch on their home PC/tablet and navigate to MyApps.microsoft.com.
After they have authenticated using Azure AD, they can select the expenses system from the menu and launch the expenses web application. They get single sign-on (SSO) and are straight into booking their expenses.
Supported application types
The Azure Application Proxy supports a number of application types:
- Web applications that use Integrated Windows Authentication for authentication.
- Web applications that use form-based or header-based authentication.
- Web APIs that you want to expose to rich applications on different devices.
- Applications hosted behind a Remote Desktop Gateway.
- Rich client apps that are integrated with the Active Directory Authentication Library (ADAL).
As long as the application matches one of these types, the application proxy is a viable solution, even when the service is accessed over a remote desktop session through a Remote Desktop Gateway.
So, how does it work?
Let’s look at a high-level view of what’s going on:
First, the user accesses their MyApps page, which requires them to authenticate to Azure AD (using all of the conditional access policies that are in place) and then they select the application that they want to access.
This initiates a request to the Application Proxy service in Azure, which places it into a queue that is monitored by the App Proxy Connector running on-premises. The connector then passes the request to the internal web server and returns the response to the service, which responds to the user.
As part of the process, the proxy will also try to provide authentication to the application. It takes the user's authentication details from Azure AD and translates them into something the application can understand.
This can be done for applications that support Kerberos Constrained Delegation (KCD) or SAML. It also supports password vaulting – storing a user ID and password for an application securely in Azure AD and replaying them to the application on the user's behalf.
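The flow described in the last few paragraphs (publish an internal web app behind the proxy, require Azure AD pre-authentication, and let the connector obtain a Kerberos ticket for the user via KCD) can be scripted. The following is an added example and is not code from the original article; it uses the AzureAD and ActiveDirectory PowerShell modules, and the URLs, display name, connector host name and service principal name are placeholders you would replace with your own values.

```powershell
# Added example: publish an on-premises expenses web app through
# Azure AD Application Proxy with Azure AD pre-authentication and
# Kerberos Constrained Delegation (KCD) single sign-on.
# All names and URLs below are placeholders, not values from the article.

Import-Module AzureAD
Import-Module ActiveDirectory

Connect-AzureAD

# 1. Publish the application. Pre-authentication means the App Proxy
#    service forces an Azure AD sign-in (and any conditional access
#    policies) before the request is ever queued for the connector.
$app = New-AzureADApplicationProxyApplication `
    -DisplayName "Expenses (placeholder)" `
    -ExternalUrl "https://expenses-contoso.msappproxy.net/" `
    -InternalUrl "http://expenses.corp.contoso.local/" `
    -ExternalAuthenticationType AadPreAuthentication

# 2. Configure KCD single sign-on. The connector will request a Kerberos
#    ticket for the internal app's SPN on behalf of the signed-in user,
#    mapping the Azure AD identity to the on-premises UPN.
Set-AzureADApplicationProxyApplicationSingleSignOn `
    -ObjectId $app.ObjectId `
    -SingleSignOnMode OnPremisesKerberos `
    -KerberosInternalApplicationServicePrincipalName "HTTP/expenses.corp.contoso.local" `
    -KerberosDelegatedLoginIdentity OnPremisesUserPrincipalName

# 3. On-premises: allow ONLY the connector host's computer account to
#    delegate, and ONLY to the one SPN the app uses. Keeping this list
#    to a single SPN is what makes the delegation "constrained"; a broad
#    or unconstrained delegation setting would let a compromised
#    connector host impersonate users to any service.
Set-ADComputer -Identity "APPPROXY-CONNECTOR01" `
    -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/expenses.corp.contoso.local' }

# Verify that the delegation list contains exactly what you expect.
(Get-ADComputer -Identity "APPPROXY-CONNECTOR01" `
    -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
```

Step 3 runs on a domain-joined machine with the RSAT Active Directory module and sufficient rights to edit the connector's computer object; the connector host itself must be domain-joined and able to reach a domain controller for the ticket request to succeed.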
At the same time, this can increase security for the application by allowing you to leverage Azure AD capabilities such as SSO, conditional access and MFA without making changes to the original application itself.
By adding conditional access, the user can be challenged for multi-factor authentication (MFA) depending on where they are connecting from, what device they are using, which application they are accessing and the level of sign-in risk the user is showing.
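A conditional access policy that backs up the paragraph above, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK; the group and application object IDs are placeholders for your own values. The policy requires MFA for the published app whenever the sign-in does not come from a named trusted location, and it is created in report-only mode first so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: require MFA for an App Proxy-published application
# when the user signs in from outside trusted network locations.
# IDs below are placeholders, not values from the article.

Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Expenses app: MFA outside trusted locations (placeholder)"
    # Start in report-only mode; switch to "enabled" after reviewing impact.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeGroups = @("00000000-0000-0000-0000-000000000001")  # placeholder group id
        }
        applications = @{
            includeApplications = @("00000000-0000-0000-0000-000000000002")  # placeholder app id
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # named locations marked as trusted
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created.Id
```

Because the application was published with Azure AD pre-authentication, this policy is evaluated by the Application Proxy service before any request reaches the on-premises connector, so the legacy application gets the MFA requirement without any change to its own code.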