Azure AD Application Proxy: Workflow and Best Practices

What Is Azure AD Application Proxy?

Azure Active Directory (AD) offers an Application Proxy feature that lets you access on-prem web applications using a remote client. It consists of two main components:

• Application Proxy service—runs in the cloud
• Application Proxy connector—runs on on-premises servers

The service and connector interact to securely transmit user sign-on tokens from Azure AD to a web application.

Here are several use cases for Application Proxy:

• Application Proxy handles web applications using Integrated Windows authentication for header or form-based access.
• It also supports applications protected by a Remote Desktop Gateway and rich client applications integrated with MSAL (Microsoft Authentication Library).
• You can use Application Proxy with web APIs exposed to rich apps on different devices.
• Application Proxy works with applications hosted behind Remote Desktop Gateways.

Application Proxy lets you provide remote users with access to your internal resources without using a reverse proxy or virtual private network (VPN). However, you should not use this service for internal users on a corporate network because it can introduce performance issues.

Azure AD Application Proxy is only available in Premium licenses. Learn more in our guide to Azure AD premium (coming soon)

In this article:

• How Azure App Proxy Works
• Best Practices for Publishing Applications via Application Proxy
  • Use Connector Groups
  • Set Backend Application Timeout
  • Translate URLs in Headers and Application Body
  • Use Appropriate Cookie Types
• Azure AD Application Proxy with PathLock

How Azure App Proxy Works

Azure Application Proxy lets you publish external public HTTP/S URL endpoints in the Azure cloud. These URL endpoints connect to the internal URL of your organization’s application server.

On-premises web applications can integrate with Azure AD to enable single sign-on (SSO). End users can then access web applications that are hosted on-premises in the same way they’d access an SaaS application or Microsoft 365.

Key components of Azure App Proxy are:

• The Application Proxy service—runs in the cloud
• The Application Proxy connectors—lightweight agents that run on an on-prem server
• Azure AD—the identity provider

Together, all three components allow end-users to leverage SSO to access on-premises web applications.

Once signed in, an external user can access on-premises web applications using My Apps or a familiar URL from a personal iOS/Mac device or Windows desktop. For instance, Application Proxy provides SSO and remote access to Remote Desktop, Tableau, SharePoint sites, web Outlook, and custom line-of-business (LOB) applications.

Image Source: Azure

The diagram below provides an overview of how Application Proxy and Azure AD authentication services work together, offering single SSO to on-premises applications.

Image Source: Azure

The Azure Application Proxy workflow for end users is as follows:

1. Once users gain access to the application via an endpoint, Application Proxy directs them to the Active Directory sign-in page. If you configured conditional access policies, it checks certain conditions, ensuring the user complies with the security requirements of your organization. 

2. If sign-in is successful, Azure AD transfers a token to the client device of the user.

3. The client transfers the token to Application Proxy and the service accesses the token’s security principal name and user principal name (SPN/UPN).

4. The Application Proxy service sends the request to the Application Proxy connector.

5. The connector carries out any other authentication steps (optional according to the authentication method). The connector then requests the application server’s internal endpoint and forwards the request to the application.

6. The connector forwards the application server’s response to Application Proxy.

7. Application Proxy transfers the server’s response to the user. 

Best Practices for Publishing Applications via Application Proxy

Here are a few best practices that can help you make applications available via the Azure AD Application Proxy.

Leverage Connector Groups

Allocate a connector group to publish each application. All connector groups have two or more connectors to provide scale and high availability. Three connectors are ideal when you might need to service the machine at any time.

Set Timeouts for Backend Applications

Backend application timeout is useful if the application might take over 75 seconds to process each client transaction.

For example, consider a client that forwards a query to a web app, which acts as a database’s front end. The front end forwards this query to the backend database server, awaiting a reply. However, before a response arrives, the client-side of the conversation has timed out. Setting the timeout to “long” gives 180 seconds so that the backend can complete longer transactions.

Enable URL Translation in Headers and Application Body

Enable this option for situations where you can’t configure internal DNS to match your organization’s public namespace (known as Split DNS). If the application doesn’t need an original host header in client requests, keep this value as “yes”.

Enable application body link translation for your application if you require responses returned to the client to translate the links. This function provides the best translation of internal links found by the Application Proxy in CSS and HTML responses returned to the client.

Use the Right Cookies

Azure AD Application Proxy offers several cookie types:

• HTTP-only cookie—gives added security with Application Proxy including the HTTPOnly flag in the set-cookie HTTP response header. This setting assists with the mitigation of exploits, including cross-site scripting (XSS). Keep this set on “no” for user/clients agents that do not need to access the session cookie.
• Secure cookie—when you set a cookie using the Secure feature, the user agent (client-side application) only includes the cookie in an HTTP request sent over a secure TLS channel. You should enable this function to help mitigate the risk of an attacker compromising cookies via cleartext channels.
• Persistent cookie—lets Application Proxy session cookies persist after users close the browser. The cookies remain valid until a developer deletes them or they expire. This is useful for situations where rich applications (i.e., an Office application) access a document in a published web app, and the user is not prompted again for authentication. Be careful when enabling this feature, because persistent cookies can expose services to unauthorized access if you don’t compensate with additional security measures.

Azure AD Application Proxy with PathLock

Pathlock is the leader in Access Orchestration for business-critical applications. Staying compliant with Sarbanes-Oxley is a critical business requirement, and Pathlock Control helps to automate the compliance process. As a MISA member, Pathlock can bring these capabilities to users of Azure Active Directory, with a tight integration between the solutions.

Customers rely on Pathlock to streamline critical processes like fine grained provisioning, separation of duties, and detailed user access reviews. With Pathlock’s out-of-the-box integration to Azure Active Directory, customers can enjoy the best of both worlds, including:

• Coverage for the leading business applications, with support for key applications like SAP, Oracle, Workday, Dynamics365, Salesforce, and more
• Perform compliant provisioning at a transaction code or function level into both cloud and on-premise applications
• Define Separation of Duties (SOD) rules, both within an application and across them, and enforce them to prevent access risks and stay compliant
• Enrich User Access Reviews (UARs) with fine-grained entitlement details and usage about transactions performed with specific access combinations

Interested to learn more about the winning combination of Pathlock and Azure Active Directory? Request a demo today to see the solution in action!