Securing Remote Access with Azure AD Application Proxy

03/14/2025

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in implementing and configuring Azure AD Application Proxy to secure remote access to on-premises web applications. In a hybrid work environment, where users need to access internal resources from anywhere, the security of this access is fundamental. Azure AD Application Proxy provides a secure, simplified solution for publishing on-premises web applications to remote users without the need for complex VPNs or DMZs [1].

Introduction

Traditionally, remote access to internal applications required setting up virtual private networks (VPNs) or exposing applications to perimeter networks (DMZs), which added complexity and potential attack vectors. With the increasing adoption of remote and hybrid work models, organizations need a more secure and efficient way to provide access to legacy applications that still reside on-premises [2].

Azure AD Application Proxy is a feature of Azure Active Directory (now Microsoft Entra ID) that allows users to securely access on-premises web applications from any location. It acts as a reverse proxy, routing internal application traffic through Azure AD, which handles authentication and authorization. This means that on-premises applications can be accessed as if they were SaaS applications, leveraging Azure AD security features such as multi-factor authentication (MFA) and conditional access [3].

This practical guide covers the prerequisites, installing and configuring Application Proxy connectors, publishing different types of applications (web apps, Remote Desktop Web Client, SharePoint), integration with Conditional Access policies, and how to test and validate remote access. Step-by-step instructions, practical examples, and concise explanations are provided so that the reader can implement, test, and validate these features. In addition, security tips, compliance checks and best practices are discussed to keep remote access secure and efficient.

Why is Azure AD Application Proxy crucial for remote access?

  • Enhanced Security: Centralizes authentication and authorization in Azure AD, enabling the use of security features such as MFA, Conditional Access and Identity Protection for on-premises applications.
  • Simplified Access: Provides a single sign-on (SSO) experience for on-premises applications, making access easier for users.
  • Complexity Reduction: Eliminates the need for VPNs or DMZs for remote access, simplifying network architecture and reducing the attack surface.
  • Cost-effective: Uses existing Azure AD infrastructure, without the need for additional hardware or software for remote access.
  • Flexible Publishing: Supports publishing of a wide range of web applications, including header-based applications, SharePoint, Remote Desktop Web Client and other custom web applications.

Prerequisites

To configure Azure AD Application Proxy, you will need the following items:

  1. Licensing: An Azure AD Premium P1 or P2 subscription (or a license that includes these features, such as Microsoft 365 E3/E5) [4].
  2. Administrative Access: An account with the role of Global Administrator or Application Administrator in the Azure portal (https://portal.azure.com).
  3. Windows Server for Connector: A Windows Server (2012 R2 or later) server within your on-premises network that has connectivity to the applications you want to publish and to Azure AD. This server must have outbound internet access (ports 80 and 443 for Azure AD and 443 for the Azure AD Application Proxy service) [5].
  4. On-premises Web Applications: Internal web applications that you want to make accessible remotely.
  5. Custom Domain (Optional): A custom domain verified in Azure AD if you want to use friendly URLs for your published applications.

Step by Step: Configuring Azure AD Application Proxy

Let's configure Application Proxy and publish an application.

1. Installation and Configuration of the Application Proxy Connector

The connector is a lightweight agent that connects to Azure AD and your on-premises applications. It only makes outbound connections, so no inbound ports need to be opened on the corporate firewall.

  1. Open your browser and navigate to the Azure portal: https://portal.azure.com.
  2. Log in with an account that has the necessary permissions.
  3. In the top search field, type Azure Active Directory and select it from the results.
  4. In the left navigation pane, select Application Proxy under Manage.
  5. Click Download connector service.

  6. On the on-premises Windows server that you designated for the connector:

    • Download and run the connector installer (AADApplicationProxyConnectorInstaller.exe).
    • Follow the installation wizard instructions. During installation, you will be prompted to log in with your Azure AD global administrator credentials.
    • After successful installation, the connector service will start automatically.
  7. Back in the Azure portal, on the Application Proxy page, verify that the newly installed connector appears in the Connectors list with status Active.

    • Explanation: It is recommended to install at least two connectors for high availability and load balancing. Connectors update automatically, ensuring you always have the latest version.

2. Publishing an On-premises Web Application

Let's publish an internal web application. For this example, imagine that we have an internal web application called MinhaAppInterna accessible at http://minhaappinterna.local:8080.

  1. In the left navigation pane of Azure Active Directory, select Enterprise Applications under Manage.
  2. Click + New application.
  3. Click Integrate any other application you don't find in the gallery (Non-gallery).
  4. Basics:
    • Name: Give a meaningful name (e.g. MyInternal-ProxyApp).
    • Application type: Select On-premises application.
  5. Click Add.

  6. After creating the application, you will be redirected to the application management page. In the left navigation pane, select Application Proxy under Manage.

  7. Basic Settings:

    • Internal URL: Enter the internal URL of your application (e.g. http://minhaappinterna.local:8080). Make sure the connector server can resolve and reach this URL.
    • External URL: This URL will be automatically generated based on your default Azure AD domain (e.g. myappinternal-proxy.msappproxy.net). You can set up a custom domain if you have one.
    • Pre-authentication method: Select Azure Active Directory (recommended for maximum security).
    • Connector Group: Select the default connector group or a custom group if you have multiple connectors.
  8. Click Save.

  9. In the left navigation pane, select Users and groups under Manage.

  10. Click +Add user/group and assign Azure AD users or groups that will be allowed to access this application.

    • Explanation: Assigning users and groups is crucial to controlling who can access the published application. Azure AD Application Proxy ensures that only authenticated and authorized users can reach the internal application.

3. Configuring Conditional Access for Published Applications

Conditional Access allows you to enforce additional security policies, such as MFA, for application access.

  1. In the left navigation pane of Azure Active Directory, select Security > Conditional Access.
  2. Click + New Policy.
  3. Basics:
    • Name: Give a meaningful name (e.g. MFA_para_MinhaAppInternal).
  4. Assignments:
    • Users or workload identities: Select the users and groups that will be affected by the policy (e.g. Grupo_Usuarios_MinhaAppInterna).
    • Cloud apps or actions: Select MyInternal-ProxyApp (the application published in Section 2).
  5. Access Controls:
    • Grant: Select Grant access and Require multi-factor authentication.
  6. Enable Policy: Select Enabled.
  7. Click Create.

    • Explanation: This policy will ensure that any user attempting to access MyInternal-ProxyApp will be prompted to perform multi-factor authentication, even if the on-premises application does not support MFA natively.
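The same policy can also be created with the Microsoft Graph PowerShell SDK, which makes it reviewable and repeatable. The following is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Groups and Microsoft.Graph.Identity.SignIns modules are installed, and that the application from Section 2 and the group Grupo_Usuarios_MinhaAppInterna already exist. It creates the policy in report-only mode first so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example (not from the article): create the Section 3 Conditional Access policy via Microsoft Graph.
# Assumes the Microsoft.Graph modules are installed and the app and group below exist in the tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All", "Group.Read.All"

$appDisplayName   = "MyInternal-ProxyApp"              # enterprise application published in Section 2
$groupDisplayName = "Grupo_Usuarios_MinhaAppInterna"   # group that should be required to use MFA

# Conditional Access references the service principal's appId and the group's object id, so resolve both first
$sp    = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
$group = Get-MgGroup -Filter "displayName eq '$groupDisplayName'"
if (-not $sp -or -not $group) {
    throw "Application or group not found: publish the app (Section 2) and create the group before running this."
}

$policy = @{
    displayName = "MFA_para_MinhaAppInternal"
    # Report-only: the policy is evaluated and logged but not enforced, so misconfigured scoping does not lock users out
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups        = @($group.Id) }
        applications   = @{ includeApplications  = @($sp.AppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # Grant access + Require multi-factor authentication
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# After the sign-in logs show the policy evaluating as expected, switch it to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```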

4. Publishing Other Types of Applications

Application Proxy can also be used to publish other types of resources, such as Remote Desktop Web Client and SharePoint.

4.1. Publishing Remote Desktop Web Client

  1. Follow the steps in Section 2 to create a new enterprise application.
  2. In the Application Proxy configuration:
    • Internal URL: Enter the URL of your Remote Desktop Web Client server (e.g. https://rdweb.contoso.com/RDWeb).
    • External URL: Will be generated automatically.
    • Pre-authentication method: Azure Active Directory.
    • URL Translation Header Type: Backend URL Headers.
  3. Assign users/groups.

4.2. Publishing SharePoint On-premises

  1. Follow the steps in Section 2 to create a new enterprise application.
  2. In the Application Proxy configuration:
    • Internal URL: Enter the URL of your SharePoint site (e.g. https://sharepoint.contoso.local).
    • External URL: Will be generated automatically.
    • Pre-authentication method: Azure Active Directory.
    • URL Translation Header Type: Backend URL Headers.
  3. Assign users/groups.

Validation and Testing

It is crucial to test remote access to ensure applications are securely accessible.

1. Testing Access to the Published Application

  1. Scenario: From a computer outside the corporate network (e.g. your home), open a browser and navigate to the external URL of MyInternal-ProxyApp (e.g. https://myappinternal-proxy.msappproxy.net).
  2. Expected Action: You should be redirected to the Azure AD sign-in page. After entering your Azure AD credentials and, if configured, completing MFA, you should be redirected to the on-premises application (MinhaAppInterna).
  3. Verification:
    • Confirm that the application loads correctly and that you can interact with it.
    • Check the Azure AD sign-in logs to confirm that the access was authenticated through Application Proxy and that MFA was applied.

2. Checking Azure AD Sign-in Logs

  1. In the Azure portal, navigate to Azure Active Directory > Monitoring > Sign-in logs.
  2. Filter the logs by Application (MyInternal-ProxyApp).
  3. Check the sign-in details, including the Conditional Access status (it should show Success and indicate that MFA was applied).
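The same check can be scripted against the sign-in logs so it can be repeated after every change. The following is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph.Reports module is installed and that the account used can read sign-in logs. Each sign-in to the published application is marked OK only when Conditional Access evaluated successfully and a policy actually enforced MFA; anything else is flagged for review, including sign-ins where the policy was not applied at all, which usually means a scoping gap.

```powershell
# Added example (not from the article): verify from the sign-in logs that access to the published
# app was evaluated by Conditional Access and that MFA was enforced. Assumes Microsoft.Graph.Reports.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$appDisplayName = "MyInternal-ProxyApp"                 # application published in Section 2
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Pull the last 24 hours of sign-ins to this application only
$signIns = Get-MgAuditLogSignIn -Filter "appDisplayName eq '$appDisplayName' and createdDateTime ge $since" -All

$report = foreach ($s in $signIns) {
    # Policies that both evaluated successfully and required MFA ("Mfa" is the enforced grant control value)
    $mfaPolicies = @($s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -eq "success" -and $_.EnforcedGrantControls -contains "Mfa" })

    $ok = ($s.ConditionalAccessStatus -eq "success") -and ($mfaPolicies.Count -gt 0)
    $verdict = if ($ok) { "OK" }
               elseif ($s.ConditionalAccessStatus -eq "notApplied") { "REVIEW: no CA policy applied (scoping gap?)" }
               else { "REVIEW" }

    [pscustomobject]@{
        Time      = $s.CreatedDateTime
        User      = $s.UserPrincipalName
        IP        = $s.IPAddress
        CAStatus  = $s.ConditionalAccessStatus
        MfaPolicy = ($mfaPolicies.DisplayName -join ", ")
        ErrorCode = $s.Status.ErrorCode            # 0 = successful sign-in
        Verdict   = $verdict
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
"{0} sign-ins checked, {1} need review" -f $report.Count, @($report | Where-Object Verdict -ne "OK").Count
```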

Security Tips and Best Practices

  • Always Use Azure AD Pre-authentication: Azure AD pre-authentication is the most secure method as it ensures that only authenticated and authorized users reach your internal network. Avoid Pass-through unless strictly necessary for applications that cannot handle pre-authentication.
  • Conditional Access: Use Conditional Access to enforce additional security policies such as MFA, location restrictions, device compliance, etc. for all applications published via Application Proxy.
  • Connector Groups: Organize your connectors into groups to isolate applications or to have connectors closer to specific applications for better performance.
  • High Availability: Install at least two connectors on separate servers to ensure high availability and resiliency. Consider installing in different regions or availability zones, if applicable.
  • Connector Maintenance: Although connectors update themselves automatically, monitor their status in the Azure portal to ensure they are always active and healthy.
  • Connector Server Security: Secure the server where the connector is installed. Keep it updated, apply the principle of least privilege, and monitor it for suspicious activity.
  • Performance Optimization: For applications with high traffic or that require low latency, consider the location of the connectors in relation to the application servers and the available bandwidth.
  • Monitoring: Monitor Azure AD login logs and connector logs to detect suspicious activity or access issues.

Common Troubleshooting

  • Access Error (404, 500, etc.):
    • Check the internal URL: Make sure that the internal URL configured in the Application Proxy is correct and that the connector can access it directly from the server where it is installed.
    • Check the connector: Confirm that the connector is Active in the Azure portal. Restart the connector service on the server.
    • Check the connector group: Make sure the connector group assigned to the application has at least one active connector.
    • Local firewall: Check whether the firewall on the connector server or application server is blocking traffic.
  • Applications do not load correctly (rendering problems):
    • Header Translation: For some applications, you may need to adjust the URL Translation Header Type in the Application Proxy settings to Backend URL Headers or Frontend URL Headers.
    • Hardcoded links: Applications with hardcoded links to internal URLs may experience problems. Consider using Application Proxy's Link Translation or reconfiguring the application if possible.
  • SSO issues:
    • SSO Configuration: Check the SSO settings in the enterprise application. For applications that are not federated, you may need to configure password-based SSO or header SSO.
    • Kerberos Constrained Delegation (KCD): For applications that use Integrated Windows Authentication (IWA), verify that KCD is configured correctly in Active Directory for the connector.
  • Conditional Access blocking legitimate users:
    • Carefully review Conditional Access policies. Verify that users or groups are included or excluded correctly.
    • Use the What If tool in Conditional Access to simulate access and understand why a policy is being enforced or blocked.
  • Offline Connector:
    • Verify the connector server's network connectivity to Azure AD (outbound ports 80 and 443) and to the Application Proxy service (outbound port 443).
    • Check the Windows event logs on the connector server for service-related errors.
    • Make sure the Microsoft AAD Application Proxy Connector service is running.
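The three checks above, together with the connector status check in Section 1 step 7, can be run from the connector server itself. The following is an added example, not code from the article or from Microsoft. It assumes the connector service names WAPCSvc and WAPCUpdaterSvc, the event log channel Microsoft-AadApplicationProxy-Connector/Admin, and the Azure AD sign-in endpoints login.microsoftonline.com and login.windows.net; the per-tenant *.msappproxy.net and *.servicebus.windows.net endpoints vary by region and should be added from your own connector configuration.

```powershell
# Added example (not from the article): run on the connector server to check the "Offline Connector" points.
# Service names, event log channel and endpoint hostnames are assumptions stated in the lead-in.

# 1. Is the connector service (and its updater) installed and running?
foreach ($name in @("WAPCSvc", "WAPCUpdaterSvc")) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service $name not found: is the connector installed?"; continue }
    "{0,-16} {1}" -f $name, $svc.Status
    if ($svc.Status -ne "Running") { Write-Warning "$name is not running; try: Restart-Service $name" }
}

# 2. Outbound connectivity to Azure AD on 80/443 (Prerequisites item 3). Add your tenant's
#    *.msappproxy.net / *.servicebus.windows.net hosts here to cover the Application Proxy service on 443.
$checks = @(
    @{ Host = "login.microsoftonline.com"; Port = 443 },
    @{ Host = "login.microsoftonline.com"; Port = 80  },
    @{ Host = "login.windows.net";         Port = 443 }
)
foreach ($c in $checks) {
    $open = Test-NetConnection -ComputerName $c.Host -Port $c.Port -InformationLevel Quiet -WarningAction SilentlyContinue
    "{0,-28} tcp/{1,-4} {2}" -f $c.Host, $c.Port, $(if ($open) { "open" } else { "BLOCKED - check proxy/firewall" })
}

# 3. Errors logged by the connector in the last 24 hours (Level 2 = Error)
Get-WinEvent -FilterHashtable @{
    LogName   = "Microsoft-AadApplicationProxy-Connector/Admin"
    Level     = 2
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message -First 10 | Format-Table -Wrap
```

A service that is running but shows BLOCKED on 443 is the usual cause of a connector listed as Inactive in the portal.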

Conclusion

Azure AD Application Proxy is a powerful and secure tool for extending access to on-premises web applications to remote users, aligning with the principles of the Zero Trust model. By centralizing authentication and authorization in Azure AD and eliminating the need for complex remote access infrastructures, organizations can simplify their security architecture while strengthening threat protection. Careful implementation, integration with Conditional Access, and ongoing monitoring are essential to maximize security benefits and ensure a fluid user experience. With this practical guide, security professionals and IT administrators will be well-equipped to configure, validate, and manage Azure AD Application Proxy, securing remote access to critical applications and strengthening their organizations' security posture.


References:

[1] Microsoft Learn. Publish local apps with Microsoft Entra Application Proxy. Available at: https://learn.microsoft.com/pt-br/entra/identity/app-proxy/overview-what-is-app-proxy

[2] Microsoft Learn. Add a local application for remote access through Microsoft Entra Application Proxy. Available at: https://learn.microsoft.com/pt-br/entra/identity/app-proxy/application-proxy-add-on-premises-application

[3] Microsoft Learn. Publish Remote Desktop with Microsoft Entra Application Proxy. Available at: https://learn.microsoft.com/pt-br/entra/identity/app-proxy/application-proxy-integrate-with-remote-desktop-services

[4] Microsoft Learn. Microsoft Entra ID Licensing. Available at: https://learn.microsoft.com/pt-br/entra/identity/licensing-azure-active-directory

[5] Microsoft Learn. Microsoft Entra Application Proxy connectors. Available at: https://learn.microsoft.com/pt-br/entra/identity/app-proxy/application-proxy-connectors

[6] Microsoft Learn. Conditional Access in Microsoft Entra ID. Available at: https://learn.microsoft.com/pt-br/entra/identity/conditional-access/overview

[7] Microsoft Learn. Troubleshoot Microsoft Entra Application Proxy connectors. Available at: https://learn.microsoft.com/pt-br/entra/identity/app-proxy/application-proxy-troubleshoot-connectors