On-Premises App Integration with Application Proxy
On-Premises App Integration with Application Proxy is a feature in Microsoft Entra ID (formerly Azure AD) that enables secure remote access to on-premises web applications without requiring a VPN. It acts as a bridge between external users and internal applications, providing a seamless and secure authentication experience.

**How It Works:** Application Proxy consists of two key components: a cloud-based service running in Microsoft Entra ID and an on-premises connector installed on a Windows Server within your network. When a user requests access to an on-premises application, the request flows through Microsoft Entra ID, which authenticates the user. The Application Proxy connector then forwards the request to the internal application and returns the response to the user.

**Key Components:**
1. **Application Proxy Service** – Runs in the cloud and handles external user requests.
2. **Application Proxy Connector** – A lightweight agent installed on-premises that establishes outbound connections to the cloud service, eliminating the need to open inbound firewall ports.
3. **Microsoft Entra ID** – Performs authentication and applies Conditional Access policies.

**Benefits:**
- **No VPN Required** – Users access on-premises apps securely through the cloud.
- **Single Sign-On (SSO)** – Supports SSO using Kerberos Constrained Delegation, header-based authentication, and SAML.
- **Conditional Access** – Enforces MFA, device compliance, and risk-based policies for on-premises apps.
- **Security** – No inbound connections are needed; connectors use outbound HTTPS connections only.
- **Workload Identity Integration** – Applications published through Application Proxy are registered as enterprise applications in Microsoft Entra ID, enabling managed identities and service principal configurations.

**Planning Considerations:** Administrators should plan connector group placement for high availability, configure appropriate authentication methods, assign users and groups, and apply Conditional Access policies. Network latency between connectors and applications should be minimized for optimal performance. Application Proxy is essential for organizations transitioning to hybrid environments, securely extending identity-driven access to legacy on-premises applications.
On-Premises App Integration with Azure AD Application Proxy – Complete Guide for SC-300
Why Is On-Premises App Integration with Application Proxy Important?
Organizations frequently have legacy or internal web applications hosted on-premises that employees, partners, or contractors need to access. Traditionally, this required VPN connections, which are complex to manage, expensive to maintain, and can introduce security risks. Azure AD Application Proxy solves this problem by providing secure remote access to on-premises web applications without requiring a VPN.
For the SC-300 (Microsoft Identity and Access Administrator) exam, understanding Application Proxy is critical because it falls squarely within the domain of planning and implementing workload identities and managing access to enterprise applications. Microsoft expects candidates to know how to configure, secure, and troubleshoot Application Proxy deployments.
What Is Azure AD Application Proxy?
Azure AD Application Proxy is a feature of Azure Active Directory that enables users to access on-premises web applications from outside the corporate network. It acts as a reverse proxy service, brokering connections between external users and internal applications.
Key characteristics include:
• No inbound firewall ports required – The connector makes outbound connections only, so no inbound ports need to be opened in the corporate firewall.
• No VPN needed – Users connect through Azure AD, eliminating the need for traditional VPN infrastructure.
• Single Sign-On (SSO) – Integrates with Azure AD authentication, supporting SSO methods such as Kerberos Constrained Delegation (KCD), header-based authentication, password-based SSO, and SAML-based SSO.
• Conditional Access support – On-premises apps published through Application Proxy can leverage Azure AD Conditional Access policies, including MFA, device compliance, and risk-based policies.
• Azure AD Premium P1 (or higher) license required – Application Proxy is a premium feature.
How Does Application Proxy Work?
The architecture involves three main components:
1. Azure AD Application Proxy Service (Cloud)
This is the cloud-hosted service that acts as the intermediary between the user and the on-premises application. Users authenticate against Azure AD first, then the service routes the traffic to the on-premises connector.
2. Application Proxy Connector (On-Premises)
This is a lightweight agent installed on a Windows Server within the corporate network (or a network that has access to the target application). Key facts about the connector:
• It runs as a Windows service on a domain-joined Windows Server (Windows Server 2012 R2 or later).
• It makes outbound HTTPS (port 443) connections to the Application Proxy cloud service — no inbound connections are needed.
• Multiple connectors can be installed for high availability and load balancing.
• Connectors can be organized into Connector Groups to direct specific applications to specific connectors (useful in multi-site or segmented network scenarios).
• The connector handles the Kerberos Constrained Delegation (KCD) negotiation when SSO to the back-end application uses Windows Integrated Authentication.
3. The On-Premises Web Application
This is the target application (e.g., SharePoint on-premises, an internal CRM, intranet portal, or any HTTP/HTTPS-based application).
Traffic Flow Step-by-Step:
1. The user navigates to the external URL (e.g., https://app.msappproxy.net or a custom domain like https://app.contoso.com).
2. Azure AD authenticates the user (applying Conditional Access policies, MFA, etc.).
3. After authentication, a token is sent to the Application Proxy cloud service.
4. The cloud service forwards the request to the on-premises Application Proxy connector via the persistent outbound connection.
5. The connector forwards the request to the internal web application, optionally performing SSO (e.g., via KCD).
6. The response travels back through the connector → cloud service → user's browser.
Key Configuration Steps
Step 1: Install and Register the Connector
• Download the connector from the Azure portal (Azure AD → Application Proxy).
• Install it on a domain-joined Windows Server with access to the target application.
• During installation, sign in with a Global Administrator or Application Administrator account to register the connector with your Azure AD tenant.
Step 2: Publish the Application
• In Azure AD → Enterprise Applications → New Application → Add an on-premises application.
• Configure the Internal URL (the URL used inside the corporate network, e.g., https://intranet.contoso.local).
• Configure the External URL (the URL users will access from outside, e.g., https://intranet-contoso.msappproxy.net or a custom domain).
• Select the Connector Group to use.
• Choose a Pre-Authentication method: Azure Active Directory (recommended) or Passthrough.
Step 3: Configure Single Sign-On
• Choose the appropriate SSO mode based on the application's authentication method:
- Windows Integrated Authentication (WIA): Use Kerberos Constrained Delegation. Requires configuring a Service Principal Name (SPN) and delegation settings in Active Directory.
- Header-based authentication: Supported natively or via integration with PingAccess.
- Password-based SSO: Azure AD stores and replays credentials.
- SAML SSO: For applications that support SAML 2.0.
- Linked SSO: Azure AD only redirects the user to the application's existing sign-in page; sign-on itself is handled by the application.
Step 4: Assign Users and Groups
• Assign Azure AD users or groups to the enterprise application to control who can access it.
Step 5: Apply Conditional Access Policies (Optional but Recommended)
• Create Conditional Access policies targeting the published application to enforce MFA, device compliance, session controls, etc.
Important Concepts for the SC-300 Exam
Connector Groups:
• Allow you to assign specific connectors to specific applications.
• Useful when you have multiple data centers or network segments.
• Each connector can belong to only one connector group.
• A connector group must have at least one connector assigned for published applications to function.
Custom Domains:
• By default, applications get an *.msappproxy.net URL.
• You can configure custom domains (e.g., app.contoso.com) by uploading a wildcard or specific SSL certificate and configuring DNS CNAME records.
• Custom domains provide a better user experience and can enable seamless SSO with matching internal/external URLs.
Kerberos Constrained Delegation (KCD):
• Required when the back-end application uses Windows Integrated Authentication.
• The connector's computer account must be granted delegation rights in Active Directory to the target application's SPN.
• The connector must be installed on a domain-joined server in the same AD forest (or a trusted forest) as the application.
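The Active Directory side of the KCD setup described above, as an added PowerShell example that is not part of this guide. It assumes a connector server named CONNECTOR01, an application service account svc-intranet (the identity the app's IIS application pool runs as) and the internal host intranet.contoso.local, all hypothetical, and must be run by a domain administrator on a machine with the ActiveDirectory RSAT module.

```powershell
# Added example: grant an Application Proxy connector constrained delegation
# to an internal WIA application so it can request Kerberos tickets on the user's behalf.
# All names below are hypothetical placeholders for this example.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$ConnectorComputer = 'CONNECTOR01'                 # connector server (computer account)
$AppServiceAccount = 'svc-intranet'                # sAMAccountName the app pool runs as
$AppSpn            = 'HTTP/intranet.contoso.local' # SPN derived from the app's Internal URL host

# 1. Register the application's SPN on its service account if it is not already there.
#    setspn -S checks the forest for a duplicate SPN before adding it.
$alreadyRegistered = (setspn -L $AppServiceAccount) -match [regex]::Escape($AppSpn)
if (-not $alreadyRegistered) {
    setspn -S $AppSpn $AppServiceAccount
}

# 2. Allow the connector's computer account to delegate ONLY to that SPN.
#    This is constrained delegation (msDS-AllowedToDelegateTo lists the permitted
#    targets); never use unconstrained delegation (TrustedForDelegation) for a connector.
Set-ADComputer -Identity $ConnectorComputer -Add @{ 'msDS-AllowedToDelegateTo' = $AppSpn }

# 3. Enable protocol transition ("Use any authentication protocol"): the user
#    authenticated to Azure AD, not with Kerberos, so the connector must be able
#    to obtain a ticket for the user without having received one from them.
Set-ADAccountControl -Identity "$ConnectorComputer$" -TrustedToAuthForDelegation $true

# 4. Verify: the SPN must appear in the delegation list and the
#    TRUSTED_TO_AUTH_FOR_DELEGATION flag (0x1000000) must be set in userAccountControl.
$c = Get-ADComputer -Identity $ConnectorComputer -Properties 'msDS-AllowedToDelegateTo', userAccountControl
[pscustomobject]@{
    Connector           = $c.Name
    AllowedToDelegateTo = ($c.'msDS-AllowedToDelegateTo' -join ', ')
    ProtocolTransition  = [bool]($c.userAccountControl -band 0x1000000)
}
```

After the change, restart the connector service (or wait for its Kerberos ticket cache to expire) before testing SSO through the external URL.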
High Availability:
• Install multiple connectors (at least two per connector group) for redundancy.
• Connectors are stateless — if one fails, traffic is automatically routed to another.
Network Requirements:
• Connectors require outbound access to the Azure AD Application Proxy service on ports 80 and 443.
• No inbound firewall rules are required — this is a key exam point.
• Connectors also need access to *.msappproxy.net, *.servicebus.windows.net, and Azure AD login endpoints.
Pre-Authentication Options:
• Azure Active Directory: Users must authenticate with Azure AD before reaching the application. This enables Conditional Access, MFA, and SSO integration.
• Passthrough: No Azure AD pre-authentication; the request is passed directly to the application. Conditional Access and Azure AD SSO are NOT available with this option.
Licensing:
• Azure AD Application Proxy requires Azure AD Premium P1 or P2 licenses.
Common Exam Scenarios and How to Handle Them
Scenario 1: "Users need to access an on-premises SharePoint site without a VPN, and MFA must be enforced."
→ Publish the SharePoint site using Application Proxy with Azure AD pre-authentication. Configure a Conditional Access policy requiring MFA. Configure SSO using KCD.
Scenario 2: "The on-premises application uses header-based authentication."
→ Publish the app via Application Proxy and configure header-based SSO (natively supported or via PingAccess integration).
Scenario 3: "You need to ensure high availability for Application Proxy."
→ Install multiple connectors in the same connector group. Connectors are stateless and provide automatic failover.
Scenario 4: "An application is in a DMZ and the connector cannot reach it."
→ Install a connector on a server that has network access to the application, or create a separate connector group with connectors in the appropriate network segment.
Scenario 5: "You want users to see a friendly URL instead of msappproxy.net."
→ Configure a custom domain on the Application Proxy application, upload the SSL certificate, and create a DNS CNAME record.
Exam Tips: Answering Questions on On-Premises App Integration with Application Proxy
1. Remember: No inbound ports. Application Proxy connectors use outbound HTTPS connections only. If a question mentions opening inbound firewall ports for Application Proxy, that answer is incorrect.
2. Know the licensing requirement. Application Proxy requires Azure AD Premium P1 or P2. If a scenario mentions a free or basic Azure AD tier, Application Proxy is not available.
3. Understand pre-authentication options. If the question requires Conditional Access or MFA, the pre-authentication method must be set to Azure Active Directory, not Passthrough. Passthrough bypasses Azure AD authentication entirely.
4. Connector placement matters. The connector must be installed on a server that has network access to the internal application. It must be a domain-joined Windows Server for KCD scenarios.
5. KCD requires AD configuration. If the question involves SSO to an app using Windows Integrated Authentication, look for answers that mention configuring SPNs and delegation in Active Directory. The connector's machine account needs delegation rights.
6. Connector Groups are key for multi-site scenarios. If the question describes applications in different data centers or network segments, the answer likely involves creating separate connector groups with connectors in each location.
7. Custom domains require a certificate and DNS. If a question asks about using a custom URL, remember you need to upload an SSL certificate and configure a CNAME record pointing to the msappproxy.net address.
8. High availability = multiple connectors. Always recommend at least two connectors per connector group for production environments. The connectors are stateless and load balance automatically.
9. Watch for distractor answers involving WAP (Web Application Proxy). WAP is the older AD FS-based solution. Application Proxy is the Azure AD-native solution that does not require AD FS. If the question is about Azure AD and modern identity, Application Proxy is typically the correct choice.
10. Application Proxy supports HTTP and HTTPS applications only. It is not designed for non-web protocols like RDP or SSH (though there are workarounds with Remote Desktop Gateway). If the question asks about publishing non-HTTP applications, Application Proxy alone is not the answer.
11. When a question mentions "workload identity" in the context of Application Proxy, remember that the published application is represented as an Enterprise Application (service principal) in Azure AD. You manage access through user/group assignments and Conditional Access just like any other enterprise app.
12. Elimination strategy: If you see an answer choice that requires VPN configuration, opening inbound ports, or installing AD FS for a scenario that simply asks about remote access to an on-premises web app via Azure AD, eliminate it. Application Proxy is designed to avoid all of these.
13. Read carefully for SSO method clues. The type of back-end authentication determines the SSO method: WIA → KCD, claims-based → SAML, legacy forms-based → password-based SSO, APIs/microservices → header-based.
By mastering these concepts and tips, you will be well-prepared to answer any SC-300 exam question related to publishing on-premises applications with Azure AD Application Proxy.