Azure AD - Access On-Prem Web Application with Secure Remote Access

Accessing On-premises web application securely from remote location


Gopi Narayanaswamy

3 years ago | 1 min read

Assume you have a web application deployed on-premises, and you want remote users to reach it securely, with multi-factor authentication (MFA) enforced at sign-in.

Azure AD provides this through Azure Active Directory Application Proxy, which gives secure remote access to on-premises web applications without opening inbound firewall ports. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal. For example, Application Proxy can provide remote access and single sign-on to Remote Desktop, SharePoint, Teams, Tableau, Qlik, and line-of-business (LOB) applications.

The Application Proxy offering has two parts: a cloud service, called the Application Proxy Service, and an on-premises connector. The Application Proxy Connector runs on an on-premises server and opens only outbound connections to the service; together they securely pass user sign-on tokens from Azure AD to the on-premises web app being accessed.

Application Proxy works with:

· Web applications that use Integrated Windows Authentication for authentication

· Web applications that use form-based or header-based access

· Web APIs that you want to expose to rich applications on different devices

· Applications hosted behind a Remote Desktop Gateway

· Rich client apps that are integrated with the Microsoft Authentication Library (MSAL)

How Application Proxy works

1. After the user has accessed the application through an endpoint, the user is directed to the Azure AD sign-in page. Any Conditional Access policy on the application, such as a requirement for MFA, is enforced here, before the request reaches your network.

2. After a successful sign-in, Azure AD sends a token to the user's client device.

3. The client sends the token to the Application Proxy service, which validates it and retrieves the user principal name (UPN) and security principal name (SPN) from the token. Application Proxy then sends the request to the Application Proxy connector.

4. If you have configured single sign-on, the connector performs any additional authentication required on behalf of the user (for example, Kerberos constrained delegation for an application that uses Integrated Windows Authentication).

5. The connector sends the request to the on-premises application.

6. The response is sent back through the connector and the Application Proxy service to the user.
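The following is an added example, not code from the original post, showing how the scenario described above (publish the on-premises app through Application Proxy with Azure AD pre-authentication, then require MFA for it) can be scripted with the Microsoft Graph PowerShell SDK. The display name, external and internal URLs, connector group ID and user group ID are placeholder assumptions; the `onPremisesPublishing` property is only available on the Graph beta endpoint, and the custom application template ID is the one Microsoft publishes for non-gallery applications.

```powershell
# Added example (not from the original post). Publishes an on-prem web app via
# Azure AD Application Proxy with pre-authentication and attaches a Conditional
# Access policy that requires MFA. Requires the Microsoft.Graph PowerShell module.
# ASSUMED placeholders: URLs, connector group ID, user group ID, display name.

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Directory.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess'

$displayName        = 'Contoso Intranet (App Proxy)'              # assumed
$externalUrl        = 'https://intranet-contoso.msappproxy.net/'  # assumed
$internalUrl        = 'https://intranet.corp.contoso.local/'      # assumed
$connectorGroupId   = '<connector group object id>'               # assumed; list with GET /beta/onPremisesPublishingProfiles/applicationProxy/connectorGroups
$remoteUsersGroupId = '<Remote Users group object id>'            # assumed

# 1. Instantiate a custom (non-gallery) application. This template ID is the
#    documented one for custom apps; the call returns both the application and
#    its service principal.
$inst = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate' `
    -Body @{ displayName = $displayName }
$appObjectId = $inst.application.id
$appId       = $inst.application.appId

# 2. Publish it through Application Proxy. externalAuthenticationType
#    'aadPreAuthentication' is what forces the Azure AD sign-in (step 1 of the
#    flow above) before anything is forwarded to the connector; 'passthru'
#    would skip that and is the setting to avoid for an app you want behind MFA.
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/applications/$appObjectId" -Body @{
    onPremisesPublishing = @{
        externalUrl                  = $externalUrl
        internalUrl                  = $internalUrl
        externalAuthenticationType   = 'aadPreAuthentication'
        isTranslateHostHeaderEnabled = $true
        isHttpOnlyCookieEnabled      = $true
        isSecureCookieEnabled        = $true
    }
}

# 3. Bind the published app to the connector group whose connectors can reach
#    the internal URL.
Invoke-MgGraphRequest -Method PUT -Uri "https://graph.microsoft.com/beta/applications/$appObjectId/connectorGroup/`$ref" -Body @{
    '@odata.id' = "https://graph.microsoft.com/beta/onPremisesPublishingProfiles/applicationProxy/connectorGroups/$connectorGroupId"
}

# 4. Conditional Access: require MFA for every sign-in to this application,
#    scoped to the remote-user group. This is evaluated at step 1 of the flow.
Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -Body @{
    displayName = "Require MFA - $displayName"
    state       = 'enabled'
    conditions  = @{
        users          = @{ includeGroups = @($remoteUsersGroupId) }
        applications   = @{ includeApplications = @($appId) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 5. Verify: read the publishing settings back and fail loudly if the app is
#    not pre-authenticated, because a passthru app would bypass the policy above.
$check = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/applications/$appObjectId`?`$select=onPremisesPublishing"
if ($check.onPremisesPublishing.externalAuthenticationType -ne 'aadPreAuthentication') {
    throw "Application is not configured for Azure AD pre-authentication; MFA policy will not be enforced."
}
Write-Host "Published $displayName at $externalUrl with pre-authentication and MFA required."
```

Assign the remote-user group to the application (an app role assignment on the service principal) so that only those users can sign in; the Conditional Access policy controls how they authenticate, not who is permitted.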


Created by

Gopi Narayanaswamy

Data Center, Cloud and Security Consultant - Design, Architecting, Penetration testing and Review with hands on Python, Rust, PowerShell, Azure Automation, Ansible, Terraform, API and other tools
