Using Azure AD Application Proxy to Publish Internal Web Apps

Making it easier for users to access applications makes it easier for them to be productive wherever they are. Azure AD Application Proxy helps us to achieve this and may help you improve the security of the site too.

Using Azure AD Application Proxy, users can access applications from anywhere outside the corporate firewall without the need for VPN access, and you can add MFA and other security controls to apps that don’t natively support them.

With users working remotely, how are they accessing the internal line of business systems such as web applications that you have running? Chances are they may be having to use a VPN but Azure AD Application Proxy could provide you with a better solution.

Oftentimes, we work with customers to help them to move workloads to Microsoft Azure but what if you want or need to keep something on-premises?

Internal web applications have traditionally only been accessible behind VPN because making them externally accessible was either too costly, complex, or insecure. Having applications only accessible behind the VPN means that users may be limited in how, when, and where they can access them. So how can we get the best of both worlds: internal applications which are securely published but without the associated costs? With remote working at an all-time high due to COVID-19, could reducing the strain on your VPN solution improve performance for the users that actually need to be on VPN?

What if, for example, your employees could access your time tracking, HR, or other workplace management systems from their smartphone or tablet enabling them to gain access to and submit data while on the move?

Azure AD Application Proxy enables these kinds of scenarios.

What is Azure AD Application Proxy?

A feature of Azure AD Premium P1 and P2, it is a solution that’s available free as part of your existing investment in Azure AD Premium. Using agents to broker connections from outside to inside, it allows you to publish applications to the web without needing to open any inbound firewall ports or anything complex.

Apps are created within Azure AD to support each of the web applications you wish to publish. Apps can optionally be published to specific users or groups limiting who can see the application as available and by fronting authentication and access with Azure AD Conditional Access, access to applications can be secured with the same policies that we use for the Microsoft 365 suite: location, client type, device type, and other restrictions all while adding options like Multi-factor Authentication too.

Fronting applications with Azure AD Application Proxy is a simple, effective, and low-cost option to build additional security into existing web applications where refactoring or reworking the application itself isn’t viable or possible.

How does Azure AD Application Proxy work?

The way it works is remarkably simple. You download and install the Azure AD Application Proxy Connector service: a small, headless service that runs on one or more servers in your environment. It supports Windows Server Core, making it extremely lightweight, and it can be installed on workgroup machines in the DMZ, meaning it doesn’t even need to be inside your domain network*.

* If you opt for a DMZ-based installation of Azure AD Application Proxy then it does limit your options for application authentication. You cannot use Kerberos-based authentication methods with DMZ-based deployments.

Each Connector Group can support multiple applications: you don’t need to deploy a Connector Group for each one. Connector Groups scale easily too: scale up by adding capacity to existing Connectors, or scale out by adding additional Connectors as you publish more applications or more users start working through the service.

Does it only work for Windows IIS web servers?

No, Azure AD Application Proxy doesn’t know or care what the underlying platform is. Your web applications can run on Windows IIS web servers, Linux Apache servers, or anything else.

What about high-availability?

Azure AD Application Proxy provides high availability at the service level by enabling you to deploy multiple Connectors in a Connector Group. When multiple Connectors are deployed in a Connector Group, the connections into the application from Azure AD are automatically load-balanced and distributed across them. This provides high availability and resiliency, allowing you to perform maintenance on an individual Connector without service downtime.

What if we have multiple datacenters? How is traffic routing handled?

By creating multiple Connector Groups in Azure AD you can deploy Connectors into each datacenter location. When an application lives in one datacenter you route it through that group; when an application lives in another datacenter you set it up in the other.

Using Windows PowerShell you can easily script failover runbooks for disaster recovery traffic routing: when an application moves to another datacenter, the runbook shifts the published application from one Connector Group to the other.
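The following runbook is an added example and is not code from the original post or from Microsoft. It uses the AzureAD PowerShell module cmdlets for Application Proxy to move a published application to a different Connector Group, and it checks that the target group exists and has at least one active Connector before switching, so that a failover never routes an application into an empty group. The application display name and the Connector Group names are placeholders you would replace with your own.

```powershell
# Added example (not from the original post): Application Proxy failover runbook.
# Moves a published application from its current Connector Group to the one named
# in -TargetGroupName, refusing to proceed if the target group has no active Connector.
# Assumptions: the AzureAD PowerShell module is installed; the caller has rights to
# manage Application Proxy; display names below are placeholders, not real values.
param(
    [Parameter(Mandatory)] [string] $AppDisplayName,   # e.g. 'TimeTracking' (placeholder)
    [Parameter(Mandatory)] [string] $TargetGroupName   # e.g. 'DC2-Connectors' (placeholder)
)

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null

# Resolve the published application by display name; fail on a missing or ambiguous match.
$app = @(Get-AzureADApplication -Filter "displayName eq '$AppDisplayName'")
if ($app.Count -eq 0) { throw "Application '$AppDisplayName' was not found." }
if ($app.Count -gt 1)  { throw "Display name '$AppDisplayName' matches more than one application; use its ObjectId." }
$app = $app[0]

# Resolve the target Connector Group by name.
$target = Get-AzureADApplicationProxyConnectorGroup | Where-Object { $_.Name -eq $TargetGroupName }
if (-not $target) { throw "Connector Group '$TargetGroupName' was not found." }

# Safety check: do not fail over into a group with no active Connector, or the app goes dark.
# (Assumes the Connector objects expose a Status property that reads 'active' when healthy.)
$active = @(Get-AzureADApplicationProxyConnectorGroupMembers -Id $target.Id |
            Where-Object { $_.Status -eq 'active' })
if ($active.Count -eq 0) { throw "Connector Group '$TargetGroupName' has no active Connectors; aborting failover." }

# Record where the application is routed today so the change is logged and reversible.
$current = Get-AzureADApplicationProxyApplicationConnectorGroup -ObjectId $app.ObjectId
if ($current.Id -eq $target.Id) {
    Write-Output "'$AppDisplayName' is already routed through '$TargetGroupName'; nothing to do."
    return
}

# Perform the switch and verify it took effect before reporting success.
Set-AzureADApplicationProxyApplicationConnectorGroup -ObjectId $app.ObjectId -ConnectorGroupId $target.Id
$after = Get-AzureADApplicationProxyApplicationConnectorGroup -ObjectId $app.ObjectId
if ($after.Id -ne $target.Id) { throw "Failover of '$AppDisplayName' did not apply; still routed via '$($after.Name)'." }

Write-Output "Moved '$AppDisplayName' from Connector Group '$($current.Name)' to '$($after.Name)'."
```

Run the script once per application that has moved, or wrap the body in a loop over a list of application names for a whole-datacenter failover; running it again with the original group name performs the failback. The pre-flight check on active Connectors is the part worth keeping even if you trim the rest, because the application cannot be reached through a Connector Group whose Connectors are all offline.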

Can Azure AD Application Proxy only be used for on-premises workloads?

No, Azure AD Application Proxy will work anywhere that you have web applications deployed: on-premises, in third-party hosting providers (a co-lo), or as Infrastructure-as-a-Service virtual machines in Microsoft Azure or Amazon AWS.

Simply deploy the Connectors as you would on-premises and it works just the same.

Migrating web applications to the cloud

Azure AD Application Proxy is a great solution for applications that cannot move, but how do you know which ones those are? What makes a good candidate for moving to services like Azure App Service and hosting your web apps as Platform-as-a-Service instances instead of having to feed and water an entire web server?

The Microsoft App Service Migration Assistant is a great tool for assessing your existing applications and determining their suitability.

Getting help with App Proxy or moving to the cloud

Whether you want to publish your applications where they are today or you want to assess your web applications for a move to the cloud, Arcible can assist. Our Service Modernisation service can help you look at both approaches, while our Web Hosting service can help you set up new web applications or move existing ones to the cloud.

We can help you assess your existing workloads and find the best solution, bespoke for each as there isn’t a one-size-fits-all approach.

If you are interested in moving workloads to the cloud, or if you want to look at publishing options and enable your users to work more effectively remotely, then get in touch with us to find out more.