Azure AD Application Proxy Rick Leos uConnect Administrator IET - Enterprise Applications and Infrastructure Services University of California, Davis rmleos@ucdavis.edu (530) 752-1161

Business Intelligence Office Tableau Requirements: Authentication utilizing Active Directory Authorization utilizing Active Directory Groups Must use Multi-factor authentication Must use reverse web proxy

Business Intelligence Office Tableau Deployment option 1: Active Directory connection provides AuthN & AuthZ but no MFA Deployment option 2: SAML provides AuthN & MFA but no AuthZ application can not use groups claims in SAML ticket. Requires custom process to sync AD groups to internal roles in Tableau Additional infrastructure for reverse web proxy Disadvantage: Option 1: would require users to connect to VPN with MFA to gain access to application Option 2: Custom process needed to maintain sync of AD groups to internal Tableau roles.

Business Intelligence Office Tableau How do we get all the benefits of option 1 & 2 without any of the disadvantages?

Azure AD Application Proxy Cloud-scale reverse proxy Secure remote access for web applications hosted on-premises with pre-auth, conditional access and two-step verification. Capable of providing Single sign-on experience. Using Integrated Windows Authentication, Linked sign-on (ADFS to ADFS), Header- based sign-on, Password-based sign-on (requires browser extension ) No inbound connections through your firewall, VPN, DMZs, edge servers, or other complex infrastructures. Pass-through proxy mode available, non default.

Azure AD Application Proxy What kind of applications work with Application Proxy? Web applications that use Integrated Windows Authentication for authentication Web applications that use form-based or header-based access Web APIs that you want to expose to rich applications on different devices Applications hosted behind a Remote Desktop Gateway Rich client apps that are integrated with the Active Directory Authentication Library (ADAL)

Microsoft Azure On-Premises Network 1. User goes to site. AD ADFS On-Premises Internal Network 1. User goes to site. Microsoft Azure AD Azure AD Application Proxy Service On-Premises Network https://iet-internal.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu Connector 1 Connector 3 On-Premises External Network ADFS Azure AD Request/Response Queue Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu (CNAME aggiedash-dev-ucdavis365.msappproxy.net)

Microsoft Azure On-Premises Network On-Premises Internal Network 2. User provides email address/ UPN Microsoft Azure AD Azure AD Application Proxy Service On-Premises Network Connector 1 Connector 3 On-Premises External Network ADFS Azure AD Request/Response Queue https://iet-internal.ucdavis.edu Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu

Microsoft Azure On-Premises Network On-Premises Internal Network 3. Proxy forwards user request to Azure AD Microsoft Azure AD Azure AD Application Proxy Service On-Premises Network Connector 1 Connector 3 On-Premises External Network ADFS Azure AD Request/Response Queue https://iet-internal.ucdavis.edu Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu

Microsoft Azure On-Premises Network On-Premises Internal Network 4. Azure AD looks up email address to determine if federated or non federated login. Microsoft Azure AD Azure AD Application Proxy Service On-Premises Network Connector 1 Connector 3 On-Premises External Network ADFS Azure AD Request/Response Queue https://iet-internal.ucdavis.edu Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu

Microsoft Azure On-Premises Network On-Premises Internal Network 5. Request is sent to Active Directory Federation Services for user authentication Microsoft Azure AD Azure AD Application Proxy Service On-Premises Network Connector 1 Connector 3 On-Premises External Network ADFS Azure AD Request/Response Queue https://iet-internal.ucdavis.edu Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu

Microsoft Azure On-Premises Network On-Premises Internal Network 6. User authentication is preformed by Active Directory Microsoft Azure AD Azure AD Application Proxy Service On-Premises Network Connector 1 Connector 3 On-Premises External Network ADFS Azure AD Request/Response Queue https://iet-internal.ucdavis.edu Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu

Microsoft Azure On-Premises Network 7. User has valid SMAL ticket Duo Azure AD Application Proxy Service On-Premises Network Connector 1 Connector 3 On-Premises External Network ADFS Azure AD Request/Response Queue https://iet-internal.ucdavis.edu Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu

On-Premises External Network 8. Condition Access policy requires user to MFA, proxy sends request to ADFS. Microsoft Azure Duo Azure AD Application Proxy Service On-Premises Network Connector 1 Connector 3 On-Premises External Network ADFS Azure AD Request/Response Queue https://iet-internal.ucdavis.edu Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu

Microsoft Azure On-Premises Network 9. ADFS triggers DUO MFA for user. User approves request. Microsoft Azure Duo Azure AD Application Proxy Service On-Premises Network Connector 1 Connector 3 On-Premises External Network ADFS Azure AD Request/Response Queue https://iet-internal.ucdavis.edu Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu

Microsoft Azure On-Premises Network 10. All access polices meet, reverse proxy fulfills request to internal resource. Microsoft Azure Azure AD Application Proxy Service On-Premises Network Connector 1 Connector 3 Azure AD Request/Response Queue https://iet-internal.ucdavis.edu Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu

11. Request is queued for a connector. Microsoft Azure Azure AD Application Proxy Service On-Premises Network Connector 1 Connector 3 Azure AD Request/Response Queue https://iet-internal.ucdavis.edu Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu

12. A connector authorized for the app accepts user session. Microsoft Azure Azure AD Application Proxy Service On-Premises Network Connector 1 Connector 3 Azure AD Request/Response Queue https://iet-internal.ucdavis.edu Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu

13. Session created from Azure Proxy service to connector. Microsoft Azure Azure AD Application Proxy Service On-Premises Network Connector 1 Connector 3 Azure AD Request/Response Queue https://iet-internal.ucdavis.edu Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu

14. Connector connects to internal app. Microsoft Azure Azure AD Application Proxy Service On-Premises Network Connector 1 Connector 3 Azure AD Request/Response Queue https://iet-internal.ucdavis.edu Connector Group Connector 2 https://aggiedash-dev.ucdavis.edu https://tableau-dev.ou.ad3.ucdavis.edu

How do user access the app? 1. Directly going to proxy external url 2. myapps.microsoft.com 3. Installing the “My Apps” from Google Play or iTunes 4. office365.ucdavis.edu or and clicking the titles icon top left.

Demo