Azure AD Application Proxy

Presentation on theme: "Azure AD Application Proxy"— Presentation transcript:

1 Azure AD Application Proxy
Rick Leos, uConnect Administrator
IET - Enterprise Applications and Infrastructure Services
University of California, Davis (530)

2 Business Intelligence Office Tableau
Requirements:
- Authentication utilizing Active Directory
- Authorization utilizing Active Directory groups
- Must use multi-factor authentication
- Must use reverse web proxy

3 Business Intelligence Office Tableau
Deployment option 1: Active Directory connection provides AuthN & AuthZ but no MFA.
Deployment option 2: SAML provides AuthN & MFA but no AuthZ; the application cannot use group claims in the SAML ticket. Requires a custom process to sync AD groups to internal roles in Tableau.
Additional infrastructure is needed for the reverse web proxy.
Disadvantages:
- Option 1: users would need to connect to the VPN with MFA to gain access to the application.
- Option 2: a custom process is needed to keep AD groups in sync with internal Tableau roles.

4 Business Intelligence Office Tableau
How do we get all the benefits of option 1 & 2 without any of the disadvantages?

5 Azure AD Application Proxy
- Cloud-scale reverse proxy.
- Secure remote access for web applications hosted on-premises, with pre-authentication, conditional access and two-step verification.
- Capable of providing a single sign-on experience using Integrated Windows Authentication, linked sign-on (ADFS to ADFS), header-based sign-on, or password-based sign-on (requires a browser extension).
- No inbound connections through your firewall, VPN, DMZs, edge servers, or other complex infrastructure.
- Pass-through proxy mode (no Azure AD pre-authentication, so conditional access and MFA are not enforced by the proxy) is available but is not the default.

6 Azure AD Application Proxy
What kind of applications work with Application Proxy?
- Web applications that use Integrated Windows Authentication for authentication
- Web applications that use form-based or header-based access
- Web APIs that you want to expose to rich applications on different devices
- Applications hosted behind a Remote Desktop Gateway
- Rich client apps that are integrated with the Active Directory Authentication Library (ADAL)
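The following is an added example, not from the presentation, showing how the setup described on the two slides above (Azure AD pre-authentication rather than pass-through, traffic pinned to a connector group, and access limited to an AD-synced group to cover the Tableau authorization requirement) can be scripted with the AzureAD PowerShell module. The display name, URLs and group name are placeholders, the module has since been retired in favour of Microsoft Graph, and the Conditional Access policy that requires MFA is assumed to be configured separately.

```powershell
# Added example (not the presenter's code). Publishes an on-premises web app through
# Azure AD Application Proxy with Azure AD pre-authentication, pins it to a connector
# group and restricts sign-in to one AD-synced group. Placeholder names and URLs.
Connect-AzureAD

$displayName = 'Tableau (App Proxy)'                      # placeholder
$externalUrl = 'https://tableau-contoso.msappproxy.net/'  # placeholder external URL
$internalUrl = 'https://tableau.corp.example/'            # placeholder; reachable by connectors
$groupName   = 'Tableau Users'                            # placeholder AD-synced group

# Weak setting, shown for comparison only: Passthru skips Azure AD pre-authentication,
# so Conditional Access and MFA are never evaluated before traffic reaches the app.
#   -ExternalAuthenticationType Passthru
# AadPreAuthentication requires a valid Azure AD session before any request is proxied.
$cg  = New-AzureADApplicationProxyConnectorGroup -Name 'On-Prem Connectors'
$app = New-AzureADApplicationProxyApplication -DisplayName $displayName `
         -ExternalUrl $externalUrl -InternalUrl $internalUrl `
         -ExternalAuthenticationType AadPreAuthentication `
         -ConnectorGroupId $cg.Id -IsTranslateHostHeaderEnabled $true

# Authorization: require assignment on the service principal and assign the AD group,
# so only its members get past pre-authentication (the "option 1" AuthZ, now with MFA).
$sp    = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
$group = Get-AzureADGroup -Filter "displayName eq '$groupName'"
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
    -ResourceId $sp.ObjectId -Id ([Guid]::Empty)

# Check: fail loudly if the app ended up in pass-through mode or open to every user.
$published = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId
if ($published.ExternalAuthenticationType -ne 'AadPreAuthentication') {
    throw "App '$displayName' is not using Azure AD pre-authentication"
}
if (-not (Get-AzureADServicePrincipal -ObjectId $sp.ObjectId).AppRoleAssignmentRequired) {
    throw "App '$displayName' does not require user assignment"
}
```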

7-20 Microsoft Azure / On-Premises Network (diagram walkthrough)
Diagram components: Microsoft Azure AD; Azure AD Application Proxy Service with its Request/Response Queue; a Connector Group (Connector 1, Connector 2, Connector 3) on the on-premises network; ADFS on the on-premises external network; Active Directory on the on-premises internal network; Duo. External address: CNAME aggiedash-dev-ucdavis365.msappproxy.net.
1. User goes to the site.
2. User provides address/UPN.
3. Proxy forwards the user request to Azure AD.
4. Azure AD looks up the address to determine whether this is a federated or non-federated login.
5. Request is sent to Active Directory Federation Services for user authentication.
6. User authentication is performed by Active Directory.
7. User has a valid SAML ticket.
8. Conditional Access policy requires the user to MFA; the proxy sends the request to ADFS.
9. ADFS triggers Duo MFA for the user. User approves the request.
10. All access policies met; the reverse proxy fulfills the request to the internal resource.
11. Request is queued for a connector.
12. A connector authorized for the app accepts the user session.
13. Session created from the Azure Proxy service to the connector.
14. Connector connects to the internal app.

21 How do users access the app?
1. Going directly to the proxy's external URL
2. myapps.microsoft.com
3. Installing the "My Apps" app from Google Play or iTunes
4. office365.ucdavis.edu or and clicking the tiles icon at top left

22 Demo

