
Page 1: Forefront UAG/TMG Web Application Proxy + AD FS

Spark the future.

May 4 – 8, 2015, Chicago, IL

Page 2: Forefront UAG/TMG Web Application Proxy + AD FS

Enable Your On-Premises Apps for the Cloud with Microsoft Azure Active Directory Application Proxy

Meir Mendelovich, Program Manager, Microsoft, @MMendelovich

BRK3864

Page 3: Forefront UAG/TMG Web Application Proxy + AD FS

Application Access Scenarios

Forefront UAG/TMG

Web Application Proxy + AD FS

Page 4: Forefront UAG/TMG Web Application Proxy + AD FS

Empower Enterprise Mobility

Protect your data

Enable your users

User IT

Unify your environment

People-centric approach

Devices Apps Data


Page 6: Forefront UAG/TMG Web Application Proxy + AD FS

Benefits

Azure Active

Directory

On-Premises

Applications

Remote Access as a Service: easily publish your on-prem applications to users outside the corporate network

Extend Azure AD to on-prem: utilize Azure AD as a central management point for all your apps

Page 7: Forefront UAG/TMG Web Application Proxy + AD FS

How it works

Connectors are deployed on corpnet

Multiple connectors can be deployed for redundancy and scale

The connector auto connects to the cloud service

User connects to the cloud service that routes their traffic to the resources via the connectors

[Diagram: Azure Active Directory and Application Proxy in the cloud; Connectors and Apps on the Corporate Network / DMZ. URLs shown: https://sales-contoso.msappproxy.net (external), http://sales (internal), https://sales.contoso.com (custom domain)]

Page 8: Forefront UAG/TMG Web Application Proxy + AD FS

Cloud scale for your on-prem apps

[Diagram: Azure Active Directory (Access Panel Portal, Authentication + MFA, Reporting & Auditing, Security Monitoring, Authorization) and Application Proxy in front of Connectors and Apps on the Corporate Network / DMZ]

4.9M organizations

1B-2B authentications / day

430M identities

SSO to 2,477 SaaS apps & Office 365

Multi Factor Authentication

Access Panel portal & app

Office 365 portal

Self-service workflow

Authorization based on user or groups

Reports, auditing and security monitoring based on big data and machine learning. More…

Page 9: Forefront UAG/TMG Web Application Proxy + AD FS

Demo

Page 10: Forefront UAG/TMG Web Application Proxy + AD FS

Directory prep:

1. Create a new directory

2. Create users and groups

3. Request Azure AD Premium trial on “licenses” tab

4. Assign the Azure AD Premium seats to users (including

admins)

Optional: add your domain name

Demo

Page 11: Forefront UAG/TMG Web Application Proxy + AD FS

App Proxy setup:

1. Turn on App Proxy on the “configure” tab

2. Download, install and register the connector

3. Add a new proxy app

4. Assign Users to app

Use it

Demo

http://myapps.microsoft.com

Username: [email protected] Password: password1!

Page 12: Forefront UAG/TMG Web Application Proxy + AD FS

Optional steps (part 1):

- Add to Office 365 App Launcher

- Use Azure AD self-service

- Multi-factor authentication (MFA)

Demo

Page 13: Forefront UAG/TMG Web Application Proxy + AD FS

Cloud Scale Security

All HTTP/S traffic is terminated in the cloud, blocking most HTTP level attacks such as the Heartbleed bug.

Unauthenticated traffic filtered in the cloud – will not arrive on-prem.

No incoming connections to the corporate network – only outgoing connection to the Azure AD Application Proxy service

Internet facing service always up to date with latest security patches and server upgrades

Login abnormalities detection, reporting and auditing by Azure AD

[Diagram: Azure Active Directory and Application Proxy at https://sales-contoso.msappproxy.net; Connectors and Apps on the Corporate Network / DMZ]

Page 14: Forefront UAG/TMG Web Application Proxy + AD FS

SSO from the cloud

Single Sign-on experience from Azure Active Directory to on-prem applications

Connectors use the Azure AD token data to impersonate the end user to the backend applications using Kerberos Constrained Delegation (KCD)

Support any application that uses Integrated Windows Authentication (IWA) such as SharePoint, Outlook Web Access and CRM.

No need to change the backend applications

No need to install agents on backend applications

No need to expose on-prem apps directly to the Internet

[Diagram: Azure Active Directory and Application Proxy; Connectors and Apps on the Corporate Network / DMZ. Azure AD Token: [email protected] at the proxy becomes Kerberos Ticket: [email protected] at the backend application]

Page 15: Forefront UAG/TMG Web Application Proxy + AD FS

Use your own domain name

Why?

1. Domain name recognized by your users

2. Replace existing solutions / well known URLs

3. Have same internal and external URLs
   - Notifications and e-mail links just work
   - Some applications won’t work otherwise

How?

4. Upload a certificate with private key that covers the custom domain name (regular, wildcard or SAN)

5. Create a CNAME record in the external DNS to point to the msappproxy.net address
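To make the two “How?” steps checkable before you publish, here is an added example (not from the deck or from Microsoft) that validates the prerequisites offline: a certificate whose subject alternative names cover the custom name (plain, wildcard or SAN, matched the way TLS clients match them), uploaded with its private key and not expired, and an external CNAME that points at the msappproxy.net address. The certificate summaries and the DNS zone are constructed sample data; the hostnames follow the slide.

```python
import re
from datetime import datetime, timezone

# Constructed sample values following the slide: custom domain and its proxy address.
CUSTOM_DOMAIN = "sales.contoso.com"
PROXY_ADDRESS = "sales-contoso.msappproxy.net"

# Constructed external DNS zone: name -> (record type, target).
EXTERNAL_DNS = {
    "sales.contoso.com": ("CNAME", "sales-contoso.msappproxy.net"),
    "hr.contoso.com": ("A", "203.0.113.10"),  # points somewhere else, not at the proxy
}

# Constructed certificate summaries (what you would read off the uploaded PFX).
def cert(sans, private_key=True, not_after=datetime(2099, 1, 1, tzinfo=timezone.utc)):
    return {"sans": sans, "private_key": private_key, "not_after": not_after}

CERT_WILDCARD = cert(["*.contoso.com"])
CERT_WRONG_DOMAIN = cert(["*.fabrikam.com"])
CERT_NO_KEY = cert(["sales.contoso.com"], private_key=False)
CERT_EXPIRED = cert(["sales.contoso.com"], not_after=datetime(2020, 1, 1, tzinfo=timezone.utc))

_LABEL = re.compile(r"^[a-z0-9-]+$")

def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard may only stand for the whole leftmost label,
    so *.contoso.com covers sales.contoso.com but not contoso.com or a.b.contoso.com."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    head, sep, tail = hostname.partition(".")
    return bool(sep) and tail == san[2:] and bool(_LABEL.match(head))

def check_custom_domain(hostname, cert_info, dns, proxy_address, now=None):
    """Return the problems that would block publishing hostname; an empty list means go."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not any(san_matches(s, hostname) for s in cert_info["sans"]):
        problems.append(f"certificate does not cover {hostname} (SANs: {cert_info['sans']})")
    if not cert_info["private_key"]:
        problems.append("certificate must be uploaded with its private key")
    if cert_info["not_after"] <= now:
        problems.append("certificate has expired")
    record = dns.get(hostname.lower())
    if record is None:
        problems.append(f"no external DNS record for {hostname}")
    elif record != ("CNAME", proxy_address):
        problems.append(f"{hostname} must be a CNAME to {proxy_address}, found {record[0]} {record[1]}")
    return problems
```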

[Diagram: Azure Active Directory and Application Proxy; Connectors and App on the Corporate Network. External DNS: sales.contoso.com -> sales-contoso.msappproxy.net; Internal DNS: sales.contoso.com]

Page 16: Forefront UAG/TMG Web Application Proxy + AD FS

Optional steps (part 2):

- Login UI branding

- Custom domains

- SSO to backend using IWA/KCD

Demo

Page 17: Forefront UAG/TMG Web Application Proxy + AD FS

What is next

Enable different login name (UPN) for on-prem and cloud: utilizing Alternate Login ID the same way it is implemented in AD FS

Assign connectors for apps: different sets of connectors serve different applications. Network optimization for multi-geo and isolated networks

Additional SSO methods for more applications

More control, management and health monitoring of connectors

Improved portal experience – customizing icons and more…

Page 18: Forefront UAG/TMG Web Application Proxy + AD FS

Learn more on Application Proxy

Application Proxy MSDN documentation: http://aka.ms/ProxyDoc

Application Proxy blog: http://aka.ms/proxy

Contact us: [email protected]

Page 19: Forefront UAG/TMG Web Application Proxy + AD FS

Related Content

BRK3863: Identity and Access Management Everywhere – Wednesday 10:45pm room E271

BRK3851: Real Customer Stories for Azure Premium – Wednesday 3:15pm room S501

BRK3862: Extending On-Premises Directories to the Cloud Made Easy with Azure AD Connect

BRK3865: How Microsoft Azure AD Helps Prevent, Detect and Remediate Attacks to Your Enterprise

BRK3867: Microsoft Identity Platform for Developers: Overview and Roadmap

BRK3854: How Microsoft IT Manages Identity in a Hybrid Cloud World

BRK3332: Microsoft Azure Active Directory and Windows 10: Better Together for Work or School

BRK4850: Developing Web and Cross Platform Mobile Apps with Azure Active Directory

BRK3873: Protecting Windows and Microsoft Azure AD with Privileged Access Management

BRK3857: Upgrading from FIM to Microsoft Identity Manager and Azure Active Directory

Page 20: Forefront UAG/TMG Web Application Proxy + AD FS

Ignite Azure Challenge Sweepstakes

Attend Azure sessions and activities, track your progress online, win raffle tickets for great prizes!

Aka.ms/MyAzureChallenge

Enter this session code online: BRK3864

NO PURCHASE NECESSARY. Open only to event attendees. Winners must be present to win. Game ends May 9th, 2015. For Official Rules, see The Cloud and Enterprise Lounge or myignite.com/challenge

Page 21: Forefront UAG/TMG Web Application Proxy + AD FS

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.

Please evaluate this session. Your feedback is important to us!

Page 22: Forefront UAG/TMG Web Application Proxy + AD FS

© 2015 Microsoft Corporation. All rights reserved.

Page 23: Forefront UAG/TMG Web Application Proxy + AD FS

Drill down: 1. Basic Connectivity

Pages 24–29: Forefront UAG/TMG Web Application Proxy + AD FS

[Diagram build (basic connectivity): Contoso corpnet and DMZ; Settings / Updates exchanged between connector and service; the internal app http://webapp1/ is published externally as https://app1-contoso.msappproxy.net/]

Page 30: Forefront UAG/TMG Web Application Proxy + AD FS

Drill down: 2. Preauthentication

Pages 31–33: Forefront UAG/TMG Web Application Proxy + AD FS

[Diagram build (preauthentication): the user requests http://app1-contoso.msappproxy.net/; Azure AD issues Token: [email protected]; only then does the request reach Contoso corpnet via the DMZ]

Page 34: Forefront UAG/TMG Web Application Proxy + AD FS

Drill down: 3. Single Sign On

Page 35: Forefront UAG/TMG Web Application Proxy + AD FS

[Diagram (single sign on): Token: [email protected] arrives at the connector in Contoso corpnet, which obtains Kerberos Ticket: [email protected] for the backend application]
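As an added example (not from the deck or from Microsoft), the preauthentication and single sign on drill-downs above as one small simulation: the cloud side verifies the token's signature, audience and expiry and the user's assignment before anything reaches the connector, and the connector then maps the Azure AD identity to an on-prem account for the KCD Kerberos ticket. Token signing is an HMAC stand-in for Azure AD's RS256 JWTs, and the app, users and key are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for Azure AD's signing key (real tokens are RS256-signed JWTs).
SIGNING_KEY = b"demo-key-not-real"
# Constructed demo data modelled on the drill-down diagrams: one published app.
PUBLISHED_APPS = {
    "app1-contoso.msappproxy.net": {"internal": "http://webapp1/",
                                    "assigned": {"alice@contoso.com"}},
}
# Constructed: on-prem AD accounts the connector can get a Kerberos ticket for via KCD.
ONPREM_ACCOUNTS = {"alice@contoso.com": "CONTOSO\\alice", "bob@contoso.com": "CONTOSO\\bob"}

def issue_token(upn, aud, ttl=3600, now=None):
    """Mint a compact signed token (payload.signature); stands in for Azure AD sign-in."""
    now = time.time() if now is None else now
    claims = json.dumps({"upn": upn, "aud": aud, "exp": now + ttl}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify_token(token, aud, now=None):
    """Return the UPN if signature, audience and expiry all check out, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    if claims.get("aud") != aud or claims.get("exp", 0) <= now:
        return None
    return claims.get("upn")

def cloud_service(host, path, token, now=None):
    """Proxy side: unauthenticated or unauthorized requests are answered in the cloud."""
    app = PUBLISHED_APPS.get(host)
    if app is None:
        return 404, "unknown published application"
    upn = verify_token(token, host, now) if token else None
    if upn is None:
        return 302, "redirect to Azure AD sign-in"          # preauthentication
    if upn not in app["assigned"]:
        return 403, f"{upn} is not assigned to this app"    # authorization by user/group
    return connector(app["internal"], path, upn)

def connector(internal_url, path, upn):
    """Connector on corpnet: Azure AD identity -> Kerberos ticket via KCD -> backend request."""
    account = ONPREM_ACCOUNTS.get(upn)
    if account is None:
        return 401, f"no on-prem account for {upn}; KCD cannot impersonate"
    return 200, f"GET {internal_url.rstrip('/')}{path} as {account} (Kerberos ticket for {upn})"
```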

Page 36: Forefront UAG/TMG Web Application Proxy + AD FS

Works better with Office 365

Seamless single sign-on from all Office 365 apps

Add on-prem apps to the Office 365 App Launcher.

Same identity and security infrastructure for your on-prem apps and Office365