What is Application Proxy?
Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client. Application Proxy includes both the Application Proxy service which runs in the cloud, and the Application Proxy connector which runs on an on-premises server. Azure AD, the Application Proxy service, and the Application Proxy connector work together to securely pass the user sign-on token from Azure AD to the web application.
Before you begin
To add an on-premises application to Azure AD, you need:
- A Microsoft Azure AD basic or premium subscription
- An application administrator account
- User identities must be synchronized from an on-premises directory or created directly within your Azure AD tenants. Identity synchronization allows Azure AD to pre-authenticate users before granting them access to App Proxy published applications and to have the necessary user identifier information to perform single sign-on (SSO).
Let's start by creating a new Application Proxy application.
First we need to give our application a name and also provide our internal Portnox URL.
When you finish, click on the ADD button. It will take a couple of minutes to create your app.
To find your newly created app, go to Azure Active Directory -> All applications and type your application name (for our example it is Portnox).
When you find it, click on it to see and edit its properties.
In the Application Properties section, navigate to Users and groups and let's assign permission to who can access this application. You can add a user or even a group of users. (For this example I give permission only to myself.)
Now let's test our work. Click on Application Proxy and then click on the Test Application button.
When you click on Test Application, it will open your new external Portnox URL.
But we are not done: we need to secure this external URL with MFA.
Let's navigate to Conditional Access and create a New Policy.
In this policy, let's give it a name and assign a user or group, or even all users. (For this example, my user.)
After you assign a user to our policy, go down to the Cloud apps or actions section and choose our app (Portnox).
Now we go down to Conditions, select Locations, and under Include choose “Any location” and under Exclude our internal public IP (so that inside our company we will not need to use MFA when we open the Portnox URL).
When we finish setting up the location, we need to set up the Access Controls: choose Grant access and check Require multi-factor authentication.
And at the end, turn on Enable policy and click on SAVE.
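The same policy can be built from the command line, which makes it reviewable and repeatable. The script below is an added example written for this post, not part of the original walkthrough and not Portnox's or Microsoft's own code; it uses the Microsoft Graph PowerShell SDK. Note that the Locations exclusion cannot take a raw IP: the office public IP must first exist as a named location, which is why the script creates one before the policy. The IP range 203.0.113.0/24 and the two GUIDs are constructed placeholders; replace them with your office range, the object id of the user or group, and the application id of the published Portnox app.

```powershell
# Added example: create the "require MFA outside the office" Conditional Access
# policy for the Portnox app with Microsoft Graph PowerShell.
# Assumptions (all placeholders, replace before running):
#   $officePublicIp - office public IP range; 203.0.113.0/24 is a constructed TEST-NET value
#   $userObjectId   - object id of the user or group the policy applies to
#   $portnoxAppId   - application (client) id of the published Portnox app
# Requires: Install-Module Microsoft.Graph

Import-Module Microsoft.Graph.Identity.SignIns

$officePublicIp = "203.0.113.0/24"
$userObjectId   = "00000000-0000-0000-0000-000000000001"
$portnoxAppId   = "00000000-0000-0000-0000-000000000002"

# Permissions needed to manage named locations and Conditional Access policies
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Named location for the office public IP. This is the "Exclude" half of the
#    Locations condition; exclusions are expressed as named locations, not raw IPs.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office public IP"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = $officePublicIp
        }
    )
}

# 2. The policy: assigned user -> Portnox app -> any location except the office
#    -> grant access only with MFA.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Portnox external access - require MFA"
    state       = "enabled"   # "enabledForReportingButNotEnforced" stages it as report-only
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeUsers = @($userObjectId) }
        applications   = @{ includeApplications = @($portnoxAppId) }
        locations      = @{
            includeLocations = @("All")          # "Any location"
            excludeLocations = @($location.Id)   # the office named location
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# 3. Read the policy back and show the parts that matter, so the exclusion can be
#    confirmed to point at the intended named location before relying on it.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
"{0}: state={1}, excludeLocations={2}, controls={3}" -f `
    $check.DisplayName, $check.State,
    ($check.Conditions.Locations.ExcludeLocations -join ","),
    ($check.GrantControls.BuiltInControls -join ",")
```

Creating the policy in the report-only state first and checking the sign-in logs for a day is the usual way to confirm that the office range is really excluded and that no one is locked out before switching it to enabled.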
Let's copy the External URL of our new application. You can find it here.
Now for the big finish: open a new incognito tab in your browser and paste the external URL of your new Portnox application.
You will see that you must enter your domain username and password, and that MFA is also enforced.