Configure Azure AD Application Proxy

This course has been designed to teach you how to manage access and authentication in Azure Active Directory. 

The topics covered within this course include:

  • Managing Authentication
  • Implementing Multi-Factor Authentication
  • Configuring Application Access
  • Implementing Access for External Users of Microsoft 365 Workloads

Learning Objectives

  • To learn how to configure and monitor authentication
  • To learn how to administer MFA and report on its utilization
  • To learn how to configure application registration and use Azure AD Application Proxy
  • To learn how to use Azure Active Directory B2B to add and manage external users

Intended Audience

  • Those looking to learn more about access and authentication


To get the most from this course, you should at least be familiar with Azure AD and have a general understanding of its features.


Azure Active Directory offers an application proxy service that allows users to access on-prem apps by signing in with their Azure AD account. In this demonstration, we're going to prepare an on-prem environment for use with Application Proxy. Once our on-prem environment is ready, we'll use the Azure portal to add an on-prem IIS application to our Azure AD tenant.

More specifically, we're going to install the proxy connector on a Windows Server in our local Active Directory and then register it with Application Proxy. We'll verify that the connector installed and registered correctly, and then we'll add our on-prem IIS application to the Azure AD tenant. Once we've done all this, we'll verify that a test user can sign on to the application by using an Azure AD account.

To use Application Proxy, we need a Windows Server running at least Windows Server 2012 R2. This server will run the proxy connector. For our demonstration here, we're using a Windows Server 2016 server called PR01 to run the proxy connector. The PR01 server will connect to the Application Proxy services in Azure and also to the on-prem IIS web application on the web01 server. The IIS web app on web01 is what we're going to publish in this demonstration.

To use Application Proxy, we need to install a connector on the PR01 server, which we'll use with the Application Proxy service. The proxy connector is an agent that manages the outbound connection from the on-prem application servers to Application Proxy in Azure AD. To install the connector, let's sign in to the Azure portal from our PR01 server as an Application admin or a Global admin for our Active Directory in Azure. I'm using a Global admin account, so we'll go with that. In the blade, we need to browse to Azure Active Directory and then to Application proxy. What we're going to do now is download the connector service. As usual, we need to accept the terms, and then we can download the connector.

At the bottom of the window, we're prompted to download the installer. We can just click Run to launch the wizard right from here. To install the connector, we just need to follow the instructions presented. When we're prompted to register the connector with Application Proxy, we need to provide our Application administrator credentials or Global admin credentials. If you run into problems on this step and you're using IE, try turning off the Enhanced Security Configuration for IE. If you leave it on, you may not see the registration screen.

Once we've completed the wizard, we need to verify the connector installed and registered correctly. We can use the Azure portal to confirm that the new connector installed. To do so, let's click Azure Active Directory and then Application proxy. We should see our new connector and connector group listed here. Clicking on our connector lets us verify its details. If everything is green and it shows running, we're good to go.

Now that we've prepared our environment by installing the proxy connector, we can add our on-prem IIS app to Azure AD. To do this, we just need to browse over to Azure Active Directory and then select Enterprise applications. From here we can add a new application. Since we're adding an on-prem IIS web app, we need to select the second option. In the blade that opens, we need to provide some information about our application. We need to give our application a name, and we need to specify the internal URL for it. So let me go ahead here and give our application a name, and then the URL for it is pretty basic. We'll just add as the app URL. We'll let Azure build our external URL for us. The external URL is what users outside the local networks will use to access the app. We could change this if we wanted to, but there's no need, so we'll leave it alone.

Microsoft recommends leaving Pre Authentication set to Azure Active Directory when possible, so that we can take advantage of Azure AD security features like conditional access and MFA. So we'll leave this field at its default setting. We didn't create any special connector groups, so we can leave Connector Group set to default as well. Our basic IIS app doesn't require any configuration of additional settings, so we'll keep these settings at their default states as well. When we're done here, we just have to click Add to complete the process.

With our application added to Azure AD, we can now test it. To add a test user for our application, let's browse over to the Getting started blade and select Assign a user for testing. On the Users and groups blade, we'll add our user by clicking Add user in the toolbar. In the Add Assignment blade, we need to click Users and groups, and then choose an account to test with. I'll use my Johnny Hopkins account and then click Assign.

To test sign-on, let's open an InPrivate Browsing window and launch our application using the external URL from earlier. We are first prompted to sign in using the Azure AD pre-authentication that we configured earlier, and then we're prompted to sign in to our internal application. When we supply our Azure AD account, we are granted access to the application. This tells us that our app is working as it should through Application Proxy.
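
A local check that complements the portal verification described above, added here as an example and not part of the original course; run it in PowerShell on the connector server (PR01). WAPCSvc and WAPCUpdaterSvc are the Windows services the connector installs; the port 80 target on web01 and the use of login.microsoftonline.com as the outbound probe are assumptions.

```powershell
# Added example (not from the course): local health checks for the connector server.
# Assumptions: the internal app on web01 listens on TCP 80, and
# login.microsoftonline.com stands in as a representative outbound HTTPS target.
param(
    [string]$InternalHost = 'web01',
    [int]$InternalPort = 80,
    [string]$CloudHost = 'login.microsoftonline.com'
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. The connector requires Windows Server 2012 R2 (NT 6.3) or later.
$os = [System.Environment]::OSVersion.Version
Add-Result 'OS is 2012 R2 or later' ($os -ge [version]'6.3') "$os"

# 2. The connector service and its updater should both be installed and running.
foreach ($name in 'WAPCSvc', 'WAPCUpdaterSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { "$($svc.Status)" } else { 'not installed' }
    Add-Result "Service $name" ($state -eq 'Running') $state
}

# 3. The connector only opens outbound connections, so 443 to Azure must work,
#    and it must also reach the internal app it publishes.
$targets = @(
    @{ H = $CloudHost;    P = 443 },
    @{ H = $InternalHost; P = $InternalPort }
)
foreach ($target in $targets) {
    $t = Test-NetConnection -ComputerName $target.H -Port $target.P `
            -WarningAction SilentlyContinue
    Add-Result "TCP $($target.H):$($target.P)" $t.TcpTestSucceeded `
        "remote address $($t.RemoteAddress)"
}

# Print the summary and return a non-zero exit code if any check failed.
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

A failed service or outbound check here explains a connector that does not show as running in the portal; a failed internal check points at the path between PR01 and web01 instead.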


LECTURES: Course Introduction - What is Authentication - Designing an Authentication Method - Configuring Multi-Factor Authentication - Accessing MFA Service Settings - Enable SSPR - Sign-in Activity Reports in the Azure Active Directory Portal - Using Sign-in Activity Reports in the Azure Active Directory Portal - Azure Active Directory Monitoring - Implement MFA - Manage User Settings with Azure Multi-Factor Authentication in the Cloud - Manage MFA for Users - Reports in Azure Multi-Factor Authentication - Configure Application Registration in Azure AD - How to Configure Application Registration in Azure AD - What is Azure AD Application Proxy - Configure Azure AD Application Proxy - Azure Active Directory B2B - Add Guest Users to Your Directory in the Azure Portal - Conclusion

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.