
Our experience with Azure AD Application Proxy


Azure AD Application Proxy

Introduction

We recently received a request to demonstrate how internal web-based applications can be accessed from the Internet using Azure AD Application Proxy. This post details our journey and the outcomes of our testing.


What is Azure AD Application Proxy?

Azure AD Application Proxy is a feature of Azure Active Directory (now Microsoft Entra ID) that provides remote access to on-premises web applications. It is a cloud-hosted reverse proxy: a lightweight connector agent installed inside the corporate network opens outbound HTTPS connections to the Application Proxy service, and user traffic from the Internet is relayed back over those connections. No inbound firewall ports need to be opened and no part of the internal network is published directly. Because users authenticate to Azure AD before the request is forwarded (pre-authentication), Conditional Access and Multi-Factor Authentication apply to the application even when the application itself has no modern authentication of its own. The service is aimed at browser-based applications, including Remote Desktop Services published through the RD Web client, and can also perform single sign-on to backends that use Integrated Windows Authentication or header-based authentication.



Setup Procedure

For our testing environment, we used Azure virtual machines, together with an Azure AD tenant in which to register the enterprise application and the Application Proxy connector.

We followed the steps in the Microsoft document below to set up a Windows Server 2019 host for the connector and to publish the target application.

https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-add-on-premises-application


1. Created a Windows Server 2019 VM in Azure to host the connector.

2. Downloaded the Application Proxy connector installer from the Azure AD Application Proxy blade.

3. Installed the connector on the Windows Server 2019 VM and registered it against the tenant.

4. Waited for the connector to report an Active status in Azure AD (the connector only needs outbound HTTPS to Azure; nothing listens inbound).

5. Set up an Ubuntu VM running Nginx as the internal web application under test.

6. Created the Enterprise Application, configured the external and internal URLs with Azure AD pre-authentication, and assigned the test user to it.

7. Configured the sign-on method as "linked sign-on" to simplify testing, since the test application had no SSO integration. Linked sign-on only controls how the My Apps tile launches the external URL; Azure AD still pre-authenticates every request arriving through the proxy.
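The same publishing steps can be scripted, which also makes the security-relevant settings explicit and checkable. The following is an added example written for this post and is not taken from the Microsoft document linked above; it uses the legacy AzureAD PowerShell module (now deprecated in favour of Microsoft Graph PowerShell, but still the module most existing App Proxy scripts use). The display name, external and internal URLs, and the test user's UPN are assumptions for illustration.

```powershell
# Added example (not from the original post or Microsoft docs): publish the
# Nginx test app through Azure AD Application Proxy and verify the settings
# that matter for security. Run as an Application Administrator after
# Install-Module AzureAD. Names, URLs and the UPN below are assumptions.

Connect-AzureAD | Out-Null

# Step 4: confirm at least one connector is registered and reports Active.
# Connectors only make outbound TCP 443 connections to Azure; no inbound
# ports are required on the connector host or the perimeter firewall.
$connectors = Get-AzureADApplicationProxyConnector
if (-not ($connectors | Where-Object { $_.Status -eq 'active' })) {
    throw "No active App Proxy connector found; check outbound 443 from the connector host."
}
$connectors | Format-Table MachineName, ExternalIp, Status

# Step 6: publish the app. ExternalAuthenticationType must be AadPreAuthentication
# so every request on the external URL is authenticated by Azure AD (and thus
# subject to Conditional Access and MFA) before it is relayed to Nginx.
$app = New-AzureADApplicationProxyApplication `
    -DisplayName 'Intranet test app' `
    -ExternalUrl 'https://intranet-test-contoso.msappproxy.net/' `
    -InternalUrl 'http://nginx-test.internal.contoso.local/' `
    -ExternalAuthenticationType AadPreAuthentication

# Users are assigned to the service principal, which is created asynchronously.
$sp = $null
for ($i = 0; $i -lt 12 -and -not $sp; $i++) {
    Start-Sleep -Seconds 5
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
}
if (-not $sp) { throw "Service principal for appId $($app.AppId) not found." }

# Least privilege: require assignment so only explicitly assigned users can
# reach the app even after passing authentication.
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

# Assign the test user (assumed UPN). The all-zero role Id is the default
# access role for applications that define no app roles of their own.
$user = Get-AzureADUser -ObjectId 'testuser@contoso.onmicrosoft.com'
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
    -ResourceId $sp.ObjectId -Id ([Guid]::Empty) | Out-Null

# Post-publish check: fail loudly if the app is (or is later changed to be)
# published as Passthru, which would expose the internal app to
# unauthenticated Internet traffic.
$published = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId
if ($published.ExternalAuthenticationType -ne 'AadPreAuthentication') {
    throw "App '$($app.DisplayName)' is published without Azure AD pre-authentication."
}
"Published $($published.ExternalUrl) -> $($published.InternalUrl) using $($published.ExternalAuthenticationType)"
```

The final check is worth keeping as a periodic audit: Passthru publishing is a legitimate option in the portal, but for an intranet application it silently removes the pre-authentication that is the main reason to use Application Proxy in the first place.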


Testing result

The testing user was able to navigate to https://myapps.microsoft.com, authenticate using MFA, and access the testing app.

Caveats

Initially, we wanted to test this feature in the Azure China (21Vianet) region. However, we learned that Azure AD Application Proxy is currently not available in that region.

Two further points are worth keeping in mind when moving from a test to production. First, Application Proxy pre-authenticates only requests that arrive through the external URL; the internal URL remains reachable from the internal network, so the backend's own access controls still matter. Second, the pre-authentication setting must be left at "Azure Active Directory" rather than "Passthrough", otherwise unauthenticated Internet requests are relayed straight to the internal application and Conditional Access and MFA no longer apply.


Conclusion

In summary, Azure AD Application Proxy met our customer's requirement. It gave us a way to publish a web-based intranet application to the Internet without opening inbound firewall ports, while enforcing Azure AD authentication and MFA in front of an application that has no SSO support of its own. Despite its limitations, such as non-availability in the Azure China (21Vianet) region, it is a sound option for organizations that need to balance remote access convenience with strict access controls. We welcome any discussion, questions, or experiences others have had with it.


References

  1. "What is Azure AD Application Proxy?": https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-proxy
  2. "Azure AD Application Proxy setup procedure": https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-add-on-premises-application


