
Howdy folks,

 

Today, I have the privilege to tell you about the public preview of two new features for Azure AD Application Proxy that make it even easier to provide secure remote access to on-premises applications:

  • Support for SAML single sign-on (SSO)
  • Support for finer grained management of application cookies


SAML SSO support

The public preview for SAML SSO support with Application Proxy is now available.

 

Whether you already have an on-premises SAML application that's ready to publish or are looking to modernize your application’s authentication protocol, you now have an easy way to provide external access and SSO to your application.

 

Setting up SAML SSO with your on-premises application uses the same standard pattern as setting up SAML SSO for your cloud applications. The application must be using SAML authentication with Azure AD as the identity provider. You can also use this with the recently released preview for SAML token encryption. To learn more about configuring SAML SSO with Application Proxy see our documentation.


Application cookie settings

To help meet your security and compliance requirements, the following settings for Application Proxy access and session cookies are now available:

 

  • Use HTTP-Only Cookie—Protects cookies against actions like copying or modifying the cookies from client-side scripting.
  • Use Secure Cookie—Ensures cookies are only transmitted over TLS secure channels to prevent cookies from being observed by unauthorized parties.
  • Use Persistent Cookie—Sets the access cookie to not expire when the web browser is closed and persists for the lifetime of the access token.

For full details and recommendations about these cookie settings, see Cookie settings for accessing on-premises applications in Azure AD.
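
The three settings above correspond to attributes a browser sees in the Set-Cookie response header: HttpOnly, Secure, and Expires/Max-Age. As an added example (not part of the original post and not Microsoft's code), the Python below audits captured Set-Cookie values against them; the cookie names and sample headers are constructed placeholders.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def audit_set_cookie(header_value, now=None):
    """Return the name and the three properties for one Set-Cookie value."""
    now = now or datetime.now(timezone.utc)
    first, *rest = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = value.strip()  # names are case-insensitive
    persistent = False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            persistent = expires > now  # a past date deletes the cookie
        except (TypeError, ValueError):
            pass  # unparseable date: the attribute is ignored
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            persistent = int(attrs["max-age"]) > 0
        except ValueError:
            pass  # malformed Max-Age is ignored; keep the Expires result
    return {"name": first.partition("=")[0].strip(), "persistent": persistent,
            "http_only": "httponly" in attrs, "secure": "secure" in attrs}

def policy_gaps(header_values, allow_persistent=False):
    """List (cookie name, problem) pairs for cookies that miss the policy."""
    gaps = []
    for value in header_values:
        c = audit_set_cookie(value)
        if not c["http_only"]:
            gaps.append((c["name"], "readable from client-side script (no HttpOnly)"))
        if not c["secure"]:
            gaps.append((c["name"], "may be sent over plain HTTP (no Secure)"))
        if c["persistent"] and not allow_persistent:
            gaps.append((c["name"], "survives browser close (Expires/Max-Age set)"))
    return gaps

# Constructed sample headers; the cookie names are placeholders.
SAMPLE = [
    "ExampleAccessCookie=abc123; Path=/; Secure; HttpOnly",
    "ExampleSessionCookie=def456; Path=/; Max-Age=3600; secure",
    "ExampleOldCookie=x; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure",
]
```

Calling policy_gaps(SAMPLE) flags only the second cookie, once for the missing HttpOnly attribute and once for persistence; pass allow_persistent=True where Use Persistent Cookie is intentionally enabled.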


As always, we'd love to receive any suggestions or feedback you have, so please comment below or on the Azure AD feedback forum.

 

Best Regards, 

 

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

6 Comments
Occasional Visitor

Will the persistent cookie allow for rdcb to be proxied via app proxy?

Microsoft

Hi Cyphel,

The persistent cookie flag only ensures that the session cookies don't expire when the browser session is closed. If you are looking for more information around RDS scenarios see our documentation here.

Occasional Visitor

Hi Alex,

 

Thanks for the information. 

 

Can Application Proxy be used to impersonate Azure AD user to Windows user?

Example: User logs into app service hosted in Azure using Azure AD authentication credentials. User then tries to access an SSRS report hosted in Azure VM.

Is SSO and impersonation possible? Do we need to install appservice connector on VM in Azure?

I appreciate your response.

 

thanks 

regards

Kalyan

 

Microsoft

Hi Kalyan,

 

You can enable single sign-on to your applications using Integrated Windows Authentication (IWA) by giving Application Proxy connectors permission in Active Directory to impersonate users. Kerberos constrained delegation is used so that the connectors have the permission to send and receive tokens on their behalf. You can find out more details in our documentation here.

 

Thanks!

Jasmine

Regular Visitor

I deleted the application that was generated as part of the Add your own on-premises application (app proxy). The proxy URL is still functional. How do I delete it completely? I see links to PowerShell command https://docs.microsoft.com/en-us/powershell/module/azuread/remove-azureadapplicationproxyapplication...

As the app is deleted I no longer have the objectid or applicationid.

Microsoft

Hi @hodachalliv,

 

We would be happy to help you here. We just need a little more information. Can you email us at aadapfeedback@microsoft.com what the proxy URL is?

 

Thanks,

Jasmine