Azure AD Application Proxy now supports the Remote Desktop Services web client

Published Jul 29 2020 09:00 AM 46.3K Views

Howdy folks!


Today we’re announcing the public preview of Azure AD Application Proxy (App Proxy) support for the Remote Desktop Services (RDS) web client. Many of you are already using App Proxy for applications hosted on RDS and we’ve seen a lot of requests for extending support to the RDS web client as well.


With this preview, you can now use the RDS web client even when App Proxy provides secure remote access to RDS. The web client works on any HTML5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, Safari, or Mozilla Firefox (v55.0 and later). You can push full desktops or remote apps to the Remote Desktop web client. The remote apps are hosted on the virtualized machine but appear as if they’re running on the user's desktop like local applications. The apps also have their own taskbar entry and can be resized and moved across monitors.


Launch rich client apps with a full desktop like experienceLaunch rich client apps with a full desktop like experience


Why use App Proxy with RDS?

RDS allows you to extend virtual desktops and applications to any device while helping keep critical intellectual property secure. By using this virtualization platform, you can deploy all types of applications such as Windows apps and other rich client apps as-is with no re-writing required. By using App Proxy with RDS you can reduce the attack surface of your RDS deployment by enforcing pre-authentication and Conditional Access policies like requiring Multi-Factor Authentication (MFA) or using a compliant device before users can access RDS. App Proxy also doesn't require you to open inbound connections through your firewall.


Getting started

To use the RDS web client with App Proxy, first make sure to update your App Proxy connectors to the latest version, 1.5.1975.0. If you haven’t already, you will need to configure RDS to work with App Proxy. In this configuration, App Proxy will handle the internet facing component of your RDS deployment and protect all traffic with pre-authentication and any Conditional Access policies in place. For steps on how to do this, see Publish Remote Desktop with Azure AD Application Proxy.


How Azure AD App Proxy works in an RDS deploymentHow Azure AD App Proxy works in an RDS deployment


Configure the Remote Desktop web client

Next, complete setup by enabling the Remote Desktop web client for user access. See details on how to do this at Set up the Remote Desktop web client for your users. Now your users can use the external URL to access the client from their browser, or they can launch the app from the My Apps portal.


As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.


Best regards,

Alex Simons (@alex_a_simons)

Corporate Vice President Program Management

Microsoft Identity Division


Learn more about Microsoft identity:

Regular Visitor

My team have been trying for ages to get something like this running smoothly.

We have a requirement to add MFA/conditional access to our Remote Desktop setup. 


Installing the HTML5 WebClient was our "go to" solution when lockdown hit and we needed to enable working from home for a large number of users but, without MFA support its not viable in its current setup to stay in place longterm.


If installed correctly using AppProxy (and using the MyApps portal) would this solution successfully pass the username/password credentials to the RDP gateway/session hosts so that the end user only ever has to enter his credentials once ?  Every attempt we have tried so far with App Proxy seems to force the user to enter user/password two or more times.







@AndyBH couldn't agree more. In our testing with App Proxy and RDS apps, users had to enter their credentials at least 3 times before they got to their app making it, in its current situation, something we cannot sell to our employee base (and rightly so).

I'm not saying it's something that's easy for MS to fix but would be nice if we know if they were actively working on it or not :)


Regular Visitor

@Steve Hernou  - Good to know that others have the exact same experience. I agree that no "standard user" would be able to accept that which is why we also have not been able to roll it out. The closest other option we've found is by integrating an NPS server which will trigger the login authorization request on the Authenticator App if you have it but there is nothing on the PC screen to suggest its doing that. If your chosen auth method is an SMS or phone call then although the code is delivered to the user they have no method to enter it to gain access to RDP.


@Alex Simons (AZURE) You may want to update this page as it still states RDS web client is not supported with AppProxy. Matt Lucas_1-1596135501105.png



Regular Visitor

I've just noticed that in your diagram, ALL components are hosted in Azure. While this may possible longterm, for many of us (including me!) while using Azure AD and some hosted office apps is possible, all of our RDS environment remains on our local LAN. So far, any attempts to introduce Conditional Access have required multiple entries of user/password or linking to an NPS server which provided no user feedback. Can you confirm that with this new support we should be able to publish our on prem RDS farm through the My Apps Portal requiring no further user/password entry ?

The RDS docs should be updated shortly to reflect the changes. As for the questions around login prompts, it is expected and similar to the existing functionality. If the user’s computer is Azure AD joined, the user signs in to Azure AD automatically. The user will still need to provide their credentials on the RDWeb sign-in form. We're still investigating options for how to simplify this. Thank you for the feedback! Feel free to reach out to us at if you have any other questions or feedback.

Occasional Contributor

We've been trying to get this working since private preview but unfortunately have not had success once we put azure in the picture.  The html5/rd side of things works great directly, but via the proxy the initial website loads and asks for creds, but when we enter them it immediately says "sign in failed. please check your user name and password and try again."  The creds are the same as the ones that just worked to get through the msonline logon of course.  This happens in multiple orgs/tenants we've tested with.  It doesn't even appear to be checking the creds - it's so immediate.  Can't find any logs or anything anywhere to see where the breakdown is...

Senior Member

How about support for remote desktop client through the gateway?  Many users will configure their home computer Windows RDP client to use our terminal server gateway as their entry point so that they can have a more streamlined experience to access their desktop in the office.  Will that still work?

Occasional Visitor

I followed the document but I didn't make it work. So I have to publish two On-Premises application and with that, it works. I had to published two on-premises application on the Application Proxy:

- One pointing to my with Azure Authentication option.
- The second, pointing to my with Passthrough Authentication option.


Now with that configuration, I have the RDWeb portal and the Webclient working without problem. But it is not in the documentation.

I would like now to have SSO in the webclient site. I had enabled MFA, so when the user goes to it will get a prompt from asking for the user credentials and MFA auth, it works perfectly. But after the user put their credentials and their MFA auth, it prompts again for credentials in the webclient site. I was wondering if there is any solution to enable SSO? Thank you so much for your effort.


Occasional Visitor

Maybe you checkbox the Pre-Auth for both...that is the one that got me. it can pass through it's self for a pre-auth proxy


I also needed to do the ssl cert bind to the 3392 and then tie that in through the Gateway manager.

Occasional Visitor

@Wes Lazara  

To get this working for HTML5 client, when creating the Azure Application Proxy, set the internal URL to be (without the /webclient on the end). 

Then if you go to it will authenticate ok.


I have one question that I cant seem to find a clear answer for. If you use AAP in Pre-Auth mode for this does it impact the functionality of the gateway and the Remote Desktop Store Apps? In testing I cant seem to attach to the web feed using the Store Apps (even though I can download the feed in a browser) nor can I use the Gateway as a normal Gateway. The only information that gives a clue is a blurb in the docs:

  • For the Azure AD pre-authentication flow, users can only connect to resources published to them in the RemoteApp and Desktops pane. Users can't connect to a desktop using the Connect to a remote PC pane.

But this sounds like its talking about the classic RDWeb site since it mentions the "Connect to a remote PC pane" which to my knowledge is not included in the webclient. Once enabled I can only seem to connect via the HTML5 Web Client, is this expected? If so, is pre-auth expected to be supported in the Store Apps at any point? Thanks!

Occasional Visitor

Publish the RD host endpoint

  1. Publish a new Application Proxy application with the following values:

    • Internal URL: https://\<rdhost\>.com/, where \<rdhost\> is the common root that RD Web and RD Gateway share

This ^^. Internal URL has to point to root of your RDWeb/RDGateway box. Some of the advice in comments is incorrect. 

Once you get the basics right there is no need for pass-thru auth or other questionable solutions.

Regular Contributor

I can get HTML5 working internally


I can access RDWeb with Internet Explorer using ""

However I can't connect via HTML5. "Your computer can't connect to the remote computer because authentication to the firewall failed".


I'm guessing it's a cert issue but HTML5 internally works ok if gateway is etc.


Nevermind, got it sorted. Very handy. Is there anyway to disable users getting a choice to download the RDP file? The Powershell command doesn't seem to work?

Occasional Visitor

@David Gorman 

how did you manage to get rid of the "Your computer can't connect to the remote computer because authentication to the firewall failed" error?


I have the same problem - and suspect certificates?



Regular Contributor

@ChrisT82 , yes it was definitely the certs. I thought they were correct but when applying them they were showing as "not configured" and Ok. I thought it should have given an error.


The certs were from my AD Certificate Enrollment process and the certs had a template of Server and Client authentication.

Senior Member

Double post.

Senior Member

Is the HTML5 Web Client supported with AAD Application Proxy in passthrough mode?


I currently have 2 proxy applications

Normal RDWeb works fine from both internal and external, however, HTML5 Web Client only works from internal.

If I choose in the HTML5 Web Client to download RDP files rather than launching them, it also works from external, but I can't launch apps directly in the browser from external.


The error comes right after the "Opening Ports" status and says unable to connect. Web client logs shows 3 errors.

  • Exception: Possibly unhandled rejection: backdrop click Cause: undefined
  • WebSocketTransport(ERR): WebSocket error received for url=wss:// websockettransport.cpp(304): OnErrorFromJS()
  • Connection(ERR): The connection generated an internal exception with disconnect code=ConnectionBroken(8), extended code=<null>, reason=WebSocket closed with code: 1006 reason:
    Thrown in thread 399652 at:
    Call Stack:
    at imb
    at fmb
    at Tp
    at Djd

    connection.cpp(1335): OnException()


Can anyone confirm if it is supposed to be working with passthrough or if Preauthentication on the AAD Proxy Application for the RDWeb is required?

New Contributor

@ManIT1980 did you figure out the problem, please? I have the same issue :\

thx in advance!

Occasional Visitor

@ManIT1980 / @Jurme 


Did you guys figure this out? IE works great. RDWeb Client is failing with Chrome/Firefox

Occasional Contributor

@ManIT1980 / @Jurme - Bump!


Did you ever find a solution to this? I have the same issue. 

Frequent Visitor

@ManIT1980 / @Alex Simons (AZURE) 

I have the exact same problem. Is there any progress?

Many thanks.


Version history
Last update:
‎Jul 28 2020 10:36 AM
Updated by: