%3CLINGO-SUB%20id%3D%22lingo-sub-1257367%22%20slang%3D%22en-US%22%3EAzure%20AD%20Application%20Proxy%20now%20supports%20the%20Remote%20Desktop%20Services%20web%20client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1257367%22%20slang%3D%22en-US%22%3E%3CP%3EHowdy%20folks!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EToday%20we%E2%80%99re%20announcing%20the%20public%20preview%20of%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fwhyappproxy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20AD%20Application%20Proxy%3C%2FA%3E%20(App%20Proxy)%20support%20for%20the%20Remote%20Desktop%20Services%20(RDS)%20web%20client.%20Many%20of%20you%20are%20already%20using%20App%20Proxy%20for%20applications%20hosted%20on%20RDS%20and%20we%E2%80%99ve%20seen%20a%20lot%20of%20requests%20for%20extending%20support%20to%20the%20RDS%20web%20client%20as%20well.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20this%20preview%2C%20you%20can%20now%20use%20the%20RDS%20web%20client%20even%20when%20App%20Proxy%20provides%20secure%20remote%20access%20to%20RDS.%20The%20web%20client%20works%20on%20any%20HTML5-capable%20browser%20such%20as%20Microsoft%20Edge%2C%20Internet%20Explorer%2011%2C%20Google%20Chrome%2C%20Safari%2C%20or%20Mozilla%20Firefox%20(v55.0%20and%20later).%20You%20can%20push%20full%20desktops%20or%20remote%20apps%20to%20the%20Remote%20Desktop%20web%20client.%20The%20remote%20apps%20are%20hosted%20on%20the%20virtualized%20machine%20but%20appear%20as%20if%20they%E2%80%99re%20running%20on%20the%20user's%20desktop%20like%20local%20applications.%20The%20apps%20also%20have%20their%20own%20taskbar%20entry%20and%20can%20be%20resized%20and%20moved%20across%20monitors.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22AppProxy.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F208528i643D17E7C94729FC%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22AppProxy.png%22%20alt%3D%22Launch%20rich%20client%20apps%20with%20a%20full%20desktop%20like%20experience%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3ELaunch%20rich%20client%20apps%20with%20a%20full%20desktop%20like%20experience%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1297302383%22%20id%3D%22toc-hId--1297302383%22%20id%3D%22toc-hId--1297302383%22%20id%3D%22toc-hId--1297302383%22%20id%3D%22toc-hId--1297302383%22%20id%3D%22toc-hId--1297302383%22%20id%3D%22toc-hId--1297302383%22%20id%3D%22toc-hId--1297302383%22%3EWhy%20use%20App%20Proxy%20with%20RDS%3F%3C%2FH2%3E%0A%3CP%3ERDS%20allows%20you%20to%20extend%20virtual%20desktops%20and%20applications%20to%20any%20device%20while%20helping%20keep%20critical%20intellectual%20property%20secure.%20By%20using%20this%20virtualization%20platform%2C%20you%20can%20deploy%20all%20types%20of%20applications%20such%20as%20Windows%20apps%20and%20other%20rich%20client%20apps%20as-is%20with%20no%20re-writing%20required.%20By%20using%20App%20Proxy%20with%20RDS%20you%20can%20reduce%20the%20attack%20surface%20of%20your%20RDS%20deployment%20by%20enforcing%20pre-authentication%20and%20Conditional%20Access%20policies%20like%20requiring%20Multi-Factor%20Authentication%20(MFA)%20or%20using%20a%20compliant%20device%20before%20users%20can%20access%20RDS.%20App%20Proxy%20also%20doesn't%20require%20you%20to%20open%20inbound%20connections%20through%20your%20firewall.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1190210450%22%20id%3D%22toc-hId-1190210450%22%20id%3D%22toc-hId-1190210450%22%20id%3D%22toc-hId-1190210450%22%20id%3D%22toc-hId-1190210450%22%20id%3D%22toc-hId-1190210450%22%20id%3D%22toc-hId-1190210450%22%20id%3D%22toc-hId-1190210450%22%3EGetting%20started%3C%2FH2%3E%0A%3CP%3ETo%20use%20the%20RDS%20web%20client%20with%20App%20Proxy%2C%20first%20make%20sure%20to%20update%20your%20App%20Proxy%20connectors%20to%20the%20latest%20version%2C%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fmanage-apps%2Fapplication-proxy-release-version-history%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E1.5.1975.0%3C%2FA%3E.%20If%20you%20haven%E2%80%99t%20already%2C%20you%20will%20need%20to%20configure%20RDS%20to%20work%20with%20App%20Proxy.%20In%20this%20configuration%2C%20App%20Proxy%20will%20handle%20the%20internet%20facing%20component%20of%20your%20RDS%20deployment%20and%20protect%20all%20traffic%20with%20pre-authentication%20and%20any%20Conditional%20Access%20policies%20in%20place.%20For%20steps%20on%20how%20to%20do%20this%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fmanage-apps%2Fapplication-proxy-integrate-with-remote-desktop-services%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EPublish%20Remote%20Desktop%20with%20Azure%20AD%20Application%20Proxy.%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22AppProxy2.png%22%20style%3D%22width%3A%20470px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F208530iD8E56FA08631EF5F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22AppProxy2.png%22%20alt%3D%22How%20Azure%20AD%20App%20Proxy%20works%20in%20an%20RDS%20deployment%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EHow%20Azure%20AD%20App%20Proxy%20works%20in%20an%20RDS%20deployment%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--617244013%22%20id%3D%22toc-hId--617244013%22%20id%3D%22toc-hId--617244013%22%20id%3D%22toc-hId--617244013%22%20id%3D%22toc-hId--617244013%22%20id%3D%22toc-hId--617244013%22%20id%3D%22toc-hId--617244013%22%20id%3D%22toc-hId--617244013%22%3EConfigure%20the%20Remote%20Desktop%20web%20client%3C%2FH2%3E%0A%3CP%3ENext%2C%20complete%20setup%20by%20enabling%20the%20Remote%20Desktop%20web%20client%20for%20user%20access.%20See%20details%20on%20how%20to%20do%20this%20at%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows-server%2Fremote%2Fremote-desktop-services%2Fclients%2Fremote-desktop-web-client-admin%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESet%20up%20the%20Remote%20Desktop%20web%20client%20for%20your%20users%3C%2FA%3E.%20Now%20your%20users%20can%20use%20the%20external%20URL%20to%20access%20the%20client%20from%20their%20browser%2C%20or%20they%20can%20launch%20the%20app%20from%20the%20%3CA%20href%3D%22https%3A%2F%2Fmyapplications.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMy%20Apps%20portal%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20always%2C%20we%E2%80%99d%20love%20to%20hear%20any%20feedback%20or%20suggestions%20you%20may%20have.%20Please%20let%20us%20know%20what%20you%20think%20in%20the%20comments%20below%20or%20on%20the%E2%80%AF%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%3Fcategory_id%3D160608%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20AD%20feedback%20forum%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBest%20regards%2C%3C%2FP%3E%0A%3CP%3EAlex%20Simons%20(-ERR%3AREF-NOT-FOUND-%40alex_a_simons)%3C%2FP%3E%0A%3CP%3ECorporate%20Vice%20President%20Program%20Management%3C%2FP%3E%0A%3CP%3EMicrosoft%20Identity%20Division%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-73317461%22%20id%3D%22toc-hId-73317461%22%20id%3D%22toc-hId-73317461%22%20id%3D%22toc-hId-73317461%22%20id%3D%22toc-hId-73317461%22%20id%3D%22toc-hId-73317461%22%20id%3D%22toc-hId-73317461%22%20id%3D%22toc-hId-73317461%22%3E%3CEM%3ELearn%20more%20about%20Microsoft%20identity%3A%3C%2FEM%3E%3C%2FH3%3E%0A%3CUL%3E%0A%3CLI%3E%3CEM%3EReturn%20to%20the%20%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fbg-p%2FIdentity%22%20target%3D%22_blank%22%3E%3CEM%3EAzure%20Active%20Directory%20Identity%20blog%20home%3C%2FEM%3E%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CEM%3EJoin%20the%20conversation%20on%20%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2Fazuread%2Fstatus%2F1278418103903363074%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CEM%3ETwitter%3C%2FEM%3E%3C%2FA%3E%3CEM%3E%20and%20%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CEM%3ELinkedIn%3C%2FEM%3E%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CEM%3EShare%20product%20suggestions%20on%20the%20%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fforums%2F169401-azure-active-directory%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CEM%3EAzure%20Feedback%20Forum%3C%2FEM%3E%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1257367%22%20slang%3D%22en-US%22%3E%3CP%3EMany%20of%20you%20are%20already%20using%20App%20Proxy%20for%20apps%20hosted%20on%20RDS%20and%20you%20can%20now%20enforce%20pre-authentication%20and%20Conditional%20Access%20policies%20to%20the%20RDS%20web%20client%20as%20well.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1257367%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EProduct%20Announcements%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1554625%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Application%20Proxy%20now%20supports%20the%20Remote%20Desktop%20Services%20web%20client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1554625%22%20slang%3D%22en-US%22%3E%3CP%3EMy%20team%20have%20been%20trying%20for%20ages%20to%20get%20something%20like%20this%20running%20smoothly.%3C%2FP%3E%3CP%3EWe%20have%20a%20requirement%20to%20add%20MFA%2Fconditional%20access%20to%20our%20Remote%20Desktop%20setup.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInstalling%20the%20HTML5%20WebClient%20was%20our%20%22go%20to%22%20solution%20when%20lockdown%20hit%20and%20we%20needed%20to%20enable%20working%20from%20home%20for%20a%20large%20number%20of%20users%20but%2C%20without%20MFA%20support%20its%20not%20viable%20in%20its%20current%20setup%20to%20stay%20in%20place%20longterm.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20installed%20correctly%20using%20AppProxy%20(and%20using%20the%20MyApps%20portal)%20would%20this%20solution%20successfully%20pass%20the%20username%2Fpassword%20credentials%20to%20the%20RDP%20gateway%2Fsession%20hosts%20so%20that%20the%20end%20user%20only%20ever%20has%20to%20enter%20his%20credentials%20once%20%3F%26nbsp%3B%20Every%20attempt%20we%20have%20tried%20so%20far%20with%20App%20Proxy%20seems%20to%20force%20the%20user%20to%20enter%20user%2Fpassword%20two%20or%20more%20times.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAndy%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1555250%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Application%20Proxy%20now%20supports%20the%20Remote%20Desktop%20Services%20web%20client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1555250%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F582625%22%20target%3D%22_blank%22%3E%40AndyBH%3C%2FA%3E%26nbsp%3Bcouldn't%20agree%20more.%20In%20our%20testing%20with%20App%20Proxy%20and%20RDS%20apps%2C%20users%20had%20to%20enter%20their%20credentials%20at%20least%203%20times%20before%20they%20got%20to%20their%20app%20making%20it%2C%20in%20its%20current%20situation%2C%20something%20we%20cannot%20sell%20to%20our%20employee%20base%20(and%20rightly%20so).%3C%2FP%3E%3CP%3EI'm%20not%20saying%20it's%20something%20that's%20easy%20for%20MS%20to%20fix%20but%20would%20be%20nice%20if%20we%20know%20if%20they%20were%20actively%20working%20on%20it%20or%20not%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1555387%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Application%20Proxy%20now%20supports%20the%20Remote%20Desktop%20Services%20web%20client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1555387%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F31161%22%20target%3D%22_blank%22%3E%40Steve%20Hernou%3C%2FA%3E%26nbsp%3B%20-%20Good%20to%20know%20that%20others%20have%20the%20exact%20same%20experience.%20I%20agree%20that%20no%20%22standard%20user%22%20would%20be%20able%20to%20accept%20that%20which%20is%20why%20we%20also%20have%20not%20been%20able%20to%20roll%20it%20out.%20The%20closest%20other%20option%20we've%20found%20is%20by%20integrating%20an%20NPS%20server%20which%20will%20trigger%20the%20login%20authorization%20request%20on%20the%20Authenticator%20App%20if%20you%20have%20it%20but%20there%20is%20nothing%20on%20the%20PC%20screen%20to%20suggest%20its%20doing%20that.%20If%20your%20chosen%20auth%20method%20is%20an%20SMS%20or%20phone%20call%20then%20although%20the%20code%20is%20delivered%20to%20the%20user%20they%20have%20no%20method%20to%20enter%20it%20to%20gain%20access%20to%20RDP.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1557002%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Application%20Proxy%20now%20supports%20the%20Remote%20Desktop%20Services%20web%20client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1557002%22%20slang%3D%22en-US%22%3E%3CP%20data-unlink%3D%22true%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F53477%22%20target%3D%22_blank%22%3E%40Alex%20Simons%20(AZURE)%3C%2FA%3E%26nbsp%3BYou%20may%20want%20to%20update%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fremote%2Fremote-desktop-services%2Fclients%2Fremote-desktop-web-client-admin%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%26nbsp%3Bpage%3C%2FA%3E%20as%20it%20still%20states%20RDS%20web%20client%20is%20not%20supported%20with%20AppProxy.%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Matt%20Lucas_1-1596135501105.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F209125i3FF28B79FDC9FB4F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Matt%20Lucas_1-1596135501105.png%22%20alt%3D%22Matt%20Lucas_1-1596135501105.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorMatt%20Lucas_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20id%3D%22tinyMceEditorMatt%20Lucas_1%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1558072%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Application%20Proxy%20now%20supports%20the%20Remote%20Desktop%20Services%20web%20client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1558072%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20just%20noticed%20that%20in%20your%20diagram%2C%20ALL%20components%20are%20hosted%20in%20Azure.%20While%20this%20may%20possible%20longterm%2C%20for%20many%20of%20us%20(including%20me!)%20while%20using%20Azure%20AD%20and%20some%20hosted%20office%20apps%20is%20possible%2C%20all%20of%20our%20RDS%20environment%20remains%20on%20our%20local%20LAN.%20So%20far%2C%20any%20attempts%20to%20introduce%20Conditional%20Access%20have%20required%20multiple%20entries%20of%20user%2Fpassword%20or%20linking%20to%20an%20NPS%20server%20which%20provided%20no%20user%20feedback.%20Can%20you%20confirm%20that%20with%20this%20new%20support%20we%20should%20be%20able%20to%20publish%20our%20on%20prem%20RDS%20farm%20through%20the%20My%20Apps%20Portal%20requiring%20no%20further%20user%2Fpassword%20entry%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1558804%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Application%20Proxy%20now%20supports%20the%20Remote%20Desktop%20Services%20web%20client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1558804%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20RDS%20docs%20should%20be%20updated%20shortly%20to%20reflect%20the%20changes.%20As%20for%20the%20questions%20around%20login%20prompts%2C%20it%20is%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E%26nbsp%3Bexpected%20and%20similar%20to%20the%20existing%20functionality.%20If%20the%20user%E2%80%99s%20computer%20is%20Azure%20AD%20joined%2C%20the%20user%20signs%20in%20to%20Azure%20AD%20automatically.%20The%20user%20will%20still%20need%20to%20provide%20their%20credentials%20on%20the%20RDWeb%20sign-in%20form.%20We're%20still%20investigating%20options%20for%20how%20to%20simplify%20this.%20Thank%20you%20for%20the%20feedback!%20Feel%20free%20to%20reach%20out%20to%20us%20at%20%3CA%20href%3D%22mailto%3Aaadapfeedback%40microsoft%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eaadapfeedback%40microsoft.com%26nbsp%3B%3C%2FA%3E%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3Eif%20you%20have%20any%20other%20questions%20or%20feedback.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E

Howdy folks!

 

Today we’re announcing the public preview of Azure AD Application Proxy (App Proxy) support for the Remote Desktop Services (RDS) web client. Many of you are already using App Proxy for applications hosted on RDS and we’ve seen a lot of requests for extending support to the RDS web client as well.

 

With this preview, you can now use the RDS web client even when App Proxy provides secure remote access to RDS. The web client works on any HTML5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, Safari, or Mozilla Firefox (v55.0 and later). You can push full desktops or remote apps to the Remote Desktop web client. The remote apps are hosted on the virtualized machine but appear as if they’re running on the user's desktop like local applications. The apps also have their own taskbar entry and can be resized and moved across monitors.

 

Launch rich client apps with a full desktop like experienceLaunch rich client apps with a full desktop like experience

 

Why use App Proxy with RDS?

RDS allows you to extend virtual desktops and applications to any device while helping keep critical intellectual property secure. By using this virtualization platform, you can deploy all types of applications such as Windows apps and other rich client apps as-is with no re-writing required. By using App Proxy with RDS you can reduce the attack surface of your RDS deployment by enforcing pre-authentication and Conditional Access policies like requiring Multi-Factor Authentication (MFA) or using a compliant device before users can access RDS. App Proxy also doesn't require you to open inbound connections through your firewall.

 

Getting started

To use the RDS web client with App Proxy, first make sure to update your App Proxy connectors to the latest version, 1.5.1975.0. If you haven’t already, you will need to configure RDS to work with App Proxy. In this configuration, App Proxy will handle the internet facing component of your RDS deployment and protect all traffic with pre-authentication and any Conditional Access policies in place. For steps on how to do this, see Publish Remote Desktop with Azure AD Application Proxy.

 

How Azure AD App Proxy works in an RDS deploymentHow Azure AD App Proxy works in an RDS deployment

 

Configure the Remote Desktop web client

Next, complete setup by enabling the Remote Desktop web client for user access. See details on how to do this at Set up the Remote Desktop web client for your users. Now your users can use the external URL to access the client from their browser, or they can launch the app from the My Apps portal.

 

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.

 

Best regards,

Alex Simons (@alex_a_simons)

Corporate Vice President Program Management

Microsoft Identity Division

 

Learn more about Microsoft identity:

6 Comments
Frequent Visitor

My team have been trying for ages to get something like this running smoothly.

We have a requirement to add MFA/conditional access to our Remote Desktop setup. 

 

Installing the HTML5 WebClient was our "go to" solution when lockdown hit and we needed to enable working from home for a large number of users but, without MFA support its not viable in its current setup to stay in place longterm.

 

If installed correctly using AppProxy (and using the MyApps portal) would this solution successfully pass the username/password credentials to the RDP gateway/session hosts so that the end user only ever has to enter his credentials once ?  Every attempt we have tried so far with App Proxy seems to force the user to enter user/password two or more times.

 

Thanks, 

 

Andy

 

Contributor

@AndyBH couldn't agree more. In our testing with App Proxy and RDS apps, users had to enter their credentials at least 3 times before they got to their app making it, in its current situation, something we cannot sell to our employee base (and rightly so).

I'm not saying it's something that's easy for MS to fix but would be nice if we know if they were actively working on it or not :)

 

Frequent Visitor

@Steve Hernou  - Good to know that others have the exact same experience. I agree that no "standard user" would be able to accept that which is why we also have not been able to roll it out. The closest other option we've found is by integrating an NPS server which will trigger the login authorization request on the Authenticator App if you have it but there is nothing on the PC screen to suggest its doing that. If your chosen auth method is an SMS or phone call then although the code is delivered to the user they have no method to enter it to gain access to RDP.

Microsoft

@Alex Simons (AZURE) You may want to update this page as it still states RDS web client is not supported with AppProxy. Matt Lucas_1-1596135501105.png

 
 

 

Frequent Visitor

I've just noticed that in your diagram, ALL components are hosted in Azure. While this may possible longterm, for many of us (including me!) while using Azure AD and some hosted office apps is possible, all of our RDS environment remains on our local LAN. So far, any attempts to introduce Conditional Access have required multiple entries of user/password or linking to an NPS server which provided no user feedback. Can you confirm that with this new support we should be able to publish our on prem RDS farm through the My Apps Portal requiring no further user/password entry ?

Microsoft

The RDS docs should be updated shortly to reflect the changes. As for the questions around login prompts, it is expected and similar to the existing functionality. If the user’s computer is Azure AD joined, the user signs in to Azure AD automatically. The user will still need to provide their credentials on the RDWeb sign-in form. We're still investigating options for how to simplify this. Thank you for the feedback! Feel free to reach out to us at aadapfeedback@microsoft.com if you have any other questions or feedback.