Azure App Proxy and SharePoint Online


I am working on validating whether we can access an internal on-prem service, exposed externally via Azure App Proxy, in client-side code.

 

Structure of things

1. An internal service

2. Azure App Proxy exposing the internal service externally

3. A SharePoint Online Page - On this page I am trying to validate whether I can access the service via app proxy

 

Flow

1. User signs in to the SharePoint Online site

2. Navigates to a page that pulls data from Azure App Proxy service

3. User should see data from internal service passed over through Azure App Proxy without any authentication challenge

 

Is the above flow possible? I tried the same and it fails where the call to Azure App Proxy is stopped with status code 307. I suspect the call is deemed as unauthenticated and hence failing.

 

Had a look at the various cookies passed when I access SharePoint Online - FedAuth and rtfa

Had a look at the various cookies passed when I access Azure App Proxy directly and once authenticated by login - AzureAppProxyUserSessionCookie, ASP.NET_SessionId, AzureAppProxyAccessCookie

 

Considering there are different sets of cookies for each authenticated session, I am doubtful the desired flow is plausible.

2 Replies
307 was coming from usage of "http" instead of "https". Have changed it to "https" and now I get 302, which is to the login page. Is this expected?

Both the applications - SharePoint Online and Azure App Proxy - are being authenticated by the same STS service, i.e. Azure AD STS, and I thought the cookie transformation would be done internally by the product. However, this doesn't seem to be the case.

Suggestion, clue - any pointer would help here.

@Nitin Rastogi was wondering if you were ever able to find a solution to this. We are exploring the same capability at my company and have found that we can retrieve data from our on-prem services via a client-side call in SharePoint Online. However, where we have run into issues is when we try to post to those services: the redirect to the login is throwing CORS errors and we haven't figured out how to get this to work. So when I saw your post I was wondering if you were able to get it working.