Secure remote access to on-premises apps
Published Apr 09 2020 10:00 AM 14.9K Views

As COVID-19 continues to require social distancing to ensure everyone’s safety, we have seen many companies support their employee’s needs and promote safety by allowing them to work from home and use online tools to collaborate. This has led to the need for remote access to all company applications, including those on-premises, from anywhere, and any device. When exposing these applications to the internet, it is imperative that company data stays protected and only the right users get access to the right resources.


We recently shared 5 immediate steps you can take to enable remote work with Azure AD. In the third step, we talked about providing secure access to your on-premises applications from outside your corporate network. Today we want to share some suggestions on how to protect your on-premises applications the same way you protect Office 365 or other SaaS applications like ServiceNow, Workday, or Zoom, with capabilities like Conditional Access policies and Identity Protection.


Azure AD offers several integrations for securing your on-premises SaaS applications like SAP NetWeaver, SAP Fiori systems, Oracle PeopleSoft and E-Business Suite, and Atlassian JIRA and Confluence through the Azure AD App Gallery. You can find more step by step guides for configuring SaaS applications at:


Another key feature of Azure AD is Application Proxy, a service that uses a connector (a light-weight agent) to provide secure remote access to on-premises apps and allows you to manage and govern your apps from Azure AD without having to change how your apps work. Learn more.


Alternatively, if you’re using Akamai Enterprise Application Access (EAA), Citrix Application Delivery Controller (ADC), F5 BIG-IP Access Policy Manager (APM), or Zscaler Private Access (ZPA), Microsoft has partnerships to help you provide remote access securely. How to implement the following strategies may vary from partner to partner.


Secure your on-premises apps under one integrated identity control plane

Exposing on-premises apps to the internet for remote access leads to increased complexity and a larger surface area that security teams need to protect. It is important to put the right controls in place so that you can have confidence only the right people are accessing your organization's applications and data. One way to reduce the attack surface area with Azure AD is by connecting your on-premises apps via App Proxy or a partner integration and enforcing per app Conditional Access policies such as MFA from all locations.


See our full App Proxy deployment guide here. You can also find tutorials for integrating popular apps like SharePoint, Remote Desktop Services, Tableau Server, and Qlik Sense with App Proxy. For securing your VPN access using Cisco AnyConnect, Azure AD also has a tutorial for Cisco AnyConnect through the Azure AD App Gallery. For deployment guides with our partner integrations see here.


If you do not use Conditional Access, you can enable Security Defaults to protect all your Azure AD apps. Alternatively, if you are using Identity Protection, you can also use Risk-based Conditional Access which uses Microsoft’s trillions of signals per day to identify and protect customers from threats and can proactively deflect dynamic attacks.


Simplify access to apps with classic authentication modes

A common pain point of managing on-premises apps is supporting different kinds of authentication modes. Users get frustrated if they cannot easily log in or must call the helpdesk to get unblocked. By enabling single sign-on with Azure AD, users get a consistent login experience, and are automatically signed into the backend application, with no double log-in prompts. Single single-on effectively modernizes your on-premises app’s login experience without requiring any changes to the app.


App Proxy supports single sign-on to popular classic authentication modes such as Integrated Windows Authentication (IWA), where connectors perform Kerberos Constrained Delegation (KCD) to sign in on behalf of users. Learn more about the different single sign-on modes supported by App Proxy. Our partnership integrations also provide support for a rich variety of classic applications such as header-based authentication, RDP, SSH, and others. Learn more about options here.


Give users a consistent experience when accessing on-premises apps

Some users get to their company’s SharePoint or intranet portal by going straight to their browser to visit the website. When publishing your application for remote access, a best practice is to configure the external domain name of your application to match the internal domain name. This way users can get to their apps from home using the same URLs they use at work, and embedded links between apps continue to work. Learn more about how to use a custom domain with App Proxy. If you can’t use custom domains, App Proxy also offers different options for link translation in both the header and body of your application.


Another option is consolidating all your applications in one place for easy access. If your users are already using Office 365 Portal, then all your apps connected to Azure AD will also show up in the navigation menu. Users can also get to these apps via the My Apps Portal which is a centralized end-user app portal available in Azure AD.


Ensure high availability for remote access to apps

Many companies are dealing with unprecedented levels of remote traffic and it is important to have high availability to remote access connection points. App Proxy connectors minimize the overhead in planning for high availability by taking care of all the high-availability tasks. Each connector can serve multiple applications and requests are only routed to available connectors. Connectors also safely auto-upgrade themselves one at a time. We recommend installing at least two connectors for high availability to your apps and placing them as close as possible to your backend applications to reduce latency. You can also use connectors in front of app servers that are load-balanced. Learn more about best practices for setting up your connectors here and automating management using our PowerShell samples. As you scale up usage to your apps you can continue to monitor usage via the sign-in logs in Azure AD.


Consider a lift-and-shift approach for your apps for increased resiliency

You can also increase the resiliency of your applications by lifting and shifting critical apps to cloud platforms like Azure. You can leverage Azure AD Domain Services to serve as a virtual directory for your applications on the cloud without extending your on-premises domain controllers for rapid application deployments. These apps can also be protected with App Proxy or partner integrations. Learn more.


Scale up access to desktop and app virtualization solutions

We know that in certain scenarios, especially critical and industries like healthcare and financial services, you might need to use on-demand compute capacity to provide secure access to a remote desktop endpoint. This can also be secured with the same Conditional Access policies using Windows Virtual Desktop. With Windows Virtual Desktop you can deploy Windows 10 and bring Remote Desktop Services (RDS), as well as Windows Server desktops and apps. Deploy full desktops and remote applications for these workloads that users can simply connect to through their Windows Virtual Desktop clients on any device.


Connecting your on-premises applications to Azure AD allows you to quickly provide secure remote access for your users while protecting company data. Stay safe and be well.


Need more support?


Microsoft FastTrack is a program to help you deploy, drive usage, and adopt best practices for cloud technologies. This service is available for customers with 150 or more licenses of an eligible plan – go here to request assistance. Microsoft Partner solutions can also help you accelerate your journey towards Secure Work from Home. Search for key words like Identity & Access Management, Conditional Access, Windows Virtual Desktop, Multi factor Authentication for finding a partner solution through our Partner Solution Finder.


Version history
Last update:
‎Jul 27 2020 07:10 PM
Updated by: