cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Control the Application behavior within the organization network

dilanmic
Brass Contributor

‎Oct 07 2022 08:41 AM - edited ‎Oct 07 2022 09:06 AM

‎Oct 07 2022 08:41 AM - edited ‎Oct 07 2022 09:06 AM

Control the Application behavior within the organization network

Hi All,

 

one of my client is having below concerns and wanted to know whether these would be possible scenarios.

 

1)  Can we block user from accessing to Shared drive and RDP within Organization's network through Conditional access policy or any other way? if user is outside of Organization's network this would be allowed. 

2)  Can we control on-premises application like SAP through Conditional Access policy or any other way? Please note application does have a web URL.

 

Thanks in advance

Dilan

1,324 Views
0 Likes
4 Replies
Reply
4 Replies
best response confirmed by dilanmic (Brass Contributor)
Jonhed

‎Oct 09 2022 06:44 AM

‎Oct 09 2022 06:44 AM

Solution

Re: Control the Application behavior within the organization network

Could you elaborate on what the goals are?

1) Where are these shared drives and servers? Are they managed by the company?
Conditional access only works on applications and resources that use Azure AD. Resources can be both on-premise and in the cloud, but this does not work with regular file servers and RDP access.
This would normally be managed via firewalls and local/domain authentication.
If you want to block RDP to resources outside of the company network, I would block 3389 in the firewall.
If you want to block access to shared drives such as Box or Dropbox, I would block this with a proxy or firewall.

2) You can extend conditional access to on-premises applications by using Azure AD Application Proxy.
https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy
0 Likes
Reply
dilanmic

‎Oct 09 2022 08:24 AM

‎Oct 09 2022 08:24 AM

Re: Control the Application behavior within the organization network

Thank you very much!

Just wanted to double confirm, Can we use Azure AD Application Proxy for On-premises application which doesn't have URL access. my client is using just a installed application.

thanks again,
Dilan
0 Likes
Reply
Jonhed

‎Oct 09 2022 08:34 AM - edited ‎Oct 09 2022 08:35 AM

‎Oct 09 2022 08:34 AM - edited ‎Oct 09 2022 08:35 AM

Re: Control the Application behavior within the organization network

Pretty sure a URL is required.
https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/what-is-application-proxy

Also, should have mentioned this, but as is mentioned in the link I sent you, App Proxy is meant to enable safe remote access to on-premises applications, and is not for accessing internal applications from the internal network.
"It's important to understand that Azure AD Application Proxy is intended as a VPN or reverse proxy replacement for roaming (or remote) users who need access to internal resources. It's not intended for internal users on the corporate network. Internal users who unnecessarily use Application Proxy can introduce unexpected and undesirable performance issues."

0 Likes
Reply
dilanmic

‎Oct 09 2022 08:44 AM - edited ‎Oct 09 2022 08:46 AM

‎Oct 09 2022 08:44 AM - edited ‎Oct 09 2022 08:46 AM

Re: Control the Application behavior within the organization network

Thank you very much.
In this case, Azure AD proxy is not the good solution for my client, since they doesn't have URL access for the application and again purpose of this implementing is they want to control the application login behavior by end users such as only allowed applications can be access within the internal networks. Among those applications, they have SAP application which is Onprem application.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by dilanmic (Brass Contributor)
Jonhed

‎Oct 09 2022 06:44 AM

‎Oct 09 2022 06:44 AM

Solution

Re: Control the Application behavior within the organization network

Could you elaborate on what the goals are?

1) Where are these shared drives and servers? Are they managed by the company?
Conditional access only works on applications and resources that use Azure AD. Resources can be both on-premise and in the cloud, but this does not work with regular file servers and RDP access.
This would normally be managed via firewalls and local/domain authentication.
If you want to block RDP to resources outside of the company network, I would block 3389 in the firewall.
If you want to block access to shared drives such as Box or Dropbox, I would block this with a proxy or firewall.

2) You can extend conditional access to on-premises applications by using Azure AD Application Proxy.
https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy

View solution in original post

0 Likes
Reply