Enable remote access to Work Folders using Azure Active Directory Application Proxy

First published on TECHNET on May 31, 2017
We're excited to announce Work Folders now supports using Azure Active Directory Application Proxy to enable remote users to securely access their files on the Work Folders server.

Work Folders supports using VPN, Web Application Proxy (WAP) or a third-party reverse proxy solution to enable remote users access to their files on the Work Folders server. These remote access solutions require expensive hardware or additional on-premises servers that need to be managed.

Benefits of using Azure AD Application Proxy

• It's easier to manage and more secure than on-premises solutions because you don't have to open any inbound connections through your firewall.
• When you publish Work Folders using Azure AD Application Proxy, you can take advantage of the rich authorization controls and security analytics in Azure.
• Improved single sign on experience, the Work Folders clients prompt less frequently for authentication

To learn more about Azure Active Directory Application Proxy, please see the following article: How to provide secure remote access to on-premises applications

To enable Work Folders access using Azure AD Application proxy, please follow the steps below.

 

Prerequisites

Before you can enable Work Folders access using Azure AD Application Proxy, you need to have:

• A Microsoft Azure AD basic or premium subscription and an Azure AD directory for which you are a global administrator

• An Active Directory Domain Services forest with Windows Server 2012 R2 schema extensions

• Your on-premises Active Directory user accounts are synchronized to Azure AD using Azure AD Connect
  
  
  • Note: Device writeback should be enabled if using conditional access

• A Work Folders server running Windows Server 2012 R2 or Windows Server 2016
  
  
  • See Deploying Work Folders on TechNet to configure the Work Folders server and sync shares

• A server running Windows Server 2012 R2 or higher on which you can install the Application Proxy Connector

• A Windows 10 version 1703, Android or iOS client

 

Overview of the steps required to enable Work Folders access using Azure AD Application proxy

High-level overview of the steps required:

1. Create a Work Folders proxy application in Azure AD and give users access.
2. Create a Work Folders native application in Azure AD.
3. Install the Application Proxy Connector on an on-premises server.
4. Verify the Application Proxy Connector status.
5. Verify the Work Folders server is configured to use Integrated Windows Authentication.
6. Create an SPN for the Work Folders server.
7. Configure constrained delegation for the App Proxy Connector server.
8. Optional: Install the Work Folders certificate on the App Proxy Connector server.
9. Optional: Enable Token Broker for Windows 10 version 1703 clients.
10. Configure a Work Folders client to use the Azure AD App Proxy URL.

 

Create a Work Folders proxy application in Azure AD and give users access

• Sign in to Azure with your global administrator account.
• Select Azure Active Directory , click Switch Directory and then select the directory that will be used for the Work Folders proxy application .
• Click Enterprise applications and then click New application.
• On the Categories page , click All and then click On-premises application.
• On the Add your own on-premises application Add
• Name = You can choose any name. For this example, we'll use Work Folders Proxy
• Internal URL = https://workfolders.domain.com
  • Note: This value should match the internal URL of your Work Folders server. If workfolders.domain.com is used for the internal URL, a workfolders CNAME record must exist in DNS.
• External URL = The URL is auto-populated based on the application name but can be changed
  • Note or write down the External URL. This URL will be used by the Work Folders client to access the Work Folders server.
• Pre Authentication = Azure Active Directory

• Translate URL in Headers = Yes

• Backend Application Timeout = Default

• Connector Group = Default

Example

 

• Click OK to the notification that no connectors are configured (will be done in a later step).
• On the Work Folders Proxy enterprise application page, click Single sign-on.
• Change Mode to Integrated Windows Authentication .
• In the Internal Application SPN field, enter http/workfolders.domain.com
  
  • Note: This value should match the FQDN of your Work Folders server
• Click Save to save the changes.
• On the Work Folders Proxy enterprise application page, click Users and groups.
• Click Add user , select the users and groups that can access the Work Folders proxy application and click Assign.

Note : If you have multiple Work Folders servers, you need to create a proxy application for each Work Folders server (repeat the steps above).

 

Create a Work Folders native application in Azure AD

• In the Azure portal, click Azure Active Directory and verify the directory that was used to create the Work Folders proxy application is selected.
• Click App registrations and then click New application registration.
• On the Create page, enter the following and click Create:
• Name = You can choose any name. For this example, we'll use Work Folders Native

• Application Type = Native

• Redirect URI = https://168f3ee4-63fc-4723-a61a-6473f6cb515c/redir

Example

 

• On the App registrations page, click Work Folders Native and then click Settings.
• Select Redirect URIS under Settings, add the following URIs one at a time and click Save:
• msauth://code/x-msauth-msworkfolders%3A%2F%2Fcom.microsoft.workfolders

• x-msauth-msworkfolders://com.microsoft.workfolders

• msauth://com.microsoft.workfolders/Cb61uxHImS0Da29PGZyTdl9APp0%3D

• ms-appx-web://microsoft.aad.brokerplugin/*
  
  • Replace * with the Application ID that is listed for the Work Folders Native application. If the Application ID is 3996076e-7ec2-4e87-a57f-5a69b7aa8865, the URI should be ms-appx-web://microsoft.aad.brokerplugin/3996076e-7ec2-4e87-a57f-5a69b7aa8865

Example

 

• Select Required permissions under Settings.
• Click Windows Azure Active Directory , grant the following permissions and click Save:
• Sign in and read user profile
• Access the directory as the signed-in user
• Under Required permissions , click Add , click Select an API , select Windows Azure Service Management API and click Select .
• On the Select Permissions for Windows Azure Service Management API page, grant the following permission, click Select and then click Done :

• Access Azure Service Management as organization users
• Under Required permissions , click Add , click Select an API , in the search box type Work Folders Proxy (or the name of the Work Folders proxy application).
• Click Work Folders Proxy and then click Select.
• On the Select Permissions for Work Folders Proxy page, grant the following permission, click Select and then click Done:

• Access Work Folders Proxy

Note: If you have multiple Work Folders servers and you created multiple Work Folders proxy applications, please repeat the steps above to give the Work Folders native application access to all Work Folders proxy applications.

 

• Verify the following applications are listed under the Required Permissions section:

 

Note: The Work Folders native application must be set to public. Under Advanced settings, verify Treat application as a public client is set to Yes.

 

Install the Application Proxy Connector on an on-premises server

1. In the Azure portal, click Azure Active Directory and verify the directory that was used to create the Work Folders proxy application is selected.
2. Click Application proxy.
3. Click Enable application proxy if not enabled.
4. Click Download connector and follow the steps to download the AADApplicationProxyConnectorInstaller.exe package.
5. Copy the AADApplicationProxyConnectorInstaller.exe installer package to the server that will run the Application Proxy Connector.
6. Run the AADApplicationProxyConnectorInstaller.exe installer package on the Application Proxy Connector server.
7. Follow the instructions to complete the installation.

To learn more about the Application Proxy Connector and the outbound network ports that are required, please see the following article: Get started with Application Proxy and install the connector

 

Verify the Application Proxy Connector status

1. In the Azure portal, click Azure Active Directory and verify the directory that was used to create the Work Folders proxy application is selected.
2. Click Application proxy .
3. In the Connector groups and connectors section, verify the connector is listed and the status is Active .

 

Verify the Work Folders server is configured to use Integrated Windows Authentication

The Work Folders server is configured by default to use Integrated Windows Authentication.

 

To verify the server is configured properly, perform the following steps:

1. On the Work Folders server, open Server Manager.
2. Click File and Storage Services , click Servers , and then select your Work Folders server in the list.
3. Right-click the server name and click Work Folders Settings.
4. Click Windows Authentication (if not selected) and click OK .

Note : If the Work Folders environment is currently configured to use ADFS authentication, changing the authentication method from ADFS to Windows Authentication will cause existing users to fail to authenticate. To resolve this issue, the Work Folders clients will need to be re-configured to use the Work Folders proxy application URL or create another Work Folders server that will be used for Azure AD Application Proxy.

 

Create an SPN for the Work Folders server

1. On a domain controller , open an elevated command prompt.
2. Type the following command and hit enter :

setspn -S http/workfolders.domain.com servername

Example : setspn -S http/workfolders.contoso.com 2016-wf

 

In the example above, the FQDN for the work folders server is workfolders.contoso.com and Work Folders server name is 2016-wf.

 

Note : The SPN value entered using the setspn command must match the SPN value entered in the Work Folders proxy application in the Azure portal.

 

Example

 

 

Configure constrained delegation for the App Proxy Connector server

1. On a domain controller , open Active Directory Users and Computers.
2. Locate the computer the connector is running on (example: 2016-appc).
3. Double-click the computer and then click the Delegation tab.
4. Select Trust this computer for delegation to the specified services only and then select Use any authentication protocol.
5. Click Add , click Users or Computers , enter the Work Folders sever name and click OK.
6. In the Add Services window, select the SPN that was created and click OK,
7. Verify the SPN was added and click OK .

 

Optional: Install the Work Folders certificate on the App Proxy Connector server

You can skip this section if you're not using a self-signed certificate on the Work Folders server.

 

If the Work Folders server is using a self-signed certificate, you need to export the certificate on the Work Folders server and import the certificate on the App Proxy Connector server. This step is necessary for the App Proxy Connector server to communicate with the Work Folders server.

To export the certificate on the Work Folders server, follow these steps:

1. Right-click Start , and then click Run.
2. Type MMC , and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Available snap-ins list, select Certificates , and then click Add . The Certificates Snap-in Wizard starts.
5. Select Computer account , and then click Next .
6. Select Local computer: (the computer this console is running on) , and then click Finish .
7. Click OK.
8. Expand the folder Console Root\Certificates(Local Computer)\Personal\Certificates.
9. Right-click the Work Folders certificate, click All Tasks , and then click Export.
10. The Certificate Export Wizard opens. Select Yes, export the private key.
11. On the Export File Format page, leave the default options selected, and click Next.
12. Create a password for the certificate. This is the password that you'll use later when you import the certificate to other devices. Click Next.
13. Enter a location and name for the certificate, and then click Finish .

To import the certificate on the App Proxy Connector server, follow these steps:

1. Right-click Start , and then click Run.
2. Type MMC , and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Available snap-ins list, select Certificates , and then click Add . The Certificates Snap-in Wizard starts.
5. Select Computer account , and then click Next.
6. Select Local computer: (the computer this console is running on) , and then click Finish.
7. Click OK.
8. Expand the folder Console Root\Certificates(Local Computer)\Trusted Root Certification Authorities\Certificates.
9. Right-click Certificates , click All Tasks , and then click Import.
10. Browse to the folder that contains the Work Folders certificate, and follow the instructions in the wizard to import the file and place it in the Trusted Root Certification Authorities store.

 

Optional: Enable Token Broker for Windows 10 version 1703 clients

Token Broker is an authentication broker that supports device registration. When using Token Broker with Azure AD Application Proxy for remote access, the client device can be registered in Azure AD when configuring the Work Folders client. Once the device is registered, device authentication will be used to access the Work Folders server.

Device registration provides the following benefits:

• Improved single sign on experience (fewer authentication prompts)

• Device-based conditional access

How to enable Token Broker

To enable Token Broker on a Windows 10 version 1703 system, enable the "Enables the user of Token Broker for AD FS authentication" group policy setting which is located under User Configuration\Administrative Templates\Windows Components\Work Folders.



For Android and iOS devices, Token Broker will be used automatically when using Azure AD Application Proxy.

How to register devices using the Work Folders client
When Token Broker is enabled on a Windows client, the user will be prompted to register their device in Azure AD when configuring the Work Folders client. If the Work Folders client is managed via group policy, the device is automatically registered in Azure AD.

For devices (Android and iOS), the device is automatically registered when configuring the Work Folders client.

 

Configure a Work Folders client to use the Azure App Proxy URL

How to configure a Windows 10 version 1703 client to use the Azure AD App Proxy URL:

 

1. On the client machine, open the Control Panel and click Work Folders.
2. Click Set up Work Folders.
3. On the Enter your work email address page, click Enter a Work Folders URL instead and enter the Work Folders application proxy URL (e.g., https://workfolders-contoso.msappproxy.net ), and then click Next.
   • Note: The Work Folders application proxy URL is listed as External URL in the Azure portal when you view the Work Folders proxy application settings.
4. Enter your credentials and click Sign in.
5. After you have authenticated, the Introducing Work Folders page is displayed, where you can optionally change the Work Folders directory location. Click Next.
6. On the Security Policies page, check I accept these policies on my PC and click Set up Work Folders.
7. A message is displayed stating that Work Folders has started syncing with your PC. Click Close .

How to configure an Android or iOS client to use the Azure App Proxy URL:

1. Install the Work Folders app from the Google Play Store or Apple App Store.
2. Open the Work Folders app and then click Continue.
3. Click Enter a Work Folders URL Instead.
4. Enter the Work Folders application proxy URL (e.g., https://workfolders-contoso.msappproxy.net ), and then click Continue.
5. Click Launch Web Site, enter your credentials and click Sign In.
6. Add a passcode for the Work Folders application.
7. Work Folders will start syncing your files to your device.

 

Troubleshooting

If you experience an issue when configuring or using a Work Folders client, please see our troubleshooting guide: How to troubleshoot remote access to Work Folders using Azure AD Application Proxy

 

Additional Resources

• Work Folders overview

• Work Folders blog on TechNet

• Azure AD Application Proxy overview

• Azure AD Application Proxy blog on TechNet

• Network topology considerations when using Azure AD Application Proxy

• Management with Microsoft Intune