azure ad application proxy
16 Topics

KB5016623 Issues with AAD App Proxy
Hello. We have encountered some issues with KB5016623. It is causing the server, a Win 2019 server running IIS, to crash after 5 to 10 minutes and to be unable to use AAD App Proxy connections that are set up to use Windows Authentication on the backend via Kerberos. We have 2 different scenarios:
1. A webserver with some legacy Windows auth based apps, alongside newer apps that use modern auth. The AAD app proxy connector is also installed on the webserver. The newer apps using modern auth are working fine, but the old Windows auth apps are failing to authenticate. Errors are:
Microsoft AAD Application Proxy Connector cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The handle specified is invalid (0x80090301)
After about 5-10 minutes, the server seems to crash with this error:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
The process wininit.exe has initiated the restart of computer <ServerName> on behalf of user for the following reason: No title for this reason could be found Reason Code: 0x50006 Shut-down Type: restart Comment: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart.
2. Another server, this one only with AAD app proxy, that accesses a separate SSRS Web Server, with the same issues as above.
In both examples, uninstalling KB5016623 has resolved the issue. We don't seem to be seeing any issues with other servers, e.g. DCs, at present. It mainly seems to be the combination of KB5016623 and AAD App Proxy with Kerberos back ends. Anyone else seeing any similar problems? Thanks, Andy

Azure AD Application Proxy - Remote Desktop Services (RDS) RDP UDP Support
A client uses an AAD app proxy to publish RDS and followed these Microsoft docs to set everything up: https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-integrate-with-remote-desktop-services Users authenticate against the remote desktop gateway to then access VMs that are hosted on-prem. Users now report that RDP sessions are somewhat slow and laggy, with the sessions freezing every 10-20s for 1-2s. We've checked the entire environment and found out that RDP sessions are using UDP 3391 but TCP 443. There seems to be a limitation with the app proxy being unable to support UDP, as first noticed in 2017 (https://social.technet.microsoft.com/Forums/windows/en-US/800bbe5e-afbc-46ed-bdb9-9e3f942337c7/performance-issues-when-using-rds-2016-in-azure-with-azure-ad-ds-and-azure-app-proxy), then again in 2019 (https://social.technet.microsoft.com/Forums/en-US/8dd34139-9aa2-4339-8aed-1c6e645b5766/rds2019-azure-web-proxy-udp) and again in 2022 (https://feedback.azure.com/d365community/idea/f3a05c53-853d-ec11-a819-000d3ae2b5ca). Can someone confirm this? Is there an update from Microsoft on when the app proxy might support UDP?

Azure App Proxy timeout
We are running our desktop app behind Azure App Proxy with preauth enabled. The desktop app connects to a server to fetch and update data. When running it directly, it runs fine; however, behind the Azure App Proxy, we get a timeout error after 10 minutes. Looking through the HAR network logs, the only cookie that has a 10-minute timeout is the AzureAppProxyPreauthSessionCookie. Is there a way to avoid such timeouts without disabling preauth for that desktop app? The desktop app authenticates with a server through an embedded WebView2 window, so is there something that should be done on the desktop app or the server to integrate with Azure App Proxy?

Entra Global Secure Access / Internet Access
We have apps in Azure and AWS. These cloud apps are IP restricted. Staff can only access these apps if they're working in the office or connected to the office VPN (i.e. traffic is proxied over the VPN and out through the office WAN IP). Rather than VPN, could we use 'Entra Internet Access' to allow remote users access to these Azure/AWS cloud apps? Is that possible, and if so, would we need to install the Global Secure Access connectors in Azure and AWS, or is there some kind of shared egress IP we can use and whitelist in Azure/AWS?

AAD application proxy: access from external issue
Hello, I have published an application with SAML SSO. From internal, it works fine. When I connect to https://myapp, all is ok. I have set up an external URL: https://myapp.my_custom_external.com When I try to access it, I get error AADSTS50011. I added https://myapp.my_custom_external.com to the redirect URIs as this article mentioned: https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/app-integration/error-code-aadsts50011-redirect-uri-mismatch But now when I try to access https://myapp.my_custom_external.com, I get a timeout. Can you help me? Thanks. Regards.

Spring Boot SAML Authentication Issue with Identity Provider (IdP) on Virtual Machine
I am developing a Spring Boot application with SAML-based Single Sign-On (SSO) authentication, using an Identity Provider (IdP) such as Azure (Microsoft Entra ID). I have configured the IdP with the application and used a proxy to communicate between my application and the IdP, which is running at http://localhost:8080. Everything works fine locally. The problem arises when I deploy the same Spring Boot project on a virtual machine (VM) to run it. The VM address is http://xx.y.z.ww:8080/. Since the IdP is configured with the ACS location as http://localhost:8080/login/saml2/sso/adfs, I have attempted to configure the IdP with the VM address (http://xx.y.z.ww:8080/), but it only accepts addresses with 'localhost'. Is there a workaround or solution to achieve the same behavior on the VM? How can I configure the IdP or Spring Boot application to handle this scenario properly?

Microsoft alert regarding the Yahoo mail app
I have been receiving Admin alerts from Microsoft stating: "We've detected users in your tenant may have had email messages unexpectedly deleted by the Yahoo mail app". The recommended action is to identify users and work with them to help them retrieve the emails. To identify the users, we are instructed to look up the app in the Entra portal by app ID, then identify the user. I did, and I got a match to an Object ID, which I assume is the user ID. So I looked up the Object ID in the Entra Admin Center, in the search box at the top of Home, Users, All users, and I get no matches. Am I not looking correctly, or is the message saying that there are users in my org using that app a generic message that doesn't really apply to us? Thanks.

Entra Private Network Connector very slow compared to direct access using pass-through
I have a web based application with a backend SQL server attached to it. We have both internal and external users accessing it. Internal users go directly to the https website, while external users go through the application proxy. After logging in and opening a project, which fires off a SQL query, there is a huge delay when going through the proxy, and I can't figure out why. Internally, looking up a project takes between 10-20 sec depending on the size of the project, while using the same method and same project through the proxy we are waiting 1-2 minutes for the same result. The old server is running in a DMZ zone, and I want to replace this with an app proxy based server, but with it being so slow I'm not able to move forward. Any ideas what to look for?

Azure Application Proxy - Add application segments grayed out
We are trying to add an Azure Application Proxy wildcard application, but when adding it, "Add application segments" is grayed out and does not allow clicking the add function.
Internal Url: https://*.test.com
External Url: https://*.test.com
Please help me with how to configure it so that I can Add application segments.

Global Secure Access bypass (Internet and web filtering)
Hi, I understand that in Global Secure Access "365" I can use a Conditional Access Policy to block access to 365 if not from an "All Compliant Network locations" location, to prevent a user pausing the client. But if I want to use Global Secure Access "Internet" and use the web filtering, how do I prevent a user pausing the client and bypassing the restriction? I assume this would be a Conditional Access rule, but how would you prevent any/all Internet traffic bypassing the client on pause?