Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

AAD Application Proxy and B2B Users

Brass Contributor

Just want a confirmation the following would work:

Invite B2B user

Create DISABLED AD Account on local ADDS with the UPN of the invited B2B user (Automation via SCIM Provisioning)

Use AAD App Proxy to provide on-premises application to B2B user

16 Replies
Do you then mean that the Azure AD App Proxy App should use Windows Authentication?
best response confirmed by Alexander Filipin (Brass Contributor)
Solution

Hi, I assume you are looking to use the app proxy for organizations with on-premises apps which are using Windows authentication.  We are currently working on the documentation for this scenario which should be posted to docs.microsoft.com shortly.   In principle, creating an account in a AD domain corresponding to a user in Azure AD, including a guest user, would enable the app proxy to match the user coming in from Azure AD and use KCD for impersonation and permit that user to then access Windows integrated authentication, however there are a number of account lifecycle subtleties here.  So even if you see the app proxy is able to permit the communication flow, I'd suggest waiting for the documentation as there are a number of deloyment considerations and best practices to look at (e.g., what container to put the users in, when to deprovision the user from AD, how to avoid RID exhaustion and end user confusion about "All authenticated users" etc)  Feel free to reach out to us if you have additional questions.  Thanks, Mark  

On-premises application based on windows authentication
AAD App Proxy configured AAD as Preauth method
Internal Auth confiured as Integrated Windows Auth.

This would allow to provide a internal "legacy" app to a B2B user
Hi Mark,
create to hear this :)
Thats exactly what we are looking for. We (Oxford Computer Group Germany) just started working on a SCIM client to get some automation into this for our customers.

Looking forward to see it on docs!
And for the app proxy to use KCD for impersonation the account could be disabled or?

It is correct that the user does not need to authenticate themselves to the AD DS domains.  However the documentation on the combination of AD user account attributes that will be supported with Azure AD App Proxy for Windows integrated auth applications will need to be updated for the B2B guest scenario.  (Typically for employees accessing on-premises apps, the users have been enabled on-premises as well as in Azure AD, so this issue has not yet showed up -- until now when we have guests).  We'll need the Azure AD app proxy for guest scenario validation to be completed so we can ensure the combination of attributes work together, since KCD scenarios are often difficult to get working on first try particularly for multi-domain/multi-forest scenarios.  Feel free to reach out to Sarat or I offline via email if you wish to discuss further.  Thanks, Mark 

Perfect, will reach out to you if we get into detail any time soon.


@Mark Wahl wrote:

It is correct that the user does not need to authenticate themselves to the AD DS domains.  However the documentation on the combination of AD user account attributes that will be supported with Azure AD App Proxy for Windows integrated auth applications will need to be updated for the B2B guest scenario.  (Typically for employees accessing on-premises apps, the users have been enabled on-premises as well as in Azure AD, so this issue has not yet showed up -- until now when we have guests).  We'll need the Azure AD app proxy for guest scenario validation to be completed so we can ensure the combination of attributes work together, since KCD scenarios are often difficult to get working on first try particularly for multi-domain/multi-forest scenarios.  Feel free to reach out to Sarat or I offline via email if you wish to discuss further.  Thanks, Mark 


Mark, do you know if the guide has now been published? Our set up is SharePoint and Web Servers deployed on Windows IIS all deployed in an Azure IaaS environment. These servers are joined to the Azure  AD DS Domain. The application is published using Application Proxy, with IWA and Azure AD. However, we cannot seem to get external users to authorize on the backend application. For consumer identity we get MFA and then get forbidden and autorization errors, for external organisation users, the collaboration invitation does not get delivered to the recipient. I  created the external users in the Azure AD DS environment and modified the UPN to reflect the invited external users -  However no joy. Internal users however works.

 

Can you confirm if this is a supported configuration?


@Mark Wahl wrote:

It is correct that the user does not need to authenticate themselves to the AD DS domains.  However the documentation on the combination of AD user account attributes that will be supported with Azure AD App Proxy for Windows integrated auth applications will need to be updated for the B2B guest scenario.  (Typically for employees accessing on-premises apps, the users have been enabled on-premises as well as in Azure AD, so this issue has not yet showed up -- until now when we have guests).  We'll need the Azure AD app proxy for guest scenario validation to be completed so we can ensure the combination of attributes work together, since KCD scenarios are often difficult to get working on first try particularly for multi-domain/multi-forest scenarios.  Feel free to reach out to Sarat or I offline via email if you wish to discuss further.  Thanks, Mark 


Mark, do you know if the guide has now been published? Our set up is SharePoint and Web Servers deployed on Windows IIS all deployed in an Azure IaaS environment. These servers are joined to the Azure  AD DS Domain. The application is published using Application Proxy, with IWA and Azure AD. However, we cannot seem to get external users to authorize on the backend application. For consumer identity we get MFA and then get forbidden and autorization errors, for external organisation users, the collaboration invitation does not get delivered to the recipient. I  created the external users in the Azure AD DS environment and modified the UPN to reflect the invited external users -  However no joy. Internal users however works.

 

Can you confirm if this is a supported configuration?

 

Thanks.

Hi Mark, just wondering if and where I can find the update documentation about this topic.

 

Thanks in advance,

Ronny 

Any updates from Mark Wahl on the document?

 

Hi Mark, any updates on the documentation?

I Tested this in my lab today and made things work for guest access to on premises applications via Integrated authentication as well as federated authentication by creating a shadow user in the on-premises directory.

However, the UPN passed back to my on-premises applications seems to differ in each case.

 

Federated Authentication seems to be passing my original UPN:

guest.user@guestdirectory.com

 

while Application Proxy is passing my guest UPN from the test tenant:

guest.user_guestdirectory.com#EXT#@mydirectory.com

 

So for now, I ended up having two different Accounts in my on-premises directory. I thought about using a different attribute, but application proxy only gives me a limited choice and I think UPN is still the most convenient pick.

 

Any Ideas on how to overcome this? 

Has there been any progress on the documentation or is any guidance available.

@Mark Wahl I started configuring the new B2B shadow accounts, but it seams that the Application Proxy ignores the "Delegated Login Identity" configuration.

 

This results in the fact that my on-prem application server receives the cloud UPN (the one with #EXT#) instead of the configured sAMAccountName in the on-prem AD and respondes with a 401 since the user is not found/matched.

 

I assumed that the on-prem connector fetched the sAMAccountName form the on-prem AD, but it looks like it's using the onPremisesSamAccountName in Azure AD for this assignment (which is not available for B2B users and read-only via the Graph API).

 

Any suggestion for the issue I'm facing?

 

Regards,

 

Nick

1 best response

Accepted Solutions
best response confirmed by Alexander Filipin (Brass Contributor)
Solution

Hi, I assume you are looking to use the app proxy for organizations with on-premises apps which are using Windows authentication.  We are currently working on the documentation for this scenario which should be posted to docs.microsoft.com shortly.   In principle, creating an account in a AD domain corresponding to a user in Azure AD, including a guest user, would enable the app proxy to match the user coming in from Azure AD and use KCD for impersonation and permit that user to then access Windows integrated authentication, however there are a number of account lifecycle subtleties here.  So even if you see the app proxy is able to permit the communication flow, I'd suggest waiting for the documentation as there are a number of deloyment considerations and best practices to look at (e.g., what container to put the users in, when to deprovision the user from AD, how to avoid RID exhaustion and end user confusion about "All authenticated users" etc)  Feel free to reach out to us if you have additional questions.  Thanks, Mark  

View solution in original post