How to Choose an Azure AD Solution for Deploying Apps

       

Azure Active Directory is an Identity and application management platform that provides a variety of methods for publishing apps for either internal end user or external customer access. The applications deployed the applications deployed via Azure AD can be an On-premises web app, a third-party SaaS application or your own custom developed application.

This Blog post is not a “how to article” with detailed instructions on configuring apps in Azure AD; please checkout Microsoft’s docs for that information. However, I will be discussing the benefits of using Azure AD for publish apps to achieve Single Sign-on (SSO), the options available in Azure AD and how to choose the appropriate solution.

Why use Azure AD for App Deployment
With Azure AD operating as the Identity control plane that connects your On-prem environment with the Cloud, here are some of the benefits of using Azure AD for app deployment.

  • First, Azure AD provides features that allow you to secure access and manage risks to your apps.  For example, you can leverage Conditional Access policies that require MFA whenever an app is being accessed from a non-trusted location.
  • Apps deployed via Azure AD can use modern authentication and authorization protocols such as SAML, OpenID Connect and OAuth, which provide more secure methods of accessing resources.
  • A third benefit is the ability to enable Single Sign-on (SSO) for Azure AD integrated apps. This is another risk reduction feature that eliminates the need for end users to manage multiple passwords for various applications. This also provides a greater experience for end users.
  • Finally, if you have a Premium 2 license for Azure AD, Access reviews and Entitlement management are available to govern access to your apps. Access Reviews are tasks that are scheduled to periodically review your apps and make sure the right people have access to them. Entitlement management allows you to manage identities and access at scale. These are packages of Azure AD resources (apps, O365 groups, Azure AD groups) that internal and external users to your organization can request. Package assignment can be automated and set to expire.

This is only a small sample of the benefits that come with Azure AD app deployment, but there are plenty of others.

Prerequisites for Azure AD App Deployment
Before deploying any apps in Azure AD using the methods outlined below, you will need the following:

  • an Azure AD tenant but for App proxy an AD premium subscription
  • a hybrid connection to On-premises AD with identities synchronized to Azure AD.  This is necessary for Azure AD to pre-authenticate users to deployed apps.

Options for Deploying Apps in Azure AD
Scenario 1. Azure AD App Proxy
Let’s say you have an application that resides On-premises but moving it to the Cloud is not an option for compliance reasons. However, your goal is to make the application accessible for external clients without using legacy methods that involve opening firewall ports and managing DMZ based infrastructure. Here’s where Azure AD App Proxy comes to the rescue. Personally, I have used App proxy as a way to give external customers access to an On-premises SharePoint environment. But keep in mind, this solution is not typically for internal users.

These are the components that make up the App Proxy solution and how they work together:
1. HTTP(S) Endpoint – This is the URL that external users will go to for access to an On-Prem app
2. Azure AD App – the app object in Azure AD that contains the URL for external  and connects to the backend app via the App proxy connector
3. Azure AD – servers as the identity provider and performs pre-authentication when external users login via the the Endpoint URL.  After pre-authentication is complete, it issues a sign-on token containing the user’s UPN and SPN.
4. App Proxy service – resides in Azure AD and passes the information it receives from Azure AD to the App Proxy connector
5. App Proxy connector – an agent that resides on a local network server. It contacts Azure AD on behalf of the user to perform Kerberos Constrained Delegation (KCD) and receive a Kerberos token.
6. On-Premises AD – performs authentication before the request is sent to the backend application
7. On-Premises App – backend app such as SharePoint. It provides access to the user after receiving the Kerberos token from the App Proxy connector.

If you are planning to use this solution for SSO, be sure to enable Integrated Windows Authentication (IWA) on the app in Azure AD. Otherwise, users will get prompted to enter credentials a 2nd time by On-Prem AD. Checkout the link on App Proxy at the end of this article for details on how it works and to configure it.

Scenario 2. Azure AD Gallery Application
For this scenario, assume that your organization uses a SaaS application such as Salesforce and the goal is to provide SSO access to the application utilizing SAML authentication. Azure AD contains a large number of Third party apps like Salesforce that have been integrated into its gallery. Examples of apps that I have used this for are Zoom, Box and Ceridian Dayforce. To begin configuring a gallery app in the Azure portal, go to Azure Active Directory > Enterprise Applications > New Application.

This will take you to the Azure AD gallery where you can search for the app you need and add it to create an instance of the application.  Once the app has been added and the SAML configuration is complete, you will need to configure the SSO settings in the service provider’s app.

How it works:
1. Service provider – Users will attempt to access the app by going to its login URL. A SAML 2.0 AuthnReuquest is generated and redirects the user to Azure AD. In order to link the Service provider application with Azure AD, you must provide it with the Federation Metadata, client ID and URLs from the Azure AD gallery app.
2. Identity provider – this is Azure AD.  It receives the SAML 2.0 AuthnReuquest and sends a SAML response to the Service provider app, which then grants access to the user.

Scenario 3. Azure AD App Registrations
Imagine you have an application that is not in the Azure AD gallery, needs to be configured for SSO access and OpenId Connect authentication. This situation will call for deploying the app via App registrations in Azure AD.  I’ve used this method for backend Desktop applications. To get started, in the Azure portal go to Azure Active Directory > App registrations > New registration. As seen below, during setup you will need to provide a name for the app, supported account type and a Redirect Uri. When you’re done, select Register.

Here are the main components involved in this process:
1. Resource server – contains the resource or app that users will navigate to for login. It will redirect the request for access to the Authorization server for authentication. You will configure it with the app (client) ID and the OAuth Endpoint from Azure AD app registrations.
2. Authorization server – this is actually the Azure AD OAuth endpoint retrieved from the Endpoint and is usually in this format: https://login.microsoftonline.com/<tenant ID>/oauth2/v2.0/authorize. It receives the request for access and issues an id_token.
3. Authorization server – the OAuth Endpoint in Azure AD. It will issue an id_token containing the user’s ID after receiving a request for access.
4. OAuth client – the app instance that is created in Azure AD app registrations. It contains the Redirect Uri or base URL for your local app and is where the user is sent to access the resource app after successfully authenticating.

As you can see there are a number of benefits to using Azure AD for deploying apps. Before deciding how to deploy an app with Azure AD, it’s important to know what authentication protocols will be used, the app type, where the app resides and who needs to access it.

If you want to learn more, check out the following Microsoft docs:
Application management with Azure Active Directory
How and why applications are added to Azure AD
Integrating Azure AD with applications getting started guide
Add a non-gallery app to Azure AD
Remote Access to On-Prem App via Azure AD App Proxy
Azure AD App Registrations

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s