Today we are announcing General Availability (GA) of Azure Active Directory Application Proxy! This is a big step for the service and we have done many fixes and improvements under the hood to take it to a level of reliability, performance, security, and scale that is suitable for your business use. General Availability also means that we back this up with Service Level Agreement (SLA).
We have seen amazing interest in the service during the preview months. Several thousands of tenants activated the preview and published applications. They generated more than a million HTTP transactions. We want to thank all of them. It allowed us to tune it and to get it to where we are today.
And not only are we announcing the General Availability of the service, but we are also adding new capabilities that will enable you to publish almost any on-prem application, will also improve your admin experience, and will increase the value of the service. Below we name some of these capabilities.
Single sign-on to backend applications using Kerberos Constrained Delegation (KCD)
Application Proxy can already preauthenticate users before they are granted access to the on-prem application. With the new capability it will also be able to authenticate users to the backend application, so no additional sign-ins are required from them. This allows a smooth and seamless access experience to on prem Integrated Windows Authentication (IWA) applications – users only need to enter their credentials on the cloud and they will be able to access all these on-prem applications without having to sign-on again to each one of them.
Admins can now add their on-prem SharePoint, Outlook Web Access, or any other Web application that supports Integrated Windows Authentication, to Azure Active Directory without changing them. There is no need to install anything on the applications servers. Just enable Kerberos Constrained Delegation (KCD) on the connector machine and you’re done.
Behind the scenes, the connector is using the Kerberos delegation capabilities to impersonate as the end-user toward the application. From the application point of view, this is just a regular user. The complexity is invisible for the applications and for the end-users that can use whatever device they want and still have single sign-on to these applications.
In the current release, the proxy assumes that the same user identity (UPN) exist both on-prem and on Azure Active Directory. In future releases we are going to address more complicated configurations.
Connectors are auto-update from the cloud
The first step to enable the application proxy is to install its connectors on machines that are connected to the corporate network. We view these connector not as a traditional box product but as an extensions of the cloud service that operates like a cloud service. The connectors are already stateless and pulling all their configuration and settings from the cloud service. We want to take this one step further by removing the need to update these connectors manually. The new Application Proxy connectors will constantly check to see if there is a new version and will apply the update gracefully with minimal down-time. If you are running more than one connector, the service will not be interrupted. In the future, the service will give you more control on the update policy and more visibility on the status of your connectors.
This is just the first step in a long journey we are taking to get to a zero on-prem maintenance for the connectors. Our long term goal is that once installed, you would never have to log into these machines. We will give you all the tools to control them from the cloud.
As a result of this change, we ask our existing customers to uninstall their existing connectors and to install the new connector version. The preview connectors (versions before 1.2) will stop working soon. This would be the last time you manually have to do this, from now on, we will update it automatically.
Enable Application Proxy for Azure Active Directory Basic users
Right now the Application Proxy service is available only for Azure Active Directory Premium users and administrators. Starting in the coming weeks we will gradually enable the service also for Azure Active Directory Basic users. We are doing this to enable companies to provide access to their on-prem applications to more and more users removing the need to have additional reverse proxy solution.
We don’t stop here! Our team works full steam ahead on improving the service and adding more capabilities to make sure you can move your remote access to Azure Active Directory. We are going to carefully examine the service usage patterns to understand what you are trying to do and what is blocking you. We are already working on bunch of new capabilities that would be delivered in the near future. Here are some of them:
Custom domains: publish applications with your own domain and SSL certificate so you can have external address like app1.contoso.com and not only app1-contoso.msappproxy.net.
Path filtering: publish only part of the server using path. For example, allow access to sp.contoso.com/site1 and not to any other paths on the server.
Office clients integration: Improved experience when triggering Word, PowerPoint and Excel from a Web page or a link.
Connector management and monitoring from the cloud to put the admins in control.
We are going to have additional posts on these new features soon. As usual, we are always happy to hear your feedback. Send us an email to aadapfeedback@microsoft.com.
Meir Mendelovich and the application proxies team