Azure AD App Proxy and MFA – Quick Demo

Most organisations have websites or intranets that are hosted on servers inside their corporate network.

Accessing these sites while mobile or working from home has traditionally used one of three approaches:

  • Establish a VPN connection to the corporate network.
  • Publish the website via some form of reverse proxy hosted in the DMZ
  • Access the website via an RDS/VDI session (often using one of the first two mechanisms)

Each of these approaches work, but have complexities or downsides:

  • VPN software may not work on mobile, home or BYO devices.
  • DMZ networks and reverse proxies are complex and costly if not already in place.
  • RDS/VDI requires infrastructure to establish and is a clumsy experience if all that is needed is a website.

Azure Active Directory Application Proxy provides an additional mechanism to allow internally hosted sites to be accessed externally without requiring VPNs, DMZs or RDS/VDI.

Testing App Proxy with MFA


  • An Azure AD instance with Basic or Premium features enabled or in trial mode.
  • An Azure MFA provider configured and linked to the AAD instance
  • The URL of an internal website
  • A small Windows 2012R2 virtual machine that can :
    • Access the internal website
    • Access the internet (outbound)
  1. Start the Classic Azure management portal, navigate to your Azure AD instance and select the Applications tab

  2. Select Add and pick Publish an application that will be accessible from outside your network

  1. Enter the relevant details for the website. Note the internal URL is one you would use on a machine inside your corporate network.

  2. Click OK
  3. The status page for the Azure AD Application will then be shown. Select Download a Connector

The connector should be downloaded and installed on the Windows 2012R2 VM

  1. Once the connector is installed and tested, select the Configure tab of the application in the classic Azure management portal.

  2. Scroll down to multi-factor authentication… and click ON

For the purposes of this demo, leave other settings unchanged.

  1. Click Save at the bottom of the screen
  2. Add user(s) to test with to the application – highlight the use and click Assign

  3. Copy the external URL from the configure tab :

    Note : In a production environment, you would typically use your own DNS suffix rather than the Azure provided one.

  4. Paste into a browser. You may need InPrivate/Incognito or similar if you are already logged into Azure AD with different credentials.

A logon screen similar to below should appear. The graphics/text on the left are due to customised branding on the AAD environment itseld

  1. Log in with the user that you enabled for the application – in this case

  2. We are now being notified that MFA is required

    If this is the first time the user has been required to use MFA, an enrolment process will be initiated.

  3. Once the MFA approval has gone through the website should be displayed.

Notes on this demo :

  • Screenshots and steps correct at Sep 9th 2016 – things change.
  • The internal website in this case did not require any explicit authentication itself – if it did additional steps would be required to pass credentials through.
Comments (1)
  1. Nick Hogarth says:

    Its also good on the Windows Server 2012 R2 box with the Connector installed to verify that it has the correct open ports by going to

Comments are closed.

Skip to main content