New Azure AD Application Proxy features are now available


Since the service became generally available in December, we have received overwhelming feedback from customers and partners. We are very happy to see real traffic from the first customers and are working on improving the service and implementing some of your suggestions.

In the last few days several changes have been rolled out:

 

Improved SharePoint & Office experience with MSO-FBA

Microsoft Office Form Based Authentication (MSO-FBA) is an authentication protocol that allows Office clients such as Word, PowerPoint and Excel to authenticate to SharePoint servers. We have made several changes in Application Proxy to support MSO-FBA and improve the experience.

The relevant scenarios include opening a document using Office client applications from within SharePoint Web pages and opening documents stored in SharePoint directly from Office clients, without Web interaction, e.g. opening documents from the “most recently used” list.

 

Option to disable host translation

We have added a new application configuration option to disable host translation in request and response HTTP headers.

By default, Application Proxy connectors replace the hostname in the request headers sent by the client device with the hostname of the backend server.


When this translation is disabled, the original hostname is sent to the backend application instead of the one that corresponds to the backend application hostname.

A similar process also happens in the HTTP response headers.

In some scenarios, it is useful to have the original host header to differentiate between internal traffic and traffic coming from Application Proxy. This is the case with some SharePoint Alternate Access Mapping (AAM) configurations.
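The two behaviours described above can be modelled in a few lines. This is an added example, not code from the original post or from the Application Proxy connector; the hostnames are constructed, the use of `Location` as the translated response header is an assumption, and only the host part is modelled (not scheme or port changes).

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed hostnames for illustration; neither comes from the original post.
EXTERNAL_HOST = "sp.contoso.example"       # name the client device connects to
INTERNAL_HOST = "sharepoint.corp.example"  # name of the backend server


def to_backend(request_headers, translate_host=True):
    """Model of the request headers the connector forwards to the backend."""
    out = dict(request_headers)
    if translate_host and out.get("Host", "").lower() == EXTERNAL_HOST:
        out["Host"] = INTERNAL_HOST  # default: backend sees its own hostname
    return out  # translation disabled: the client's original Host is kept


def to_client(response_headers, translate_host=True):
    """Model of the response headers returned to the client device.

    Location is used as the example of a translated response header
    (an assumption; the post does not list which headers are affected).
    """
    out = dict(response_headers)
    location = out.get("Location")
    if translate_host and location:
        parts = urlsplit(location)
        if parts.hostname == INTERNAL_HOST:
            out["Location"] = urlunsplit(parts._replace(netloc=EXTERNAL_HOST))
    return out


def traffic_origin(backend_request_headers):
    """Hypothetical backend-side check that keys on the Host header, in the
    way an AAM-style zone mapping distinguishes external from internal URLs."""
    host = backend_request_headers.get("Host", "").lower()
    return "application-proxy" if host == EXTERNAL_HOST else "internal"


if __name__ == "__main__":
    request = {"Host": EXTERNAL_HOST, "Accept": "text/html"}  # constructed
    for translate in (True, False):
        seen = to_backend(request, translate_host=translate)
        print(f"translate_host={translate}: backend sees Host={seen['Host']} "
              f"-> classified as {traffic_origin(seen)}")
```

With translation on, the backend cannot tell proxied requests from internal ones by hostname; with it off, the backend must be configured to accept the external hostname.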

We found out that many customers were replacing their Forefront UAG and Forefront TMG with Azure AD Application Proxy. These products had this option turned on by default and therefore many backend applications in such organizations accept this type of request. By adding this control to Azure AD Application Proxy, we allow these organizations to upgrade without making any changes to their backend applications. We are happy to provide smoother installation and UAG/TMG migration options and are looking for more cases like this.

 

License adjustments

As we promised, we have also enabled Application Proxy for users that have the Azure Active Directory Basic license.

Application Proxy license requirements for end users are enforced in two places:

  1. In the Access Panel – only users with an appropriate license will see tiles for proxy applications.

  2. When Application Proxy pre-authenticates a user for a proxy application, it verifies that she has an appropriate license.

This validation is on top of the regular authorization rules, such as user assignment to the application or access rules.

As part of this process we made our licensing enforcement more robust and revised some of the error messages so they are more meaningful and provide accurate information for end users and IT admins.

 

Under the hood

All of the above changes have a clear impact on the end-user and admin experiences. At the same time, we are also making lots of changes under the hood to ensure the service works properly, at scale, and adheres to the topmost security standards. We constantly measure the service performance and try to find ways to improve it.

One such change is starting to use Azure Service Bus Relay to establish connectivity between the connectors and the service. This slightly changes the networking pattern, since the connector now also uses port 9352 for outbound traffic to the Azure data center. Ports 20200-20210 that are currently used will be deprecated over time. Customers don't need to update their connectors, as the connectors automatically update themselves.

 

As usual, we would be happy to hear your feedback and suggestions. Our inboxes are full of emails coming from this blog – and we LOVE that.

We are currently working on several big and highly desired features that will be made public over the coming weeks. We will keep you posted via this blog and the AD team blog.

 
