Writing rich client applications that can access Azure AD App Proxy published applications

Hi folks,

In this post, I wanted to draw attention to a feature that we'd released and documented some time back, but hadn't really covered in this blog. I often talk about how the application proxy enables bringing 'new age' value (like MFA, conditional access controls and security reporting) to legacy applications--a super compelling value proposition. This feature that I cover below is about enabling 'new age' clients to talk to legacy applications.

Azure AD Application Proxy is widely used to publish browser applications such as SharePoint, Outlook Web Access, and custom line of business applications. Now it is also possible to use it to publish HTTP backend services that are consumed by non-browser applications.

There is a growing demand in organizations to create mobile applications on various platforms that target backend services that for a variety of reasons need to exist on-premises. Now you can do that with the rich application support we've released.

The Azure AD app proxy now supports pre-authentication using Azure AD bearer tokens that rich client applications can obtain and pass in standard HTTP Authorize headers. The recommended method to do this is for these client applications to use the Azure AD Authentication Library (or ADAL for short). ADAL takes care of all the authentication flows and is supported on a variety of different client environments. Learn more about it here.

All the details of how to point these rich client applications at published apps are available here. Every pre-authenticated proxy app can be accessed this way. No need to make any configuration change.

One of the big advantages of App Proxy is that if your backend service uses Kerberos, then Application Proxy can convert the Azure AD token to a Kerberos ticket. As a result, your legacy backend systems can be easily published without changing their authentication mechanisms. However, you can still have 'new age' rich clients integrate with our modern authentication system and get SSO all the way to the backend.

Here is the overall flow:


Go ahead, give it a try! And let us know if u have any feedback. I’d also love to hear the types of apps you’re integrating through this paradigm—so feel free to leave a comment in that regard. And as always, if you have any feedback/questions feel free to contact the team at: aadapfeedback@microsoft.com.


Girish Chander


Comments (4)

  1. Marc Van der Sypt says:

    Is it possible to publish Windows Work Folders with the AD Application Proxy? If so, is there any guidance available for that?

    1. this is something we are exploring.

  2. Hemang says:

    We are trying to achieve something webapp authenticated with Azure AD. We have also set up SSRS server on VM in Azure and that VM is part of domain of Azure AD. Wanted that ssrs report rendered in web app but it dosent ask user for authentication and get authenticated with Azure AD token. but here Azure AD generates Open OAuth token and SSRS server implemented window intergrated authentication which requires Kerbereos or NTLM token. So not getting authentication happens.
    Appreciate your help.

Skip to main content