Azure AD App Proxy value through the eyes of an EMS Blackbelt

Hello folks,

In this forum, you typically hear from us in the product team as we cover different aspects of Azure AD App proxy value and feature set. For today’s post I thought it would be good for you folks to hear about the App proxy as seen through the eyes of someone outside of the product team.

Wes Kroesbergen is an EMS (Enterprise Mobility Suite) Blackbelt. His job entails working with customers to help them understand and adopt different features across our Enterprise Mobility Suite offering. I met Wes recently on a trip to Toronto where we were meeting customers together. And while there Wes couldn’t stop talking about how excited he was about the App proxy. So I decided to have him put together a guest blog post here, so you could hear from him directly.


Girish Chander.



Increasing Security Posture and Operational Efficiency with Azure AD App Proxy


Hello! As part of the Americas EMS Blackbelt team, I visit with many enterprise customers, helping our customers understand the immense value in our Enterprise Mobility Suite. One of the things I’ve observed is a lack of awareness around some of the powerful capabilities of our identity services, and how our cloud-first development is also geared toward accruing value for on-premises applications. The Azure AD team has granted me the privilege today to guest post on one of the most untapped features of Azure AD: Azure AD App Proxy.

Azure AD App Proxy delivers three very key business values for organizations leveraging the Enterprise Mobility Suite:

  • Improve Security Posture
  • Improve Operational Efficiency
  • Reduce VPN Overhead

Let’s dig into each of these in more detail.

Improve Security Posture

Reduce Ingress Points

Azure AD App Proxy enables customers to begin paring down the services they expose through their on-premises perimeter. App Proxy works by setting up an outbound connection to Azure datacenters, with no inbound ports required on the perimeter. Azure’s datacenters then act as the proxy front-end, transparently mitigating attacks like Denial of Service against the endpoint. Authenticated, authorized users are proxied back through the established connection with your network, and seamlessly sign your users into their applications via secure Kerberos delegation. Below is a high-level diagram describing how this feature works.
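Because the connector host impersonates signed-in users to the back-end application via Kerberos constrained delegation, its computer account is worth auditing: it should be constrained to the published applications' SPNs only, never unconstrained, and it must allow protocol transition since the user authenticated to Azure AD rather than with a Kerberos ticket. The following PowerShell audit is an added example, not code from the original post or from the App Proxy product; it assumes the RSAT ActiveDirectory module, and the connector host names and SPNs are placeholders for your environment.

```powershell
# Added example (not from the original post): audit Kerberos constrained delegation
# on App Proxy connector hosts. Requires the ActiveDirectory module (RSAT).
# Host names and SPNs are placeholders; substitute your own connector hosts and apps.
Import-Module ActiveDirectory

function Test-AppProxyConnectorDelegation {
    param(
        [Parameter(Mandatory)][string[]]$ConnectorHost,   # sAMAccountName without trailing $
        [Parameter(Mandatory)][string[]]$ExpectedSpn      # e.g. 'HTTP/legacyapp.contoso.local'
    )
    foreach ($name in $ConnectorHost) {
        $c = Get-ADComputer -Identity $name -Properties 'msDS-AllowedToDelegateTo',
             TrustedForDelegation, TrustedToAuthForDelegation
        $allowed  = @($c.'msDS-AllowedToDelegateTo')
        $findings = @()

        # Unconstrained delegation would let a compromised host impersonate users to ANY service.
        if ($c.TrustedForDelegation) { $findings += 'Unconstrained delegation enabled' }

        # App Proxy KCD needs protocol transition ("use any authentication protocol")
        # because the user never presents a Kerberos ticket to the connector.
        if (-not $c.TrustedToAuthForDelegation) { $findings += 'Protocol transition disabled; KCD SSO will fail' }

        # Every SPN beyond the published apps widens the blast radius of the connector host.
        $extra = @($allowed | Where-Object { $ExpectedSpn -notcontains $_ })
        if ($extra.Count -gt 0) { $findings += "Unexpected delegation targets: $($extra -join ', ')" }

        $missing = @($ExpectedSpn | Where-Object { $allowed -notcontains $_ })
        if ($missing.Count -gt 0) { $findings += "Missing delegation targets: $($missing -join ', ')" }

        [pscustomobject]@{
            Host      = $name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings
        }
    }
}

# Placeholder hosts and SPN; run against each connector host in the connector group.
Test-AppProxyConnectorDelegation -ConnectorHost 'APPPROXY01','APPPROXY02' `
    -ExpectedSpn 'HTTP/legacyapp.contoso.local' | Format-List
```

Run it from a domain-joined management host with rights to read the connector computer objects; any non-empty Findings list is something to fix before publishing more applications through that connector group.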


Mitigate Out of Date Appliances

Updating firewall appliance firmware can be disruptive. Unfortunately, it is also necessary, as attackers exploit known vulnerabilities with ever-increasing speed. By shifting the ingress point to Azure’s datacenter, the risk of compromise via out-of-date firmware on a current or deprecated firewall appliance is reduced.

Protect Identities with Machine Learning

We recently introduced Azure AD Identity Protection in public preview. Identity Protection combines machine-learning-driven security intelligence with data feeds from Microsoft’s Digital Crimes Unit and the Microsoft Security Response Center to proactively identify compromised accounts and to offer real-time protection from risky sign-ins.

With Azure AD App Proxy, we are able to extend the powerful protection that comes with Azure AD Identity Protection to even a 15-year-old legacy application sitting on-premises, created well before the cloud-first, mobile-first world was on the horizon! Wow, just imagine!

Below is a sample screenshot of Identity Protection.


Remove Password Exposure with Windows 10

With Windows 10, we introduced Microsoft Passport, an incredibly powerful, password-less authentication method for Azure AD Joined machines. When Windows 10 is joined to Azure AD via strong authentication (MFA), a key pair is generated: the private key is stored in the TPM chip, and the public key is registered with Azure AD. When the user authenticates to an Azure AD resource like an App Proxy app, the private key in the TPM chip is used to authenticate the user to Azure AD. The powerful combination of Microsoft Passport and Azure AD App Proxy delivers incredible anywhere access to on-premises resources without the overhead of a traditional VPN or DirectAccess infrastructure.


Improve Operational Efficiency

Increase Agility

One of the things I’ve noticed as I work with customers is the timelines for exposing services through the perimeter. Rigorous change controls often drag timelines out to multiple weeks. One organization I talked to said it takes up to 6 weeks to get network changes made! Once Azure AD App Proxy is in place, access to resources becomes just a part of the Identity and Access Management tasks, without the overhead of network infrastructure.

Achieve High Availability Easily

Exposing services in a highly resilient fashion through the perimeter is often expensive and complicated. Achieving resiliency with App Proxy is as simple as installing the connector on another on-premises server! Each connector sets up its own outbound tunnel to the Azure datacenters, and the App Proxy service takes care of all the complexities of distributing traffic as it flows back to the on-premises applications!

Reduce VPN Overhead

Improve Mobile Experiences

VPN over mobile networks is often unreliable. VPN protocols generally involve some level of overhead to keep the tunnel alive, and on bandwidth-constrained mobile connections, or on devices in poor coverage, the VPN tunnels are often unreliable. Leveraging App Proxy can enable better application experiences, due to the removal of VPN tunnel overhead.


Azure AD App Proxy is an incredibly powerful business enabler. App Proxy can enable your business to improve its security posture, improve operational efficiency, and reduce VPN overhead. Every customer I’ve talked to about this feature is immediately excited and eager to try it out. I encourage you to investigate leveraging this powerful capability within your environment.

Comments (3)

  1. Nick Hogarth says:

    Great post. Thanks. Can you use the AD app proxy for IaaS machines in Azure? It would be good to use the Azure AD authentication for some legacy web apps on VM’s hosted in Azure.

    1. In terms of publishing these apps via AAD-AP, then yes absolutely, as you’d simply install a proxy connector somewhere in the IaaS VNet that the VMs belong to, or a connector on each individual VM, if necessary. Might be worth raising a case through the normal support channel and we’ll be more than happy to guide you and discuss all possible options. Thanks

  2. Simon Cheng says:

    Great post!
    This helps with convincing our teams why this is an important toolset.
    We had issues using it before with some legacy on-premises web applications; hopefully with the new versions some of these annoyances have been remediated.
