Securing API Access beyond Intranet with Azure AD Application Proxy


Many of you have said that you have business logic/API either running on premise or somewhere hosted in Virtual Machines across the cloud. These native apps often run on iOS/Android/MAC/Windows and need to interact with the API endpoints to make use of the data or provide a way of user interaction. This is a scenario that is also supported with Azure AD Application Proxy. As with other solutions supported with the Application Proxy, this lets you move from scenarios where you would need to open firewall ports and control authentication and authorization at the app layer (Figure 1 below) to a faster and more secure solution which also allows additional security through Azure AD premium features like Multifactor Authentication, Device Based Conditional Access for Desktops, iOS/MAC and Android devices using Intune (Figure 2 below).

 

Api Figure1

Figure 1: A typical way to publish you on premise resources.

 

Api Figure2

Figure 2: Securely Publish your APIs using the Azure AD App Proxy without requiring any incoming ports.

The Overall Solution

The Azure Ad Application Proxy forms the core backbone of the entire solution working as public endpoint for API access, providing Authentication and Authorization. You could access all your API’s from a vast array of platform using the ADAL Libraries. To give an overview of this solution, I'll walk through a demo.

For the Demo lets assume we are hosting an API service on premise.

Api Figure 3

Sample Rest Response

Api Figure4

Publish the API using the App Proxy

Let’s drill into how you can publish this API. It is follows the same pattern as publishing web applications.

Step 1: Ensure the Pre-Authentication is set to Azure Active Directory.

Api Figure5

Step 2: Hide the application from end users

Since this is an API you do not want this to be available in the MyApps Panel to your end users, set the "Visible to users?" option to "No".

Api Figure6

Step 3: Configuring the Authorization, select users and group who can access this application.

As with any other application, you will need to assign users to the application.

Api Figure7

With the above three steps you should have your API published outside of the intranet through the Application Proxy.

Note: There might be additional steps required if your API is protected with Windows Integrated Auth

Configuring Native App Registration and Granting Access

Native applications are program developed for use on a particular platform or device. Before the App can connect and access the API you would need to registger App in Azure. For the next step will walk you through the to register App and configure access to the API published above.

More details can be found here

Step 1: Native App Registration: Create a new App Registration

Api Figure10

Step 2: Grant Access to the API published (in the previous step)  via Application Proxy 

Api Figure 11

Api Figure 12

 

Configuring the Native Application Parameters

Last step is to identify and configure the Native Application.

Step 1: Click on App Registrations  

Api Figure 8

Step 2: Drill into the application you just created and capture the App ID URI

Api Figure 9

The Native App uses the header to attach the bearer token for the request for making call to the API.The below snippet uses the ADAL Library to aquire token and attach it as Bearer to the Header. A sample web app and Native App can be found here

Api Figure14

The App configuration requires you to supply in the values from the above screen-shots.

Api Figure 13

Once the parameters are configured, you can try the application and confirm that the Native App was successfully able to access the API hosted on-premises.

AppExperience

 

Conclusion

Now we can have Native Apps that are IOS/Android/MAC/Windows  able to utilize the ADAL (Azure Active Directory Authentication Libraries) and Azure AD Application proxy to be able to securely access the APIs hosted on premise. Since Azure AD App Proxy  Authentication and Authorization is built on top of Azure AD, you can  also leverage the Azure AD Conditional access to ensure the API access can only work on trusted devices such as Azure AD join or Azure AD Hybrid Joined for the Desktops and Intune Managed for the IOS/MAC and Android device along with a choice to ensure Azure Multifactor Authentication along with  the security backed by machine learning of the  Azure Identity Protection.

 

Best,

Jeevan Bisht

Program Manager - GTP


Comments (0)

Skip to main content