Azure AD (Active Directory) Application Proxy Explained for Businesses
As more and more companies are hacked, cyber insurance requirements grow stricter. Your insurance provider is probably pushing you to get a web proxy, but you don’t know exactly what it is or how to get it.
Enter Azure AD (Active Directory) Application Proxy – a Microsoft Azure AD product designed for precisely this situation.
But before getting Azure’s Application Proxy, you have to answer the following questions:
- What is Azure Active Directory (AD)?
- What is Azure AD Application Proxy?
- What are the uses of Azure AD Application Proxy?
- What businesses need Azure AD Application Proxy?
- How do you get Azure AD Application Proxy?
These are the questions our clients at ITS ask us before getting Azure; they’re also the questions we’ll answer for you. By the end of this article, you’ll have the ability to decide if Azure Application Proxy is the right choice for your business.
What is Azure Active Directory (AD)?
Microsoft has a lot – and we mean a lot – of products. So, in the miasma of everything Microsoft offers, what does Azure Active Directory (AD) do?
We hit up Kyle Ramirez, a Technical Sales Engineer at ITS San Francisco, to walk us through everything you need to know about Azure AD and Azure AD Application Proxy.
Ramirez said, “Azure Active Directory (AD) is an identity provider or IDP. An identity provider is where you keep all of your usernames and their passwords.”
“An IDP,” he explained, “[...] also may have groups [of these users] with a few different security services.”
Microsoft expanded Azure AD to integrate seamlessly into tech environments. It also has multiple sub-services such as Azure AD Connect Health, Azure AD External Identities, Azure AD Password Protection, and – what we’ll take a closer look at in this article – Azure AD Application Proxy.
Read “What is Active Directory, and Why is it Important?”
What is Azure AD Application Proxy?
In the words of Microsoft:
“Azure Active Directory’s Application Proxy provides secure remote access to on-premises web applications.”
Ramirez further clarified that Azure AD’s Application Proxy is like a front door that hides where your actual front door is.
“This is like a security service,” he said. “You’re proxying your connections through Microsoft so people can’t easily detect where your web services are held.”
What are the uses of Azure AD Application Proxy?
Microsoft does its best to have each product do one thing but do it well. It’s the same case with Azure AD Application Proxy. It has one primary use.
“You would use this to hide your web server,” Ramirez said. “Maybe you’re running a web server on-premise, and you don’t want to expose your firewall.”
Instead of setting up a web server the traditional way – opening up ports 80 and 443 to the world and then creating some DNS records that point your hostname directly back to your on-premise environment – you can expose your web server only to Microsoft.
He continued, “So there’s a little agent that will help make that connection [between the user and your web server]. From there, anybody that’s going to your public hostname for your business website will hit Microsoft’s relay. That’s what they will see. But you’re only sending your information to Microsoft.”
“It’s a layer of defense.”
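The two signs of the "traditional way" described above (ports 80 and 443 open to the world, and DNS records pointing straight at the office) can be checked against an inventory. The following is an added example, not code from ITS or Microsoft; the rule format, hostnames, relay name and IP addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample inventory (assumption, not from the article).
# 203.0.113.10 stands in for the office's public IP address.
ONPREM_PUBLIC_IPS = {"203.0.113.10"}
WEB_PORTS = {80, 443}

FIREWALL_RULES = [
    {"name": "legacy-web", "direction": "in", "source": "0.0.0.0/0",
     "port": 443, "action": "allow"},
    {"name": "partner-only", "direction": "in", "source": "198.51.100.0/24",
     "port": 443, "action": "allow"},
    {"name": "connector-out", "direction": "out", "source": "10.0.0.5/32",
     "port": 443, "action": "allow"},
]
DNS_RECORDS = [
    {"host": "intranet.example.com", "type": "A", "value": "203.0.113.10"},
    {"host": "portal.example.com", "type": "CNAME",
     "value": "relay.proxy-provider.example"},  # placeholder relay hostname
]


def world_open_web_rules(rules):
    """Names of inbound allow rules that open 80/443 to any source."""
    findings = []
    for rule in rules:
        if rule["direction"] != "in" or rule["action"] != "allow":
            continue
        source = ipaddress.ip_network(rule["source"])
        # A prefix length of 0 (0.0.0.0/0 or ::/0) means "the whole world".
        if source.prefixlen == 0 and rule["port"] in WEB_PORTS:
            findings.append(rule["name"])
    return findings


def hosts_pointing_on_prem(records, onprem_ips):
    """Public hostnames whose A record leads directly to the office."""
    return [r["host"] for r in records
            if r["type"] == "A" and r["value"] in onprem_ips]


def audit(rules, records, onprem_ips):
    """Combine both checks into one report."""
    return {
        "open_rules": world_open_web_rules(rules),
        "direct_hosts": hosts_pointing_on_prem(records, onprem_ips),
    }
```

An empty result for both keys means no web port is open to the world and no public hostname resolves directly to the on-premise environment.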
What businesses need Azure AD Application Proxy?
Do all businesses need Azure AD Application Proxy? According to Ramirez, the answer is no – not really.
Get Azure AD Application Proxy if you:
- Have on-premise web applications (i.e. RDS, internal website)
- Need to give access to web applications for remote users
Ramirez explained a common situation for businesses that need AD Application Proxy.
“Maybe you host a website for internal use, and you’re trying to make it available remotely,” he said. “In the past, we’ve had clients that had internal web servers, and since they were just serving them on the LAN, they didn’t need to provide a ton of protection.”
But then, in 2020, the COVID-19 pandemic happened. Suddenly, everyone scrambled to get work done remotely – but securely.
“With remote work,” he pointed out, “those applications are still on-premise, but you now have remote workers. An immediate solution is opening up the firewall to allow this traffic. But that’s a door that you don’t always want open.”
“So the alternative is using the Azure AD Application Proxy. You can keep the door on your firewall closed to the world. It’s open only to Microsoft; the world will hit Microsoft before your web application.”
Source: “Remote access to on-premises applications through Azure AD Application Proxy.”
How do you get Azure AD Application Proxy?
You get Azure AD Application Proxy when you get Azure Active Directory.
Unlike Azure AD, there’s only one version of the AD Application Proxy. It’s bundled with the Azure AD Premium P1 and P2 plans.
There are two ways to get Azure AD Premium P1 and P2 plans:
- Purchase it directly from Microsoft
- Purchase it from a Microsoft Partner
However, it’s not a good idea to get Azure AD Premium by itself. Ramirez explained that nobody would go and buy only Azure Active Directory.
Azure AD is helpful because of its integration with the Microsoft digital ecosystem. Buying it alone cripples the program.
“The biggest benefit of Azure Active Directory is how extensible it is,” Ramirez said. (Extensibility is the program’s ability to connect different products and services to your identity provider.)
He continued, “If you are going to run any sort of Windows computing environment, it’s best to stick with Microsoft because of how easily it integrates.”
So when getting Azure AD, a better – and more common – way is buying a Microsoft 365 plan that automatically has Azure AD Premium.
Need Azure AD Application Proxy?
Maybe you’re still unsure if Azure AD Application Proxy is worth implementing in your business. Remember:
- Azure AD Application Proxy serves as an extra door between your on-premise web servers and remote users.
- It blocks off-site users from directly accessing your server firewall.
- It’s useful for business owners with on-premise web apps accessed by remote users.
- Azure AD Application Proxy is bundled with Azure AD Premium P1 and P2 plans.
But that’s the catch. Azure AD Application Proxy is bundled with Microsoft’s other plans, and now you’re faced with choosing the best Microsoft plan for you.
You’re not alone in that struggle. At ITS, we’ve had to help multiple clients get their money’s worth out of the plan they purchase. That way, no money is wasted on features they don’t need.
Before committing to Azure AD Application Proxy, you’ll need to do more research about the other security products it’s best bundled with. One of these products is Microsoft Defender. Read “What is Microsoft Defender for Office 365? (A Beginner’s Guide)” to get started.