Most people go to MyApps to see all of the SaaS apps configured for them.

However, even non-SaaS apps, including internal web apps and APIs, can be hosted on MyApps.

This magic happens by exposing internal apps via Azure App Proxy. There are two components: one part that runs in AAD, and a connector (proxy) that sits on premises.

The on-premises connector does not just relay requests; it can also perform additional authentication (in addition to the AAD user authentication). This may be in the form of username / password or Windows Integrated Auth (Kerberos) for internal apps.

The important thing to understand is that MyApps isn’t just for SaaS apps. Any internal app can be exposed via the AD Connector Proxy in this manner.

How does authentication to the app itself work?

This can be done with applications that support Kerberos Constrained Delegation (KCD) or SAML. It can also support password vaulting – storing an ID and password for an application securely in Azure.

Doesn’t exposing the app in this manner make it less secure?

Not so. AAD applications automatically get abilities such as SSO, MFA and Conditional Access (a powerful way to restrict access). These are available to the AAD app without making any modifications to the original application itself.
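These protections are enforced at the proxy only when the published app uses Azure AD pre-authentication; in passthrough mode, requests reach the connector without an AAD sign-in. The check below is an added example (not code from this post): it audits exported App Proxy settings, assuming each record carries the Microsoft Graph (beta) `onPremisesPublishing` properties; the app names and URLs are constructed.

```python
# Added example: audit App Proxy publishing settings exported from Microsoft Graph.
# Assumption: property names follow the Graph (beta) onPremisesPublishing resource.
# The records below are constructed sample data, not real tenant output.
SAMPLE_APPS = [
    {"displayName": "intranet-wiki", "onPremisesPublishing": {
        "externalUrl": "https://wiki-contoso.msappproxy.net/",
        "internalUrl": "https://wiki.corp.example/",
        "externalAuthenticationType": "aadPreAuthentication",
        "singleSignOnSettings": {
            "singleSignOnMode": "onPremisesKerberos",
            "kerberosSignOnSettings": {
                "kerberosServicePrincipalName": "HTTP/wiki.corp.example"}}}},
    {"displayName": "legacy-hr", "onPremisesPublishing": {
        "externalUrl": "https://hr-contoso.msappproxy.net/",
        "internalUrl": "http://hr01.corp.example/",
        "externalAuthenticationType": "passthru",
        "singleSignOnSettings": {"singleSignOnMode": "none"}}},
    {"displayName": "timesheets", "onPremisesPublishing": {
        "externalUrl": "https://time-contoso.msappproxy.net/",
        "internalUrl": "https://time.corp.example/",
        "externalAuthenticationType": "aadPreAuthentication",
        "singleSignOnSettings": {"singleSignOnMode": "onPremisesKerberos",
                                 "kerberosSignOnSettings": {}}}},
]

def audit_app(app):
    """Return a list of findings for one published application."""
    pub = app.get("onPremisesPublishing") or {}
    findings = []
    # Passthrough skips the AAD sign-in, so MFA / Conditional Access never run.
    if pub.get("externalAuthenticationType") != "aadPreAuthentication":
        findings.append("no AAD pre-authentication at the proxy")
    # Connector-to-backend hop in clear text on the internal network.
    if str(pub.get("internalUrl", "")).lower().startswith("http://"):
        findings.append("backend reached over plain HTTP")
    # KCD needs the SPN of the internal app to request a Kerberos ticket.
    sso = pub.get("singleSignOnSettings") or {}
    if sso.get("singleSignOnMode") == "onPremisesKerberos":
        kcd = sso.get("kerberosSignOnSettings") or {}
        if not kcd.get("kerberosServicePrincipalName"):
            findings.append("KCD selected but no service principal name set")
    return findings

def audit(apps):
    """Map display name -> findings, keeping only apps that have any."""
    report = {a["displayName"]: audit_app(a) for a in apps}
    return {name: f for name, f in report.items() if f}
```
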
