Azure AD SSO for internal applications access

  • Question

  • I want to use Azure AD SSO to grant SSO access to internal applications, but access from internal corporate users, not remotely. I understand Application Proxy can be used to grant remote access to internal applications with SSO, but I read that it is not recommended to use Application Proxy for internal access. What is the best solution to use Azure SSO if I want to grant internal users internal access to on-premises applications with SSO (examples would be password-based or SAML applications that are accessed only by users from the corporate network)?

    thank you


    MM

    Tuesday, June 18, 2019 9:14 AM


All replies

  • I understand Application Proxy can be used to grant remote access to internal applications with SSO, but I read that it is not recommended to use Application Proxy for internal access.

    The challenge with Azure AD authentication to internal applications, services and systems is a dependency on Internet access to reach these resources, even when accessing them from the internal network. Typically, we see organizations choose between:

    • Implement multiple Internet connections and failover mechanisms between these connections to minimize the likelihood of getting into a situation of not having organization-managed Internet access.
    • Switch their user base over to using 3G/4G/5G connections temporarily when the organization's Internet connection is unavailable. (Only applicable to organizations not using AD FS or PTA as their authentication method.)


    What is the best solution to use Azure SSO if I want to grant internal users internal access to on-premises applications with SSO (examples would be password-based or SAML applications that are accessed only by users from the corporate network)?

    The best way to achieve this is to tackle the Internet connectivity challenge first. Password Hash Synchronization (PHS) might be the best fit as the authentication method when you have connected your on-premises Active Directory to Azure AD. Create a break-glass approach for privileged access and implement it.

    In Conditional Access define named locations for the external IP address(es) of your organization and define access to the applications only from these addresses. In the event of a total loss of Internet connectivity, make the decision to remove the location condition (and allow access from everywhere not just the corporate location) or not, based on business needs or urgency.

    The beauty of Conditional Access is that when the organization's needs change, you can apply new sets of conditions, like require multi-factor authentication, read-only access to SharePoint sites when abroad or access only from domain-joined devices.

    Wednesday, June 19, 2019 5:35 AM
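    As an added illustration (not code from this thread or from Microsoft), this is the named-location plus Conditional Access policy described in the reply above, expressed with the Microsoft Graph PowerShell SDK (the `Microsoft.Graph` module). The egress IP ranges, display names and the break-glass group object id are constructed placeholders. The policy is created in report-only mode so the sign-in logs show what it would have blocked before anyone enforces it, and the break-glass group is excluded so a mistake in the location condition cannot lock out privileged access.

```powershell
# Added example: corporate named location + "block app access from outside corporate IPs"
# via Microsoft Graph PowerShell. Not from the thread. Requires the Microsoft.Graph module
# and a Conditional Access administrator; run as one script from an admin workstation.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Constructed placeholders: replace with your real egress ranges and break-glass group id.
$CorporateEgress = @("203.0.113.0/24", "198.51.100.10/32")   # RFC 5737 documentation ranges
$BreakGlassGroup = "<object-id-of-break-glass-group>"        # never subject to this policy

function New-CorporateNamedLocation {
    param([string]$Name, [string[]]$Cidrs)
    $body = @{
        "@odata.type" = "#microsoft.graph.ipNamedLocation"
        displayName   = $Name
        isTrusted     = $true      # lets other policies refer to "all trusted locations"
        ipRanges      = @($Cidrs | ForEach-Object {
            @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
        })
    }
    New-MgIdentityConditionalAccessNamedLocation -BodyParameter $body
}

function New-BlockOutsideCorporatePolicy {
    param([string]$NamedLocationId, [string]$ExcludedGroupId)
    $body = @{
        displayName   = "Block app access from outside corporate network"
        # Report-only first: the sign-in log records the would-be result, nothing is blocked yet.
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            applications = @{ includeApplications = @("All") }
            users        = @{ includeUsers = @("All"); excludeGroups = @($ExcludedGroupId) }
            # "All locations except the corporate egress" is what gets blocked.
            locations    = @{ includeLocations = @("All"); excludeLocations = @($NamedLocationId) }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# The "total loss of Internet connectivity" decision from the reply: switching the policy
# off (and back on) is the reversible, audited way to drop the location restriction.
function Set-PolicyState {
    param(
        [string]$PolicyId,
        [ValidateSet("enabled", "disabled", "enabledForReportingButNotEnforced")][string]$State
    )
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter @{ state = $State }
}

$location = New-CorporateNamedLocation -Name "Corporate egress" -Cidrs $CorporateEgress
$policy   = New-BlockOutsideCorporatePolicy -NamedLocationId $location.Id -ExcludedGroupId $BreakGlassGroup
# After reviewing the report-only results in the sign-in logs, enforce it:
# Set-PolicyState -PolicyId $policy.Id -State "enabled"
```

    Users reaching an Application Proxy URL from inside the building egress through the corporate IP, so they match the named location just as the reply describes; remote users fall into the blocked set unless a later policy (MFA, compliant device) grants them access instead.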
  • Thank you for your answer.

    There is no big concern about Internet connectivity since there is a backup connection and already a lot of services are on the cloud.

    However, I am not sure I got it for password hash synchronization; this would not give me SSO. The purpose is that whatever on-premises web application an internal user opens, he is not prompted to authenticate, even if the application is not AD integrated. We were able to achieve this for external users using Azure AD SSO and Application Proxy, but how to support the internal users?


    MM

    Wednesday, June 19, 2019 6:51 AM
  • However, I am not sure I got it for password hash synchronization; this would not give me SSO.

    Indeed, to get Single Sign-on functionality with Password Hash Synchronization (PHS), combine it with the Seamless Single Sign-on (3SO) feature.

    We were able to achieve this for external users using Azure AD SSO and Application Proxy, but how to support the internal users?

    In your envisioned implementation, you will treat internal users and external users the same. The popular saying within Microsoft to describe this is 'identity is the perimeter, not the firewall'. Simply provide the same URLs to internal users as you would to the external users (you can have vanity URLs for Azure AD App Proxied apps). This will redirect them to Azure AD authentication, which is what you want to happen.

    Thursday, June 20, 2019 10:56 AM
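    An added example, not from the thread or from Microsoft, of what makes the PHS plus Seamless SSO combination above actually silent for an internal user: the browser has to treat the Seamless SSO endpoint (`https://autologon.microsoftazuread-sso.com`) as Local intranet so it sends the Kerberos ticket without prompting, and the workstation has to be domain joined with line of sight to a domain controller. The script writes the per-user ZoneMap registry equivalent of the "Site to Zone Assignment List" Group Policy setting and then reports the prerequisites. The `AZUREADSSOACC` check assumes the RSAT `ActiveDirectory` module is installed; everything else is built-in PowerShell.

```powershell
# Added example (not from the thread): place the Seamless SSO endpoint in the Local intranet
# zone for the current user and verify the domain-join prerequisites. A production rollout
# uses Group Policy; the ZoneMap form below is the per-user equivalent and needs no reboot.

$SsoHost  = "microsoftazuread-sso.com"   # endpoint is https://autologon.microsoftazuread-sso.com
$SsoLabel = "autologon"
$ZoneMap  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
$Intranet = 1                             # zone 1 = Local intranet: Kerberos is sent silently

function Get-SsoZoneKey {
    Join-Path (Join-Path $ZoneMap $SsoHost) $SsoLabel
}

function Set-SeamlessSsoIntranetZone {
    $key = Get-SsoZoneKey
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Value name is the scheme, data is the zone number.
    New-ItemProperty -Path $key -Name "https" -Value $Intranet -PropertyType DWord -Force | Out-Null
}

function Test-SeamlessSsoIntranetZone {
    $key = Get-SsoZoneKey
    if (-not (Test-Path $key)) { return $false }
    $prop = Get-ItemProperty -Path $key -Name "https" -ErrorAction SilentlyContinue
    return ($null -ne $prop) -and ($prop.https -eq $Intranet)
}

# Seamless SSO needs a domain-joined machine that can reach a DC; AZUREADSSOACC is the
# computer account Azure AD Connect creates in AD when the feature is enabled.
function Test-SeamlessSsoPrerequisites {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $ssoAccount = $null
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $ssoAccount = Get-ADComputer -Filter 'Name -eq "AZUREADSSOACC"' -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        DomainJoined     = [bool]$cs.PartOfDomain
        DomainName       = $cs.Domain
        SsoAccountExists = [bool]$ssoAccount      # $false also when the AD module is missing
        IntranetZoneSet  = Test-SeamlessSsoIntranetZone
    }
}

Set-SeamlessSsoIntranetZone
Test-SeamlessSsoPrerequisites
```

    If any field comes back `False`, the user will still sign in successfully but will see a password prompt, which is the symptom behind "PHS does not give me SSO". Chrome and Edge on Windows honour the same intranet zone; Firefox keeps its own Kerberos allow list (`network.negotiate-auth.trusted-uris`) and has to be configured separately.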
  • However, I am not sure I got it for password hash synchronization; this would not give me SSO.

    Indeed, to get Single Sign-on functionality with Password Hash Synchronization (PHS), combine it with the Seamless Single Sign-on (3SO) feature.

    We were able to achieve this for external users using Azure AD SSO and Application Proxy, but how to support the internal users?

    In your envisioned implementation, you will treat internal users and external users the same. The popular saying within Microsoft to describe this is 'identity is the perimeter, not the firewall'. Simply provide the same URLs to internal users as you would to the external users (you can have vanity URLs for Azure AD App Proxied apps). This will redirect them to Azure AD authentication, which is what you want to happen.

    This is what I wanted to make sure: that I can provide my internal users with external URLs and they would be proxied from outside. So it works!

    thank you


    MM

    • Marked as answer by KhouM Friday, June 28, 2019 5:23 PM
    Friday, June 21, 2019 3:32 PM
  • I'm following up on this; please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions.

    Thanks!

    Thursday, June 27, 2019 9:22 PM
  • Best solution: use ADFS. You will have more flexibility.
    Friday, June 28, 2019 11:47 AM
  • So I would use ADFS for internal and AAD for external? The problem with ADFS is that it will not support password-based SSO!

    MM

    Friday, June 28, 2019 5:25 PM