1
00:00:00,740 --> 00:00:05,160
Now by contrast, Azure AD Application Proxy does the same thing.

2
00:00:05,160 --> 00:00:08,730
It provides remote access to on‑premises web applications,

3
00:00:08,730 --> 00:00:13,380
but there is no dependency on Active Directory Federation Services,

4
00:00:13,380 --> 00:00:14,580
or ADFS.

5
00:00:14,580 --> 00:00:18,620
The Azure AD Application Proxy runs in the cloud,

6
00:00:18,620 --> 00:00:21,640
it's part of Azure and part of your Azure AD tenant,

7
00:00:21,640 --> 00:00:26,000
and then you install a connector agent that runs on your on‑premises server,

8
00:00:26,000 --> 00:00:30,630
and we don't have any dependencies on a VPN or an ExpressRoute,

9
00:00:30,630 --> 00:00:35,080
in fact, that's one of the value propositions of Azure AD Application Proxy.

10
00:00:35,080 --> 00:00:38,540
You can replace the cost and overhead of a VPN,

11
00:00:38,540 --> 00:00:39,460
and frankly,

12
00:00:39,460 --> 00:00:43,330
the cost and overhead of using Web Application Proxy with

13
00:00:43,330 --> 00:00:47,480
Windows Server, because let's face it, if you've ever set up an ADFS farm,

14
00:00:47,480 --> 00:00:51,000
it's quite a bit of infrastructure, even if you're using virtual machines,

15
00:00:51,000 --> 00:00:55,500
and then there is all of the PKI stuff that you need to do with certificates.

16
00:00:55,500 --> 00:00:59,270
Azure AD does the same thing, but it's so much cleaner.

17
00:00:59,270 --> 00:01:01,740
I'm going to show you this in a demo so you'll see it.

18
00:01:01,740 --> 00:01:01,860
Now,

19
00:01:01,860 --> 00:01:04,800
the concept of pre‑authentication is relevant both

20
00:01:04,800 --> 00:01:10,280
to Azure AD Application Proxy, as well as Windows Server Web Application Proxy.

21
00:01:10,280 --> 00:01:15,270
With this, the idea is let's say you've got an on‑premises API server,

22
00:01:15,270 --> 00:01:18,370
and you need to support connections from over the internet.

23
00:01:18,370 --> 00:01:21,650
You're going to want to pre‑authenticate those connections, obviously.

24
00:01:21,650 --> 00:01:23,700
You're not going to do anonymous auth, are you?

25
00:01:23,700 --> 00:01:28,540
So you will use, by default, Azure AD for pre‑authentication.

26
00:01:28,540 --> 00:01:31,610
Notice I've put Azure AD Connect in parentheses.

27
00:01:31,610 --> 00:01:35,940
This is, in the real world, what you'll do to set up hybrid identity.

28
00:01:35,940 --> 00:01:41,320
So if you want your users to sign in to your local on‑premises apps

29
00:01:41,320 --> 00:01:44,340
from over the internet using familiar credentials,

30
00:01:44,340 --> 00:01:47,500
you would set up Azure AD Connect to replicate local

31
00:01:47,500 --> 00:01:50,140
Active Directory credentials into Azure AD,

32
00:01:50,140 --> 00:01:53,420
and then instruct the user to access the app when they're out

33
00:01:53,420 --> 00:01:55,660
on the internet using those credentials,

34
00:01:55,660 --> 00:01:59,070
that is, using their local AD credentials that are not

35
00:01:59,070 --> 00:02:01,930
coincidentally synchronized into Azure AD.

36
00:02:01,930 --> 00:02:05,270
So Azure AD is providing the pre‑authentication,

37
00:02:05,270 --> 00:02:08,070
just like when you're using Web Application Proxy,

38
00:02:08,070 --> 00:02:10,730
ADFS is doing the pre‑authentication.

39
00:02:10,730 --> 00:02:15,280
Now, you can do a passthrough with both Azure AD Application Proxy,

40
00:02:15,280 --> 00:02:18,190
as well as Windows Server Web Application Proxy,

41
00:02:18,190 --> 00:02:21,200
and that's where there is no pre‑auth, where the connection goes

42
00:02:21,200 --> 00:02:23,780
straight back to the backend application,

43
00:02:23,780 --> 00:02:28,460
and then it's up to you to implement authentication in the application itself.

44
00:02:28,460 --> 00:02:29,230
I've got to tell you,

45
00:02:29,230 --> 00:02:33,950
it's super convenient that Azure AD can layer in that pre‑authentication

46
00:02:33,950 --> 00:02:38,770
because it unlocks capabilities that you're already paying for, like conditional

47
00:02:38,770 --> 00:02:42,430
access policies and Azure multi‑factor authentication,

48
00:02:42,430 --> 00:02:50,000
so you can really do lots of security layers when you're exposing internal apps like this to the internet.