1
00:00:00,840 --> 00:00:01,550
In this demonstration,

2
00:00:01,550 --> 00:00:06,500
we'll take a look at Azure AD Application Proxy and the Azure Relay Service,

3
00:00:06,500 --> 00:00:08,090
particularly hybrid connections.

4
00:00:08,090 --> 00:00:10,920
So starting with Azure AD Application Proxy,

5
00:00:10,920 --> 00:00:13,620
you're looking at the desktop of one of my local servers.

6
00:00:13,620 --> 00:00:16,390
It's a domain member server named localhyperv.

7
00:00:16,390 --> 00:00:18,520
I've installed IIS on this machine.

8
00:00:18,520 --> 00:00:20,860
Not worried about certificates in this example,

9
00:00:20,860 --> 00:00:25,040
as you're going to see that Azure can take over the TLS for you

10
00:00:25,040 --> 00:00:27,210
if you're willing to trust Microsoft's cert.

11
00:00:27,210 --> 00:00:28,040
But notice here,

12
00:00:28,040 --> 00:00:32,340
it's just the standard Internet Information Services splash at localhost,

13
00:00:32,340 --> 00:00:36,630
and I just added some custom text here as a proof of concept to

14
00:00:36,630 --> 00:00:39,290
make sure that once we complete the configuration,

15
00:00:39,290 --> 00:00:42,160
we're able to load this page from over the internet.

16
00:00:42,160 --> 00:00:45,830
So the use case is you have an internal service or app,

17
00:00:45,830 --> 00:00:47,790
a web app or an API basically,

18
00:00:47,790 --> 00:00:50,930
that's got no direct connection to the internet itself,

19
00:00:50,930 --> 00:00:56,320
and we're going to use Azure AD Application Proxy to facilitate that connection.

20
00:00:56,320 --> 00:01:00,450
So, let's go over to the portal here and let's go into Azure Active Directory.

21
00:01:00,450 --> 00:01:04,210
Now note that you have to be running Azure AD Premium

22
00:01:04,210 --> 00:01:07,350
P1 or P2 to use this capability.

23
00:01:07,350 --> 00:01:10,920
Right here, you can see I'm licensed for P2, so I have everything.
24
00:01:10,920 --> 00:01:15,360
And that makes sense because, as I mentioned in the theory part of this lesson,

25
00:01:15,360 --> 00:01:19,440
one of the value propositions of Azure AD Application Proxy

26
00:01:19,440 --> 00:01:21,910
is the preauthentication with Azure AD.

27
00:01:21,910 --> 00:01:26,460
And you can optionally layer in things, or features or technologies,

28
00:01:26,460 --> 00:01:31,720
like Azure AD Identity Protection, Azure AD Conditional Access policies,

29
00:01:31,720 --> 00:01:33,910
and Azure MFA as well.

30
00:01:33,910 --> 00:01:38,370
And all of that's going to require Azure AD Premium licensing as well.

31
00:01:38,370 --> 00:01:40,560
So here we have what's called a connector.

32
00:01:40,560 --> 00:01:41,590
And as this says,

33
00:01:41,590 --> 00:01:45,020
a connector creates a secure communication channel

34
00:01:45,020 --> 00:01:47,230
between your on‑premises network and Azure.

35
00:01:47,230 --> 00:01:51,000
And I've got a localmem server that's got one of those created.

36
00:01:51,000 --> 00:01:53,810
And note that you can create multiple connectors for

37
00:01:53,810 --> 00:01:56,440
redundancy and put them into connector groups.

38
00:01:56,440 --> 00:01:59,320
So what we want to do here is download the connector

39
00:01:59,320 --> 00:02:02,170
service agent onto my local system here.

40
00:02:02,170 --> 00:02:04,890
I'm going to accept the terms and download that package,

41
00:02:04,890 --> 00:02:08,230
and we're going to run that installer in place because

42
00:02:08,230 --> 00:02:10,150
I'm already on the target server.

43
00:02:10,150 --> 00:02:13,930
This is the Azure Active Directory Application Proxy connector.

44
00:02:13,930 --> 00:02:15,750
I'm going to agree to the license terms,

45
00:02:15,750 --> 00:02:20,240
and we're just essentially doing a Next/Next/Finish type installation.
46
00:02:20,240 --> 00:02:20,630
All right,

47
00:02:20,630 --> 00:02:24,830
so we're signing in to our subscription with an administrative credential.

48
00:02:24,830 --> 00:02:26,950
All right, good deal. Setup successful.

49
00:02:26,950 --> 00:02:30,090
So now that we've got the agent installed on my machine,

50
00:02:30,090 --> 00:02:33,490
we can configure an app, so let's click Configure an app.

51
00:02:33,490 --> 00:02:39,250
The display name for our new application, I'm going to call this hyperv‑app.

52
00:02:39,250 --> 00:02:41,040
I know that's not very creative.

53
00:02:41,040 --> 00:02:44,750
Now the internal URL is how someone on the local area

54
00:02:44,750 --> 00:02:48,540
network would get to that resource, and this is really low tech,

55
00:02:48,540 --> 00:02:51,090
as you can see, http://localhost.

56
00:02:51,090 --> 00:02:53,270
Now I'd mentioned about the certificate issue.

57
00:02:53,270 --> 00:02:57,150
Notice here that the external URL is going to map under

58
00:02:57,150 --> 00:03:00,400
Microsoft's msappproxy.net domain.

59
00:03:00,400 --> 00:03:04,450
And I would imagine you could alias this or you could use a custom domain.

60
00:03:04,450 --> 00:03:06,820
I would suggest you look at the exercise files.

61
00:03:06,820 --> 00:03:09,510
I'm going to do the same thing after I finish this demo

62
00:03:09,510 --> 00:03:11,590
because if I was implementing this today,

63
00:03:11,590 --> 00:03:14,560
I would want to use a custom domain and make sure that I've

64
00:03:14,560 --> 00:03:17,490
got my certificate and an HTTPS binding.

65
00:03:17,490 --> 00:03:19,870
So it looks like it's going to be set up under

66
00:03:19,870 --> 00:03:24,390
https://hypervapp, let me get rid of that dash, ‑timwinfo,

67
00:03:24,390 --> 00:03:27,420
that's my tenant name, msappproxy.net.

68
00:03:27,420 --> 00:03:31,670
Let me put that on my other monitor so I have that URL easy.
69
00:03:31,670 --> 00:03:33,880
As far as preauthentication, like I said,

70
00:03:33,880 --> 00:03:37,620
the default is to authenticate all connections using Azure AD,

71
00:03:37,620 --> 00:03:40,340
but you could pass through directly to the app.

72
00:03:40,340 --> 00:03:41,430
That's less secure.

73
00:03:41,430 --> 00:03:42,870
I'm not going to choose that option.

74
00:03:42,870 --> 00:03:45,950
And our Connector Group, I just have the one Default one.

75
00:03:45,950 --> 00:03:48,550
You've got some settings down here, as far as cookies,

76
00:03:48,550 --> 00:03:51,730
Use HTTP‑Only Cookie, Use a Secure Cookie,

77
00:03:51,730 --> 00:03:54,340
Use a Persistent Cookie, Translate URLs.

78
00:03:54,340 --> 00:03:56,030
Once you're finished with your settings,

79
00:03:56,030 --> 00:03:59,780
we can Add to create that new application definition

80
00:03:59,780 --> 00:04:01,210
in the default connector group.

81
00:04:01,210 --> 00:04:03,750
Now it looks like it raised an error because I'm

82
00:04:03,750 --> 00:04:05,890
already using the same internal URL.

83
00:04:05,890 --> 00:04:06,700
That makes sense.

84
00:04:06,700 --> 00:04:10,360
I should have remembered that, but let's actually go back to Configure an app,

85
00:04:10,360 --> 00:04:12,840
and let's do this again, localhyperv1app.

86
00:04:12,840 --> 00:04:18,770
The Internal URL, this time I'm going to use the hostname of the server,

87
00:04:18,770 --> 00:04:21,080
http://localhyperv1.

88
00:04:21,080 --> 00:04:21,800
Okay, good.

89
00:04:21,800 --> 00:04:25,280
So let me copy the URL to my clipboard on my other monitor.

90
00:04:25,280 --> 00:04:26,940
We'll leave everything alone here.

91
00:04:26,940 --> 00:04:27,690
So actually,

92
00:04:27,690 --> 00:04:33,140
I customized the cookies because I'm not messing with HTTPS yet at this point.
93
00:04:33,140 --> 00:04:35,830
So let's wait for this process to complete successfully,

94
00:04:35,830 --> 00:04:39,010
and in the meantime let me dismiss completed tasks.

95
00:04:39,010 --> 00:04:39,740
Good deal.

96
00:04:39,740 --> 00:04:41,720
That one was created successfully.

97
00:04:41,720 --> 00:04:44,070
So, unfortunately, there's not an OK here.

98
00:04:44,070 --> 00:04:46,330
We just have to hit X to come out here.

99
00:04:46,330 --> 00:04:50,960
And let's do a hard refresh, and hopefully the interface will update accordingly.

100
00:04:50,960 --> 00:04:51,770
Yes, okay.

101
00:04:51,770 --> 00:04:54,010
So now we have two references.

102
00:04:54,010 --> 00:04:59,320
Now because these machines are being NAT'd behind the same public IP,

103
00:04:59,320 --> 00:05:03,010
that's why I ran into that error with the same internal hostname

104
00:05:03,010 --> 00:05:07,660
because how could you possibly come in on that public IP on the same

105
00:05:07,660 --> 00:05:10,560
internal URL and expect differentiation?

106
00:05:10,560 --> 00:05:12,750
So I probably should have seen that to begin with.

107
00:05:12,750 --> 00:05:14,870
Okay, so to finish our configuration,

108
00:05:14,870 --> 00:05:20,680
we can't just expect to go directly to that msappproxy.net because

109
00:05:20,680 --> 00:05:23,680
we have to assign this application to users.

110
00:05:23,680 --> 00:05:27,230
And the way we do that is we go to Enterprise applications,

111
00:05:27,230 --> 00:05:30,590
and let me reverse sort here to get that resource.

112
00:05:30,590 --> 00:05:35,430
So this is the Azure service principal that represents that proxied app,

113
00:05:35,430 --> 00:05:36,760
so let me click it.

114
00:05:36,760 --> 00:05:39,490
And what we're going to need to do, I'm going to designate an owner,

115
00:05:39,490 --> 00:05:43,700
first of all, somebody that's going to have management on the entire application.
116
00:05:43,700 --> 00:05:46,740
I'm already a directory administrator, so I'm good.

117
00:05:46,740 --> 00:05:50,600
But let's say that my colleague, Adee, should also be an application owner.

118
00:05:50,600 --> 00:05:53,360
So that would give her full ability to manage the

119
00:05:53,360 --> 00:05:55,550
configuration of this registered app.

120
00:05:55,550 --> 00:05:59,150
But I specifically want to go to Users and groups and assign at

121
00:05:59,150 --> 00:06:02,310
least myself this app because this is how we're going to

122
00:06:02,310 --> 00:06:04,820
instruct our users to get to the app.

123
00:06:04,820 --> 00:06:08,070
So I'm going to bring in Tim, of course, the manager of the app.

124
00:06:08,070 --> 00:06:10,410
Adee is going to need to come in here as well. And

125
00:06:10,410 --> 00:06:11,870
let's complete that assignment.

126
00:06:11,870 --> 00:06:15,870
So this is a common workflow when you're configuring single sign‑on

127
00:06:15,870 --> 00:06:18,550
for Azure AD‑backed applications in your directory.

128
00:06:18,550 --> 00:06:20,310
You assign them to users.

129
00:06:20,310 --> 00:06:22,070
And then as this banner says,

130
00:06:22,070 --> 00:06:25,650
The application will appear for assigned users within My Apps.

131
00:06:25,650 --> 00:06:26,470
What is My Apps?

132
00:06:26,470 --> 00:06:29,520
Hopefully you know, but if you don't, what My Apps is,

133
00:06:29,520 --> 00:06:34,020
it's Microsoft's single sign‑on portal for Azure Active Directory.

134
00:06:34,020 --> 00:06:36,910
The well‑known DNS is myapplications.microsoft.com.

135
00:06:36,910 --> 00:06:40,020
And it's an authenticated portal,

136
00:06:40,020 --> 00:06:44,300
so we're going to have to come in being authenticated by Azure AD and again,

137
00:06:44,300 --> 00:06:46,920
conditional access, all of those rules apply.

138
00:06:46,920 --> 00:06:48,960
This is what the My Apps portal looks like.
139
00:06:48,960 --> 00:06:53,310
And any Microsoft 365 apps that the user is licensed for,

140
00:06:53,310 --> 00:06:55,740
as you can see I've got Excel, will show up here,

141
00:06:55,740 --> 00:06:58,300
as well as line‑of‑business apps that you've developed,

142
00:06:58,300 --> 00:07:01,890
like I've got this AZ‑104 practice app, third‑party

143
00:07:01,890 --> 00:07:05,550
apps that use Azure as a back end, you can register those,

144
00:07:05,550 --> 00:07:07,860
like I've got Alpaqa Studio for Cosmos.

145
00:07:07,860 --> 00:07:11,430
And then, lastly, you can see I haven't customized the icon yet,

146
00:07:11,430 --> 00:07:15,140
but notice that I've got Hyper‑V, or localhyperv app,

147
00:07:15,140 --> 00:07:17,610
in my My Apps list, so let's give that a click.

148
00:07:17,610 --> 00:07:23,010
We've preauthenticated, and so it brings us here on our msappproxy.net,

149
00:07:23,010 --> 00:07:30,000
HTTPS connection, and we're seeing the Internet Information Services page. Good enough, huh?