
Granting Guest or Partner users access to your on-premises apps

In the past, granting guest or partner users access to on-premises applications required a complicated setup with considerable management overhead: forest trusts, VPN access, and guest or partner accounts that had to be created and maintained in the local Active Directory.

Fortunately, that is in the past.

Nowadays we can grant guest or partner users access to applications hosted on-premises or in the cloud. How is that done? Simple: using Azure AD B2B collaboration together with Azure AD Application Proxy. The exact steps depend on how the application authenticates its users:

  • For apps that use SAML-based authentication:
    • Integrate the SAML app by using the non-gallery application template, as described in Configuring single sign-on to applications that are not in the Azure Active Directory application gallery. Make a note of the value you use for the Sign-on URL; it must match the External URL you configure in Application Proxy below.
    • Use Azure AD Application Proxy to publish the on-premises app, with Azure Active Directory configured as the pre-authentication source. The high-level steps are:
      1. Install the Application Proxy connector (see Get started with Application Proxy) on a server that can reach the internal application.
      2. In the Azure portal, go to Azure Active Directory -> Enterprise Applications -> Overview, then click + New Application.
      3. Click On-Premises Application.
      4. Provide the following information for the application:

        Name: The name that will show on the access panel and in the Azure portal.
        Internal URL: The URL that you use to access the application from inside your private network.
        External URL: The address your users will go to in order to access the app from outside your network (for a SAML app, the same value as the Sign-on URL noted above).
        Pre Authentication: How Application Proxy verifies users before passing the request on to your application: Azure Active Directory (default) or Passthrough. Keep Azure Active Directory for guest access; Passthrough forwards unauthenticated internet traffic straight to the internal app and leaves authentication entirely to it. Multi-factor authentication is enforced on top of Azure AD pre-authentication with a Conditional Access policy on the app.
        Connector Group: Connectors process the remote access to your application, and connector groups help you organize connectors and apps by region, network, or purpose.
      5. Assign the guest users (or a group containing them) to the application. With Azure AD pre-authentication, only assigned users get past the proxy.
  • For apps that use Integrated Windows Authentication (IWA) with Kerberos constrained delegation (KCD): Azure AD Application Proxy still handles pre-authentication, but the connector then obtains a Kerberos ticket on the user's behalf, so for authorization to work a matching user object is required in the on-premises Windows Server Active Directory. There are two methods you can use to create local user objects that represent your B2B guest users:
    • You can use Microsoft Identity Manager (MIM) 2016 SP1 and the MIM management agent for Microsoft Graph.
    • You can use a PowerShell script. (This solution does not require MIM.)
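The following script is an added example, not the original post's or Microsoft's code. It does from PowerShell what the portal steps above describe (publish the app with Azure AD pre-authentication and assign the B2B guests) and then covers the second KCD method: creating shadow user objects in on-premises AD, one per guest. It assumes the AzureADPreview module (Connect-AzureAD, New-AzureADApplicationProxyApplication, Get-AzureADUser, New-AzureADUserAppRoleAssignment) and the ActiveDirectory RSAT module are installed, that a connector is already running in a connector group named "Perth", that an OU for shadow accounts exists, and that the on-premises UPN of a shadow account mirrors the guest's Azure AD UPN (the `user_partner.com#EXT#@tenant.onmicrosoft.com` form); verify that mapping against your own tenant's documentation before relying on it. All names, URLs, OUs and UPNs are made up for illustration.

```powershell
# Added example (not from the original post). See the lead-in for assumptions.
Import-Module AzureADPreview
Import-Module ActiveDirectory
Connect-AzureAD | Out-Null

# --- 1. Publish the on-premises app (portal steps 2-4) ---
$groupName = 'Perth'   # assumed connector group name
$group = Get-AzureADApplicationProxyConnectorGroup | Where-Object { $_.Name -eq $groupName }
if (-not $group) { throw "Connector group '$groupName' not found; install a connector first (step 1)." }

$appParams = @{
    DisplayName                = 'Timesheets'                                 # assumed
    InternalUrl                = 'https://timesheets.corp.contoso.local/'     # assumed
    ExternalUrl                = 'https://timesheets-contoso.msappproxy.net/' # assumed
    # Keep Azure AD pre-authentication. 'Passthru' would hand anonymous internet
    # traffic straight to the internal app and leave authentication entirely to it.
    ExternalAuthenticationType = 'AadPreAuthentication'
    ConnectorGroupId           = $group.Id
}
$app = New-AzureADApplicationProxyApplication @appParams

# --- 2. Assign the B2B guests (portal step 5); only assigned users pass pre-authentication ---
$sp     = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
$guests = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true
foreach ($g in $guests) {
    # [Guid]::Empty is the default app role; an assignment that already exists is skipped.
    New-AzureADUserAppRoleAssignment -ObjectId $g.ObjectId -PrincipalId $g.ObjectId `
        -ResourceId $sp.ObjectId -Id ([Guid]::Empty) -ErrorAction SilentlyContinue | Out-Null
}

# --- 3. KCD only: shadow user objects in on-premises AD, one per guest ---
# Assumed mapping: the on-premises UPN mirrors the guest's Azure AD UPN, e.g.
# jdoe_partner.com#EXT#@contoso.onmicrosoft.com, because that is the name the
# connector requests a Kerberos ticket for.
$shadowOu = 'OU=B2B-Guests,DC=corp,DC=contoso,DC=local'   # assumed, must already exist
$forest   = Get-ADForest
$suffixes = @($forest.UPNSuffixes) + @($forest.Domains)     # UPN suffixes AD will accept
$rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()

foreach ($g in $guests) {
    $upn    = $g.UserPrincipalName
    $suffix = $upn.Split('@')[-1]
    if ($suffixes -notcontains $suffix) {
        # A UPN whose suffix is not registered in the forest cannot be set; register it first.
        Write-Warning "UPN suffix '$suffix' is not registered in the forest; skipping $upn"
        continue
    }
    if (Get-ADUser -Filter "userPrincipalName -eq '$upn'") { continue }   # already provisioned

    # sAMAccountName derived from the local part, within the 20-character cap.
    $sam = ($upn.Split('#')[0] -replace '[^A-Za-z0-9_.-]', '_')
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # Nobody should ever log on to a shadow account with a password: give it a random
    # 256-bit one that is discarded immediately, and forbid password changes.
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName $upn `
        -DisplayName "B2B guest: $($g.DisplayName)" `
        -Description "Shadow account for Azure AD B2B guest $($g.ObjectId)" `
        -Path $shadowOu -AccountPassword $pw -Enabled $true `
        -CannotChangePassword $true -PasswordNeverExpires $true
}

# --- 4. Disable shadow accounts whose guest no longer exists in Azure AD ---
# Orphaned shadow accounts are the classic leftover of a B2B deployment; keep the
# on-premises side in step with the tenant on every run.
$live = @($guests.UserPrincipalName)
Get-ADUser -SearchBase $shadowOu -Filter * |
    Where-Object { $_.Enabled -and ($live -notcontains $_.UserPrincipalName) } |
    ForEach-Object {
        Disable-ADAccount -Identity $_
        Write-Output "Disabled orphaned shadow account $($_.UserPrincipalName)"
    }
```

Run it as a scheduled task from a host that is both joined to the domain and allowed to call Azure AD, and keep the shadow OU out of any group or GPO that grants rights beyond what the published application itself needs: the accounts exist only so that the connector can request a Kerberos ticket for the guest, and nothing else should ever use them.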


For more information on Publishing applications with Application Proxy see https://docs.microsoft.com/en-au/azure/active-directory/manage-apps/application-proxy-publish-azure-portal

Categories: Cloud
