My GitHub repo is a demo implementation of the hybrid cloud to on-premises setup for Azure AD App Proxy.
In general, follow the instructions for setting up Azure AD App Proxy.
You will also need to follow the instructions for sharing a B2B user into your tenant, then creating a shadow ID for them in your local AD domain. You will then need to configure Kerberos Constrained Delegation support as defined in this link for the web application.
If successful, when logging into the website URL from the Azure portal, you will be prompted to sign-in with your B2B Azure AD account, then will be signed in with Integrated Windows Authentication on the local AD domain. You will see that the ID that you are logged in with on the website is the local AD ID, not your Azure AD ID directly.
Here are some additional tips.
Local AD domain-joined web app server using Integrated Windows Authentication
- Create an Service Principal Name (SPN) for your web application. Since the web app is running as the default ApplicationPoolIdentity, this means your SPN should be set to the machine name.
setspn -R HTTP/vmb2ctenantussd.b2btenant.com vmb2ctenantussdVerify existence of SPN.
setspn -Q HTTP/vmb2ctenantussd.b2btenant.comShould result in something like the following.
Checking domain DC=b2btenant,DC=com CN=vmb2ctenantussd,OU=Domain Controllers,DC=b2btenant,DC=com HTTP/vmb2ctenantussd.b2btenant.com
- Make sure the account that your App Proxy runs under is added to the
Windows Authoriztion Access Group Propertiesgroup in your AD domain.
- Create the local AD shadow copy of the users you wish to be able to login using the AAD account. In this example, the user is a B2B user (guest) of the AAD tenant (notice the _microsoft.com#EXEfirstname.lastname@example.org). This is the UPN of the user that will be passed to the local AD domain to sign in.
Azure AD setup
- Create Enterprise Application
- Setup Single sign-on options
- Setup Application proxy options
- Set the Internal Url to the local path on the web server
- Set the Pre Authentication to Azure Active Directory to force AAD signin ![enterpriseApplicationApplicationProxyBlade.png]