Securing API Access beyond Intranet with Azure AD Application Proxy
Many of you have said that you have business logic/APIs running either on-premises or hosted in virtual machines across the cloud. Native apps, which often run on iOS/Android/Mac/Windows, need to interact with these API endpoints to make use of the data or to provide user interaction. This scenario is also supported with Azure AD Application Proxy. As with other solutions supported with the Application Proxy, this lets you move from scenarios where you would need to open firewall ports and control authentication and authorization at the app layer (Figure 1 below) to a faster and more secure solution, which also allows additional security through Azure AD Premium features like Multifactor Authentication and Device Based Conditional Access for desktops, iOS/Mac and Android devices using Intune (Figure 2 below).
Figure 1: A typical way to publish your on-premises resources.
Figure 2: Securely publish your APIs using the Azure AD App Proxy without requiring any incoming ports.
The Overall Solution
The Azure AD Application Proxy forms the backbone of the entire solution, working as the public endpoint for API access and providing authentication and authorization. You can access all your APIs from a vast array of platforms using the ADAL libraries. To give an overview of this solution, I'll walk through a demo.
For the demo, let's assume we are hosting an API service on-premises.
Sample REST Response
Publish the API using the App Proxy
Let's drill into how you can publish this API. It follows the same pattern as publishing web applications.
Step 1: Ensure Pre-Authentication is set to Azure Active Directory.
Step 2: Hide the application from end users
Since this is an API, you do not want it to be available to your end users in the MyApps panel. Set the "Visible to users?" option to "No".
Step 3: Configure authorization by selecting the users and groups who can access this application.
As with any other application, you will need to assign users to the application.
With the above three steps you should have your API published outside of the intranet through the Application Proxy.
Note: There might be additional steps required if your API is protected with Windows Integrated Authentication.
Configuring Native App Registration and Granting Access
Native applications are programs developed for use on a particular platform or device. Before the app can connect to and access the API, you need to register the app in Azure. The next steps walk you through how to register the app and configure its access to the API published above.
More details can be found here
Step 1: Native App Registration: Create a new App Registration
Step 2: Grant Access to the API published (in the previous step) via Application Proxy
Configuring the Native Application Parameters
The last step is to identify and configure the native application.
Step 1: Click on App Registrations
Step 2: Drill into the application you just created and capture the App ID URI
The native app attaches the bearer token to the Authorization header of each request it makes to the API. The below snippet uses the ADAL library to acquire a token and attach it as a Bearer token in the header. A sample web app and native app can be found here
The app configuration requires you to supply the values from the above screenshots.
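The token acquisition and API call described above, as an added example that is not the original post's snippet or the linked sample. It assumes a .NET desktop client with the ADAL .NET package; every value in angle brackets is a placeholder for your own tenant, native app registration, App ID URI and Application Proxy external URL, and the class and method names are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL .NET

static class ProxyApiClient // hypothetical name
{
    // Placeholders: values from the tenant and the two app registrations.
    const string Authority   = "https://login.microsoftonline.com/<tenant-id>";
    const string ClientId    = "<native-app-application-id>";
    const string RedirectUri = "<native-app-redirect-uri>";
    const string Resource    = "<app-id-uri-of-published-api>";
    const string ApiUrl      = "https://<app-proxy-external-url>/<api-path>";

    static readonly HttpClient Http = new HttpClient();

    public static async Task<string> CallApiAsync()
    {
        // A bearer token must only ever travel over TLS.
        var target = new Uri(ApiUrl);
        if (target.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("API URL must use https.");

        AuthenticationResult token;
        try
        {
            // Prompts for sign-in when needed; ADAL's token cache serves later calls.
            token = await new AuthenticationContext(Authority).AcquireTokenAsync(
                Resource, ClientId, new Uri(RedirectUri),
                new PlatformParameters(PromptBehavior.Auto));
        }
        catch (AdalException ex)
        {
            // Surface the error code only; never log token material.
            throw new InvalidOperationException("Sign-in failed: " + ex.ErrorCode, ex);
        }

        var request = new HttpRequestMessage(HttpMethod.Get, target);
        request.Headers.Authorization =
            new AuthenticationHeaderValue("Bearer", token.AccessToken);
        using (var response = await Http.SendAsync(request))
        {
            if (response.StatusCode == HttpStatusCode.Unauthorized ||
                response.StatusCode == HttpStatusCode.Forbidden)
                throw new UnauthorizedAccessException(
                    "Request rejected; check the App ID URI and user assignment.");
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```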
Once the parameters are configured, you can try the application and confirm that the Native App was successfully able to access the API hosted on-premises.
Conclusion
Native apps on iOS/Android/Mac/Windows can now use ADAL (the Azure Active Directory Authentication Libraries) and Azure AD Application Proxy to securely access APIs hosted on-premises. Since Azure AD App Proxy authentication and authorization is built on top of Azure AD, you can also leverage Azure AD Conditional Access to ensure that API access only works from trusted devices: Azure AD joined or Hybrid Azure AD joined for desktops, and Intune managed for iOS/Mac and Android devices. You can also choose to require Azure Multifactor Authentication, along with the machine-learning-backed security of Azure Identity Protection.
Best,
Jeevan Bisht
Program Manager – GTP