AD FS 3.0 architecture and design question: can you use the Azure App Proxy Service instead of an AD FS WAP?

A while back (around October 2015; yes, this is a little late, I know. Sorry about that; my bad) someone asked in the comments of a blog post:

Is the new Azure Application Proxy (AAP) service a viable option to use as an Active Directory Federation Services (AD FS) Windows Server 2012 Web Application Proxy (WAP) replacement?

According to the Azure documentation page for the AAP:

“Microsoft Azure Active Directory Application Proxy lets you publish applications, such as SharePoint sites, Outlook Web Access, and IIS-based apps inside your private network and provides secure access to users outside your network. Employees can log into your apps from home on their own devices and authenticate through this cloud-based proxy.”

I’ve spent some time reading up on the AAP service and the functionality it offers. Originally targeted at AAD Premium customers, AAP is now available in the AAD Basic tier as well. Free tier customers: sorry, get your wallet out.

I just want to highlight a couple of key points about AD FS design. I’ve completed a few AD FS deployments, both on-premises and in Azure, in the last few years. Each solution design brings its own challenges, and I’d say the WAP servers are the least of your problems.

Until AD FS load exceeds roughly 15,000 users authenticating against the farm, deploying a single pair of AD FS WAP servers is just fine (and is what Microsoft recommends). That simple pair consists of workgroup (not domain-joined) boxes in a controlled DMZ VLAN: bare-bones, lightweight installations of Windows Server 2012 R2 with nothing but the proxy role on them.

The challenges come with networking, particularly load balancing: once in front of the WAPs for inbound traffic, and again between the WAPs and the AD FS farm in the restricted internal VLAN. Beyond that, redundancy of the AD FS servers themselves across multiple sites or geographic regions causes far more headaches than the simple little WAP servers do.
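To make the “bare-bones WAP pair” concrete, here is the full provisioning sequence for one proxy box as an added example (this is not code from the original post). The federation service name, the internal load balancer VIP and the certificate thumbprint are assumptions for illustration; the hosts-file pinning, the `Install-WebApplicationProxy` trust step and the `/adfs/probe` health endpoint are the standard Windows Server 2012 R2 WAP mechanics.

```powershell
# Added example, not from the original post. Names, addresses and the certificate
# thumbprint below are assumptions for illustration.
# Run on each workgroup (non domain-joined) WAP box in the DMZ VLAN.

$FederationServiceName = 'sts.contoso.com'      # assumed AD FS farm name (must match the SSL cert subject/SAN)
$InternalAdfsVip       = '10.10.20.50'          # assumed internal LB VIP sitting in front of the AD FS farm
$CertThumbprint        = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumed cert already in Cert:\LocalMachine\My

# 1. The WAP is not domain-joined, so it cannot rely on internal AD DNS. Pin the
#    federation service name to the *internal* VIP, never the public one, or the
#    proxy would hairpin back out through the external load balancer.
Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" `
            -Value "$InternalAdfsVip`t$FederationServiceName"

# 2. Install the role. Management tools are optional on a bare box but help when debugging.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 3. Establish the proxy trust with the farm. The credential is a local administrator
#    on the AD FS servers; it is used once to create the trust and is not stored on the WAP.
$TrustCred = Get-Credential -Message 'Account that is a local administrator on the AD FS servers'
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
                            -CertificateThumbprint $CertThumbprint `
                            -FederationServiceTrustCredential $TrustCred

# 4. Confirm which farm endpoint the proxy trusts and is talking to.
Get-WebApplicationProxyConfiguration | Select-Object ADFSUrl, ConnectedServersName

# 5. This is what the load balancer in front of the WAPs should health-check:
#    the plain-HTTP probe endpoint on port 80. Keep TLS passthrough on the
#    load balancer (Microsoft's guidance for AD FS and WAP) rather than
#    terminating the certificate there.
$probe = Invoke-WebRequest -Uri 'http://localhost/adfs/probe' -UseBasicParsing
"Probe returned HTTP $($probe.StatusCode)"   # a healthy proxy answers 200
```

The same probe URL, with the public federation service name instead of `localhost`, is what you would hand to the network team for the external load balancer’s health monitor, and the internal load balancer in front of the AD FS farm gets the identical probe against each farm member.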

The point I’m making here is that the WAP solution is very simple. A complete SaaS AD FS solution would be a much more appealing proposition, though. Can the Azure App Proxy reduce our monthly Azure compute spend by $214.06, the cost of two A1 compute instances? That would cover my monthly Audible, Spotify and Netflix subscriptions with plenty of change left over for my exorbitant cappuccino budget (double shot, decaf cappuccino, thanks! I’ve given up on caffeine. More on that another time). So I’m not going to complain, but I will explore whether it is worth my while.

Unfortunately, although the Azure Application Proxy sounds like a solution that would replace or build upon the WAP service, AAP is NOT, I repeat NOT, a replacement. Sad news; I know.

For single sign-on to work, the Azure App Proxy still relies on AD FS integration; it sits alongside the federation service rather than standing in for it.

Get the program managers out here- stat!

A service similar to the WAP would be fantastic in Azure: a simple proxy service that filters inbound requests and hands them off to internal resources, sitting behind a regional Azure load balancing service. That would not only cut cost (two virtual machines fewer) but also move AD FS further towards an “as a service” model, the ideal “AD FS 4.0” or equivalent.

Final words

Recently I’ve not had the opportunity to design or provision much in the way of Azure AD Premium. The Azure App Proxy was new to me and promised so much. When AD FS will become an Azure service, I don’t know. What I do know is that in a cloud-first world with less and less reliance on on-premises infrastructure, a secure, large-scale AD FS service in Azure would be fantastic.

Take note Microsoft!


Questions?

Have a question about this post? Ask away on Twitter or in my AMA repo.