
Enable SSO (Single Sign On) to On-Premises Exchange OWA (Outlook Web Access) via Azure AD Application Proxy

Wouldn’t it be awesome to do the following with the Outlook Web Access that is published in your on-premises environment today?

  • Use a cheap proxy solution to prevent direct internet access to your servers
  • Mask the IPs of your on-premises infrastructure
  • Enable Azure MFA (Multi-Factor Authentication) for OWA
  • Have a single sign-on experience into Outlook Web App via federation
  • Have the application be selectable from your “My Apps” page (myapps.microsoft.com)
  • Have the application be selectable from the “Waffle Menu” of Office 365

If you are looking for any of the above, you are in luck: we can enable this easily through Azure AD Application Proxy.  If your organization is already using Office 365 or Azure AD and has licensing for Azure AD Premium or Basic, you are good to go.  If you have the Enterprise Mobility Suite, it includes Azure AD Premium licensing, so you are good to go as well.

Configuration

  1. Pre-Requisite: Enable Kerberos Authentication for Outlook Web Access On-Premises
    1. Log in to one of your domain controllers and open Active Directory Users and Computers
      Server Manager - Active Directory Users and Computers
    2. Find the computer object of the server on which you will run the Azure AD Application Proxy connector later in this tutorial, right click it and select Properties
      Active Directory Users and Computers - Computers - OWA - Properties
    3. Select the Delegation tab, select Trust this computer for delegation to specified services only, check Use any authentication protocol, and click Add…
      Active Directory Users and Computers - Computers - OWA - Properties - Delegation - Add
    4. Click Users or Computers…
      Active Directory Users and Computers - Computers - OWA - Properties - Delegation - Add - Users or Computers
    5. Type in the name of the Exchange server that hosts OWA and click OK
      Active Directory Users and Computers - Computers - OWA - Properties - Delegation - Add - Users or Computers - Select Users or Computers
    6. Select http and click OK
      Active Directory Users and Computers - Computers - OWA - Properties - Delegation - Add - Users or Computers - http
    7. Click OK on the Add Services page
  2. Pre-Requisite: Enable Exchange On-Premises to use Integrated Windows Authentication (instructions for Exchange 2010 and 2013 follow)
    1. Exchange 2010
      1. Open the Exchange Management Console for your Exchange server
        Exchange Management Console (2010)
      2. Expand Server Configuration, select Client Access, and under Outlook Web App right click on your web app and select Properties
        Exchange Management Console (2010) - Outlook Web App
      3. Select the Authentication tab and check Use one or more standard authentication methods.  Then check Integrated Windows authentication and click the Apply and OK buttons.
        Exchange Management Console (2010) - Outlook Web App Properties - Authentication - Integrated Windows Authentication
      4. Open an elevated command prompt
        cmd as Administrator
      5. Execute the iisreset command
        cmd - iisreset
    2. Exchange 2013
      1. Open the Exchange Admin Center
        Exchange Administrative Center (2013)
      2. Log in to the admin center, click on Servers and select the Virtual Directories tab
        Exchange Administrative Center (2013) - admin center - servers - virtual directories
      3. Select the server, double click on the owa virtual directory and select the Authentication tab
        Exchange Administrative Center (2013) - admin center - servers - virtual directories - owa - authentication
      4. On the Authentication tab, select Use one or more standard authentication methods, select Integrated Windows authentication, and click Save
        Exchange Administrative Center (2013) - admin center - servers - virtual directories - owa - authentication - integrated windows authentication
      5. Open an elevated command prompt
        Elevated Command Prompt
      6. Execute the iisreset command
        cmd - iisreset
  3. Log in to the Azure AD Portal
    1. https://manage.windowsazure.com
      1. Note: As of 6/2/2016, Azure Active Directory has not been published in the new Azure Portal.  However, this will change in the future 🙂
  4. Select Active Directory on the left side
    Azure Active Directory - Classic Portal
  5. Select your Azure Active Directory instance
    Azure Active Directory - Instance - Classic Portal
  6. Select Applications at the top of the menu
    Azure Active Directory - Instance - Applications - Classic Portal
  7. Select Publish an application that will be accessible from outside your network
    Azure Active Directory - Instance - Applications - Add - Classic Portal
  8. Enter in the following information for the application:
    1. Name: Outlook Web Access
    2. Internal URL: https://owa.domain.com/owa/ (this is the internal URL to owa)
    3. Preauthentication Method: Azure Active Directory
    4. Select the Checkmark
      Azure Active Directory - Instance - Applications - Add - App Proxy - Classic Portal
  9. Click on the Configure tab
    Azure Active Directory - Instance - Applications - OWA - Configure - Classic Portal
  10. On the Configure tab, use the following configuration
    1. Internal Authentication Method: Integrated Windows Authentication
      1. Note: If you cannot use Kerberos-based authentication (Integrated Windows Authentication) in your environment, you can leave this blank and still use Azure AD Application Proxy; however, the end user will be prompted for credentials just as if they had browsed directly to OWA.
    2. Internal Application SPN: http/owa.domain.com
      1. This is the Service Principal Name of the Exchange server that hosts OWA, i.e. the http service you selected for delegation earlier in this tutorial.
    3. Click Save
      Azure Active Directory - Instance - Applications - OWA - Configure - Settings - Classic Portal
  11. Click on the Cloud icon with a lightning bolt and select Download a connector
    Azure Active Directory - Instance - Applications - OWA - Configure - Classic Portal

    1. Check the I accept the license terms and privacy agreement checkbox and click Download
      Azure AD Application Proxy Connector Download
    2. Note: Although the download has a generic name, the download is customized specifically for your application (Outlook Web Access in this case).  If you create other applications within your Azure AD tenant, make sure you always use the Download button inside of each application so it generates the correct installer.
  12. Copy the AADApplicationProxyConnectorInstaller.exe connector to any server in your environment that can access your OWA instance internally and run the installer
    AADApplicationProxyConnectorInstaller Downloaded
  13. Check I agree to the license terms and conditions and click Install
    Microsoft Azure Active Directory Application Proxy Connector - I agree
  14. Type in your Global Administrator credentials to register the agent to your Azure AD tenant and click Sign in
    Microsoft Azure Active Directory Application Proxy Connector - Credential Prompt
  15. Click Close if it shows Setup Success
    Microsoft Azure Active Directory Application Proxy Connector - Success

    1. Optional: You can run the Connector Troubleshooter if you would like.  It will install a quick application that will show you the results of the test in your web browser once it has completed.
      Azure AD Application Proxy Connector Troubleshooter
  16. Click on Users and Groups at the top of the Azure AD portal
    1. Search for the group or users you want to assign to this, select it, and click the Assign button
      Azure Active Directory - Instance - Applications - OWA - Users and Groups - Assign

      1. Note: This group could be synchronized from on-premises to Azure AD or created in the cloud
      2. Note: Assigning a user or group to this application will automatically make the application show up in the My Apps portal
      3. Note: Users or Groups must be defined to use the application or they will receive an error upon logging in
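
The two on-premises pre-requisites above (Kerberos constrained delegation for the connector host, Integrated Windows Authentication on the OWA virtual directory) as a PowerShell script. This is an added example, not from the original post and not Microsoft's own guidance; it assumes the names CONNECTOR01 (the server that will run the connector), EXCH01 (the Exchange server hosting OWA) and the SPN http/owa.domain.com entered as Internal Application SPN in the portal. Run the Active Directory part on a domain-joined admin host with RSAT and the Exchange part in the Exchange Management Shell. Note that the delegation stays constrained to the single OWA SPN: "Use any authentication protocol" (protocol transition) is required because Azure AD, not Kerberos, authenticated the user, so the connector has to obtain a ticket on the user's behalf, and any further SPN added to that list would let the connector host impersonate users to that service too.

```powershell
# Added example (not from the original post). Assumed names: CONNECTOR01 runs the
# App Proxy connector, EXCH01 hosts OWA, http/owa.domain.com is the SPN entered as
# "Internal Application SPN" in the portal. Adjust to your environment.
Import-Module ActiveDirectory

$connector = 'CONNECTOR01'
$exchange  = 'EXCH01'
$owaSpn    = 'http/owa.domain.com'

# --- Pre-requisite 1: Kerberos constrained delegation for the connector host ---

# The SPN the connector requests a ticket for must be registered on exactly one
# account; with none or a duplicate, the KDC cannot issue a usable service ticket.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$owaSpn)")
if ($owners.Count -eq 0) {
    # Register it on the Exchange server's computer account.
    Set-ADComputer -Identity $exchange -ServicePrincipalNames @{Add = $owaSpn}
} elseif ($owners.Count -gt 1) {
    throw "Duplicate SPN $owaSpn on: $($owners.DistinguishedName -join '; ')"
}

# "Trust this computer for delegation to specified services only": the allowed
# list holds just the OWA SPN; TrustedForDelegation (unconstrained) stays $false.
Set-ADComputer -Identity $connector -Add @{'msDS-AllowedToDelegateTo' = $owaSpn}

# "Use any authentication protocol" = protocol transition. The user signed in to
# Azure AD, so the connector holds no Kerberos ticket from the user and must use
# S4U2Self to get one before it can delegate it to OWA (S4U2Proxy).
Set-ADAccountControl -Identity "$connector`$" -TrustedToAuthForDelegation $true

# Verify. Expected: Unconstrained = False, ProtocolTransition = True,
# AllowedToDelegateTo = http/owa.domain.com and nothing else.
Get-ADComputer -Identity $connector -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name,
        @{ n = 'Unconstrained';       e = { $_.TrustedForDelegation } },
        @{ n = 'ProtocolTransition';  e = { $_.TrustedToAuthForDelegation } },
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# --- Pre-requisite 2: Integrated Windows Authentication on /owa (Exchange Management Shell) ---
# "Use one or more standard authentication methods" + "Integrated Windows
# authentication" means forms-based auth off and Windows auth on. Exchange expects
# /owa and /ecp to carry matching authentication settings, so both are changed.
$owaVdir = "$exchange\owa (Default Web Site)"
$ecpVdir = "$exchange\ecp (Default Web Site)"
Set-OwaVirtualDirectory -Identity $owaVdir -WindowsAuthentication $true -FormsAuthentication $false
Set-EcpVirtualDirectory -Identity $ecpVdir -WindowsAuthentication $true -FormsAuthentication $false
Get-OwaVirtualDirectory -Identity $owaVdir | Format-List Identity, WindowsAuthentication, FormsAuthentication, BasicAuthentication

# Apply the IIS change (same as the iisreset step above).
iisreset
```

The verification output at the end of the AD part is the quickest way to spot the classic mistake of ticking "Trust this computer for delegation to any service" (unconstrained delegation) instead of the "specified services only" option the tutorial calls for.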

Test

  1. Log in to https://myapps.microsoft.com as one of the users assigned to the Outlook Web Access application
  2. Select the Outlook Web Access application

If all went well, you should be logged into Outlook Web Access on-premises and see your corresponding mailbox.  At this point, I would proceed with adding a vanity domain name that matches your organization, as well as a corresponding SSL certificate for that domain name, instead of leveraging the default msappproxy.net domain name.  Additionally, you can always find a nice little icon for the application to make it look like OWA as well 🙂
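
When the test above does not land you in your mailbox, the following read-only checks, run on the connector host, cover the usual causes: connector service stopped, internal host name not resolving, forms-based authentication still enabled on /owa, or no account holding the SPN. This is an added example, not from the original post and not the Connector Troubleshooter mentioned earlier; it assumes the internal URL https://owa.domain.com/owa/ and the SPN http/owa.domain.com from the configuration above, and the connector's Windows service name WAPCSvc.

```powershell
# Added example (not from the original post): read-only pre-flight checks for the
# connector host. Assumed values: internal URL and SPN as configured in the portal.
$internalUrl = 'https://owa.domain.com/owa/'
$owaSpn      = 'http/owa.domain.com'
$results     = [ordered]@{}

# 1. The connector service ("Microsoft AAD Application Proxy Connector") is running.
$svc = Get-Service -Name WAPCSvc -ErrorAction SilentlyContinue
$results['ConnectorServiceRunning'] = [bool]($svc -and $svc.Status -eq 'Running')

# 2. The internal host name resolves here: the connector, not Azure, opens the
#    connection to the internal URL, so internal DNS must answer on this server.
$hostName = ([uri]$internalUrl).Host
$results['InternalDnsResolves'] = [bool](Resolve-DnsName -Name $hostName -ErrorAction SilentlyContinue)

# 3. An anonymous request to /owa must get 401 with WWW-Authenticate: Negotiate;
#    that is the challenge the connector answers with the KCD ticket. A redirect
#    to /owa/auth/logon.aspx means forms-based authentication is still enabled.
try {
    Invoke-WebRequest -Uri $internalUrl -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop | Out-Null
    $results['OwaOffersNegotiate'] = $false   # 200 without credentials: IWA is not enforced
} catch {
    $resp = $_.Exception.Response
    $results['OwaOffersNegotiate'] = [bool]($resp -and [int]$resp.StatusCode -eq 401 -and
        ($resp.Headers['WWW-Authenticate'] -match 'Negotiate'))
}

# 4. The KDC issues a service ticket for the SPN, i.e. some account holds it.
#    klist prints "Server: <spn> @ REALM" on success and an error text otherwise.
$klist = (& klist.exe get $owaSpn 2>&1) -join "`n"
$results['ServiceTicketForSpn'] = [bool]($klist -match ('Server:\s*' + [regex]::Escape($owaSpn)))

[PSCustomObject]$results
```

Every check reports a boolean, so the script can be re-run after each fix; check 3 is the one that distinguishes "the connector cannot reach OWA" from "OWA is reachable but still serving the forms-based logon page".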