Microsoft announced this week that it’s possible to use the Azure Active Directory Application Proxy service with Remote Desktop Services (RDS)-based Web clients to add security protections for remote connections.
RDS is Microsoft’s service that uses the Remote Desktop Protocol to connect end users to desktops and applications housed on virtual machines in remote datacenters. With the new RDS-based Web client support, end users can use their browsers for remote access to “full desktops or remote apps,” Microsoft indicated.
Currently, this RDS Web client support using the Azure Active Directory Application Proxy service is at the preview stage. To use it, organizations will need to have the Azure AD Application Proxy service in place, and they’ll need to have their App Proxy connectors upgraded “to the latest version, 1.5.1975.0.”
Microsoft indicated that “any HTML5-capable browser” can work with the scheme, including “Microsoft Edge, Internet Explorer 11, Google Chrome, Safari, or Mozilla Firefox (v55.0 and later).”
Conditional Access and MFA
Organizations may want to use this proxy service to add security protections to browser-based clients. One added capability is “conditional access,” which checks device compliance before enabling access. Another is “multifactor authentication,” which imposes a secondary identity verification measure on top of supplying a password.
Here’s Microsoft’s description along those lines:
By using App Proxy with RDS you can reduce the attack surface of your RDS deployment by enforcing pre-authentication and Conditional Access policies like requiring Multi-Factor Authentication (MFA) or using a compliant device before users can access RDS. App Proxy also doesn’t require you to open inbound connections through your firewall.
Doing away with inbound connections appears to be a general security benefit of using the Azure AD Application Proxy service, per this Microsoft document description.
There’s also a “single sign-on” benefit for end users when using the Azure AD Application Proxy service, reducing how often they have to enter their credentials. Single sign-on is enabled because of how the RD Web and RD Gateway roles get tapped by the proxy service.
“RD Web and RD Gateway are published as a single application with Application Proxy so that you can have a single sign-on experience between the two applications,” Microsoft’s document explained.
However, some readers of Microsoft’s announcement reported that end users don’t get this single sign-on access experience when the Azure AD Application Proxy service is used. Instead, end users have to enter their credentials as much as three times. In response, Jasmine Betthauser of Microsoft suggested in the announcement’s comments that single sign-on will work if an organization’s PCs are domain joined to the Azure AD service.
“If the user’s computer is Azure AD joined, the user signs in to Azure AD automatically,” Betthauser wrote. “The user will still need to provide their credentials on the RDWeb sign-in form. We’re still investigating options for how to simplify this.”
The announcement of RDS Web client support elicited very positive reactions, based on responses found in this Twitter post feed. However, it’s taken some time to get there. Microsoft’s customers have been requesting this capability for more than two years, as can be seen in this “User Voice” item.