
Understanding Azure AD Application Proxy Support for Remote Desktop Services

Application Proxy lets users access Remote Desktop apps hosted behind a Remote Desktop Gateway. Now it works with the RDS web client too.

Last month, Microsoft revealed the public preview of Azure Active Directory (AD) Application Proxy support for the Remote Desktop Services (RDS) web client. Application Proxy lets users access corporate web applications, and apps hosted behind a Remote Desktop Gateway, using a remote client. The primary advantage of Application Proxy is that it allows users to access intranet apps without first connecting to the corporate network using a virtual private network (VPN).

Azure AD Application Proxy uses an on-premises connector to manage communication between the cloud service and on-premises applications. Because the connector only uses outbound connections, organizations don’t need to open inbound ports or place servers in a demilitarized zone (DMZ). Application Proxy, along with Azure AD, is part of Microsoft’s identity-centric zero trust model.

Azure AD Application Proxy Support for Remote Desktop Services Web Client Now in Preview (Image Credit: Microsoft)


Application Proxy provides secure access to apps hosted on RDS. Application Proxy reduces the risks associated with connecting to RDS by enforcing pre-authentication and Conditional Access policies. For example, an organization could require use of multifactor authentication or use of a compliant device.


For more information on zero-trust networks, see Choosing between Virtual Private Network and Zero Trust Remote Access Solutions on Petri.

Starting with this preview, users can connect to RDS-hosted apps via Application Proxy using the RDS web client from any HTML5-compatible browser. Microsoft Edge, Internet Explorer 11, Google Chrome, Safari, and Mozilla Firefox are all compatible with the RDS web client. Organizations can use the RDS web client to publish full desktops or remote apps that look like they are running on the local device.



For more information on the RDS web client, check out my article on Petri here.

Using the RDS web client preview with Application Proxy

Before you can use the RDS web client with Application Proxy, your connectors must be updated to the latest version (1.5.1975.0). For instructions about how to get RDS to work with Application Proxy, check out Microsoft’s website here. You’ll also need to set up the RDS web client for users by following the instructions here.

Once everything is configured and working, users can access the web client from a browser or launch it from the My Apps Portal.

RDS web client single sign-on

Azure AD Application Proxy uses two types of authentication: pre-authentication and pass-through. Pre-authentication requires users to log in to Azure AD to get access to the RDS web client feed. Pass-through authentication relies on the published application to authenticate users. Windows Server AD must be synchronized with Azure AD to use pre-authentication.

If you choose to use pre-authentication, regardless of whether users are authenticated against Azure AD or via Active Directory Federation Services (ADFS), users will be required to log in a second time if the Remote Desktop Web Connection ActiveX Control is deployed in Internet Explorer. The ActiveX Control has been deprecated in Windows 10 in favor of browsers with HTML5 support.

When authenticating from a modern browser on devices that are joined to Azure AD, you will need to provide credentials on the RDS web login page. Microsoft is hoping to make the sign-in process easier for users in the future.
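
The pre-authentication and Conditional Access points above can be checked with a short audit. This is an added example, not code from the original article or from Microsoft: it flags published apps that use pass-through publishing and pre-authenticated apps that no enforced policy protects with MFA or a compliant device. The input is constructed sample data shaped like Microsoft Graph `application` and `conditionalAccessPolicy` objects; the app IDs, display names, and finding strings are assumptions.

```python
# Constructed sample data shaped like Microsoft Graph application and
# conditionalAccessPolicy objects. App IDs and names are placeholders.
APPS = [
    {"appId": "app-rds-web", "displayName": "RDS Web Client",
     "onPremisesPublishing": {"externalAuthenticationType": "aadPreAuthentication"}},
    {"appId": "app-rds-legacy", "displayName": "RDS Legacy",
     "onPremisesPublishing": {"externalAuthenticationType": "passthru"}},
    {"appId": "app-intranet", "displayName": "Intranet",
     "onPremisesPublishing": {"externalAuthenticationType": "aadPreAuthentication"}},
]
POLICIES = [
    {"displayName": "RDS: MFA or compliant device", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["app-rds-web"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Intranet: MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["app-intranet"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
STRONG = {"mfa", "compliantDevice"}  # the two controls the article names


def policy_enforces(policy, app_id):
    """True if an enabled policy targets app_id and can only be satisfied by a strong control."""
    if policy.get("state") != "enabled":
        return False  # report-only and disabled policies do not block sign-ins
    apps = policy["conditions"]["applications"]
    included = apps.get("includeApplications", [])
    if app_id in apps.get("excludeApplications", []) or not ({app_id, "All"} & set(included)):
        return False
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if grant.get("operator") == "AND":
        return bool(controls & STRONG)  # every control is required, so one strong one suffices
    return bool(controls) and controls <= STRONG  # OR: each alternative must be strong


def audit(apps, policies):
    """Return {displayName: finding} for each published app."""
    findings = {}
    for app in apps:
        auth = app["onPremisesPublishing"]["externalAuthenticationType"]
        if auth != "aadPreAuthentication":
            findings[app["displayName"]] = "passthrough: no Azure AD pre-authentication"
        elif any(policy_enforces(p, app["appId"]) for p in policies):
            findings[app["displayName"]] = "ok"
        else:
            findings[app["displayName"]] = "pre-auth but no enforced MFA/compliant-device policy"
    return findings
```

The report-only policy on the third app is deliberately treated as unenforced, since it logs the result of the policy without blocking sign-ins.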



Comments (1)

One response to “Understanding Azure AD Application Proxy Support for Remote Desktop Services”

  1. Very good steps, but when will they fully support the native (non-HTML5) client, including MFA? The HTML5 client is missing a lot of important functionality, especially multi-mon support. The UX of the current MFA solution for the native client is terrible.


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
