Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET! Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET!
Remote Desktop

Understanding Azure AD Application Proxy Support for Remote Desktop Services

Application Proxy lets users access Remote Desktop apps hosted behind a Remote Desktop Gateway. Now it works with the RDS web client too.Last month, Microsoft revealed the public preview of Azure Active Directory (AD) Application Proxy support for the Remote Desktop Services (RDS) web client. Application Proxy lets users access corporate web applications, and apps hosted behind a Remote Desktop Gateway, using a remote client. The primary advantage of Application Proxy is that it allows users to access intranet apps without first connecting to the corporate network using a virtual private network (VPN).

Azure AD Application Proxy uses an on-premises connector to manage communication between the cloud service and on-premises applications. Because the connector only uses outbound connections, organizations don’t need to open inbound ports or place servers in a demilitarized zone (DMZ). Application Proxy, along with Azure AD, is part of Microsoft’s identity-centric zero trust model.

Image #1 Expand
Azure AD Application Proxy Support for Remote Desktop Services Web Client Now in Preview (Image Credit: Microsoft)


Application Proxy provides secure access to apps hosted on RDS. Application Proxy reduces the risks associated with connecting to RDS by enforcing pre-authentication and Conditional Access policies. For example, an organization could require use of multifactor authentication or use of a compliant device.

Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.

For more information on zero-trust networks, see Choosing between Virtual Private Network and Zero Trust Remote Access Solutions on Petri.

Starting with this preview, users can connect to RDS-hosted apps via Application Proxy using the RDS web client from any HTML5-compatible browser. Microsoft Edge, Internet Explorer 11, Google Chrome, Safari, and Mozilla Firefox are all compatible with the RDS web client. Organizations can use the RDS web client to publish full desktops or remote apps that look like they are running on the local device.

Image #2 Expand
Azure AD Application Proxy Support for Remote Desktop Services Web Client Now in Preview (Image Credit: Microsoft)


For more information on the RDS web client, check out my article on Petri here.

Using the RDS web client preview with Application Proxy

Before you can use the RDS web client with Application Proxy, your connectors must be updated to the latest version (1.5.1975.0). For instructions about how to get RDS to work with Application Proxy, check out Microsoft’s website here. You’ll also need to set up the RDS web client for users by following the instructions here.

Once everything is configured and working, users can access the web client from a browser or launch it from the My Apps Portal.

RDS web client single sign-on

Azure AD Application Proxy uses two types of authentication: pre and pass-through.  Pre-authentication requires users to log in to Azure AD to get access to the RDS web client feed. Pass-through authentication relies on the published application to authenticate users. Windows Server AD must be synchronized with Azure AD to use pre-authentication.

If you choose to use pre-authentication, regardless of whether users are authenticated against Azure AD or via Active Directory Federation Services (ADFS), users will be required to log in a second time if the Remote Desktop Web Connection ActiveX Control is deployed in Internet Explorer. The ActiveX Control has been deprecated in Windows 10 in favor of browsers with HTML5 support.

When authenticating from a modern browser on devices that are joined to Azure AD, you will need to provide credentials on the RDS web log in page. Microsoft is hoping to make the sign-in process easier for users in the future.


Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (1)

One response to “Understanding Azure AD Application Proxy Support for Remote Desktop Services”

  1. bluvg

    Very good steps, but when will they fully support the native (non-HTML5) client, including MFA? The HTML5 client is missing a lot of important functionality, especially multi-mon support. The UX of the current MFA solution for the native client is terrible.

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.

Related Articles

Register for Advanced Microsoft 365 Day!

GET-IT: Advanced Microsoft 365 1-Day Virtual Conference - Live August 24th!

Join us on Tuesday, August 24th and hear from Microsoft MVPs and industry experts about how to take advantage of Microsoft 365 at a technical level and dive deep into the features and functionality that will make your environment more secure and compliant.


Sponsored By