How to configure Remote Access for Work Folders with the Azure AD Application Proxy

In my previous blog I showed you how to deploy Work Folders on Windows Server 2019. In this blog I will show you how to configure Remote Access to these Work Folders via the Azure Active Directory Application Proxy. I great benefit of using the Azure AD Application Proxy is that you don’t need expensive reverse proxy solutions and you don’t have to open your firewall ports, so it is also more secure.


Before we start make note of the following requirements;

  • Work Folders server up and running (see this step-by-step blog)
  • Azure AD Application Proxy up and running (see this step-by-step blog)
  • Azure AD Basic or Premium licenses
  • Users must have an account that is synced from the on-premises domain to Azure AD
  • An iOS, Android or a Windows 10 (1703 or higher) device for testing

My Environment

In my on-premises domain I have the following servers for this configuration;

  • EMS01 (Application Proxy server)
  • EMSFile01 (Work Folders server)

Azure AD Sync is up and running and all users are synced from the on-premises domain to my Azure AD tenant.

In this blog

In this blog I will cover the following topics step-by-step;

  1. Create an SPN for the Work Folders server
  2. Configure Constrained Delegation
  3. Create a Work Folders Proxy application
  4. Create a Work Folders Native application
  5. Test the results

Step 1 : Create an SPN for the Work Folders server

First we need to created a SPN for the Work Folders server. At a later step we need this SPN when creating the applications in Azure. For the following steps, logon to a domain controller.

Open a Command Prompt with elevated rights and run the following command;

setspn -S http/workfolders.<domain> <Work Folder server>

The SPN for the Work Folders server is now created.

Step 2 : Configure Constrained Delegation

For the next steps stay on the Domain Controller and open Active Directory Users and Computers.

Navigate to the Application Proxy Server and open the Properties of it.

Open the Delegation tab and select Trust this computer for delegation to specified services only. Select Use any authentication protocol and click Add

Click Users or Computers

Enter the name of the Work Folders server and click OK

Select the SPN that we have created in Step 1 of this blog and click OK.

Click OK

Step 3 : Create a Work Folders Proxy application

For the following steps login to the Microsoft Azure Portal as with a Global Admin account.

Navigate to: Azure Active Directory > Enterprise applications > All applications and click the + New application button

Click On-premises application

Fill in the following information

Name : Any name you like, I go for Work Folders Proxy
Internal Url : The internal HTTPS address of your Work Folders server (DNS alias with SSL certificate)
External Url : You can select what kind of external URL you want, you can create a CNAME record for your domain or select the default “domain” address like I do in this case.
Pre-Authentication : Azure Active Directory
Connector Group : Select your Azure Application Proxy Connector Group, in my case this is “Default”

Scroll down

Make sure Translate URLs In Headers is set to Yes and all other options set to No (this is default). Click the + Add button.

Open the Users and groups blade and click + Add user

Search for the appropriate group and click Select and Assign

Open the Single sign-on blade and click Windows Integrated Authentication

Fill in the following information;

Internal Application SPN : The SPN address we created in step 1
Delegated Login Identity : User principal name

Click Save

Step 4 : Create a Work Folders Native application

In this final step we need to create the Work Folders Native application.

Navigate to Azure Active Directory > App registrations (Legacy) and click + New application registration

Fill in the following information;

Name : Any name you like, I will use Work Folders Native Client
Application type : Native
Redirect URI : https://168f3ee4-63fc-4723-a61a-6473f6cb515c/redir

Click Create

Copy the Application ID to a notepad, we need this ID in a later step, after doing that, click Settings

Open the Redirect URI’s blade

Add the following Redirect URIs;

ms-appx-web://microsoft.aad.brokerplugin/<your application ID>

Replace “<your application ID>” with own application ID, in my case it is the following URL;


Click Save

Open the Required permissions blade and click Windows Azure Active Directory

Select the following Delegated Permissions;

  • Sign in and read user profile
  • Access the directory as the signed-in user

Click Save

Click the + Add button

Double click Windows Azure Service Management API

Select Access Azure Service Management as organization users

Click Select and Done

Click the + Add button once again

Search and double click the Work Folders Proxy application

Select Access Work Folder Proxy and click Done

Step 5. Test the result

Let’s test the results of this configuration. I will first test it on a Windows 10 device that is managed by Microsoft Intune but is not part of the local domain and is on a remote location (not connected to the corporate network). Second, I will test the results on an Apple iPad.

On the Windows 10 device, search for Work Folders in the task bar.

Click Set up Work Folders

Click Enter a Work Folders URL instead. I you have created a “workfolders” DNS record for your external domain, users can also login with their mail account (it that uses the same domain).

Fill in the external Work Folders URL created in step 3 of this blog, in my case https://workfolders-<domain>

Click Next

Click Next

Select I accept these policies on my PC and click Set up Work Folders

Click Close

The files will now be synced to my Windows 10 device.

And as you can see, everything is working fine.

Let’s do the same on an Apple iPad.

On an iPad, install the Microsoft Work Folders App and open it.

Tab Continue

Click Enter a Work Folders URL Instead

Fill in the external Work Folders URL and tab Continue

Tab Launch Web Site

Select or enter the right account

Set a App passcode

Tab Yes if you would like to enable Touch ID

As you can see, the files are now also available on the Apple iPad.

Add comment

Your email address will not be published. Required fields are marked *

About Robin Hobo

I am a Technology Specialist Cloud Endpoint working for Microsoft. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.

For more information, see my LinkedIn profile.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.