In my previous blog I showed you how to deploy Work Folders on Windows Server 2019. In this blog I will show you how to configure Remote Access to these Work Folders via the Azure Active Directory Application Proxy. A great benefit of using the Azure AD Application Proxy is that you don’t need expensive reverse proxy solutions and you don’t have to open inbound firewall ports, so it is also more secure.
Before we start make note of the following requirements;
- Work Folders server up and running (see this step-by-step blog)
- Azure AD Application Proxy up and running (see this step-by-step blog)
- Azure AD Basic or Premium licenses
- Users must have an account that is synced from the on-premises domain to Azure AD
- An iOS, Android or a Windows 10 (1703 or higher) device for testing
In my on-premises domain I have the following servers for this configuration;
- EMS01 (Application Proxy server)
- EMSFile01 (Work Folders server)
Azure AD Sync is up and running and all users are synced from the on-premises domain to my Azure AD tenant.
In this blog
In this blog I will cover the following topics step-by-step;
- Create an SPN for the Work Folders server
- Configure Constrained Delegation
- Create a Work Folders Proxy application
- Create a Work Folders Native application
- Test the results
Step 1 : Create an SPN for the Work Folders server
First we need to create an SPN for the Work Folders server. In a later step we need this SPN when creating the applications in Azure. For the following steps, log on to a domain controller.
Open a Command Prompt with elevated rights and run the following command;
setspn -S http/workfolders.<domain> <Work Folder server>
The SPN for the Work Folders server is now created.
Step 2 : Configure Constrained Delegation
For the next steps stay on the Domain Controller and open Active Directory Users and Computers.
Navigate to the Application Proxy Server and open the Properties of it.
Open the Delegation tab and select Trust this computer for delegation to specified services only. Select Use any authentication protocol and click Add…
Click Users or Computers
Enter the name of the Work Folders server and click OK
Select the SPN that we have created in Step 1 of this blog and click OK.
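Steps 1 and 2 can also be done, and more importantly verified, from PowerShell. The script below is an added example and is not part of the original post; it assumes the post's server names (EMS01 as the Application Proxy connector server, EMSFile01 as the Work Folders server), a placeholder domain name, and an elevated session on a domain controller with the ActiveDirectory module (RSAT) installed. It registers the SPN, writes the same two settings the Delegation tab writes (msDS-AllowedToDelegateTo and the TRUSTED_TO_AUTH_FOR_DELEGATION flag, which is what "Use any authentication protocol" sets), and then checks that the connector server may delegate to the Work Folders SPN and nothing else.

```powershell
# Added example, not from the original post: register the Work Folders SPN,
# configure constrained delegation with protocol transition on the Application
# Proxy connector server, then verify the result.
Import-Module ActiveDirectory

$Domain      = 'corp.example.com'   # placeholder: replace with your AD DNS domain
$WorkFolders = 'EMSFile01'          # Work Folders server (name from the post)
$ProxyServer = 'EMS01'              # Application Proxy connector server (name from the post)
$Spn         = "http/workfolders.$Domain"

# Step 1: register the SPN on the Work Folders computer account.
# setspn -S refuses to add an SPN that already exists on another account,
# which prevents duplicate SPNs (a classic cause of Kerberos failures).
setspn -S $Spn $WorkFolders
if ($LASTEXITCODE -ne 0) {
    throw "setspn failed; the SPN may already be registered on another account"
}

# Step 2: constrained delegation on the connector server, limited to that one SPN.
# msDS-AllowedToDelegateTo lists the target services the connector may delegate to;
# -Add appends to an existing list instead of overwriting it.
Set-ADComputer -Identity $ProxyServer -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }

# "Use any authentication protocol" in the GUI equals the TRUSTED_TO_AUTH_FOR_DELEGATION
# flag (protocol transition), which the connector needs because the user arrives with an
# Azure AD token rather than a Kerberos ticket.
Get-ADComputer -Identity $ProxyServer | Set-ADAccountControl -TrustedToAuthForDelegation $true

# Verification 1: the SPN is on the Work Folders computer account.
$registered = setspn -L $WorkFolders
if (-not ($registered -match [regex]::Escape($Spn))) {
    throw "SPN $Spn not found on $WorkFolders"
}

# Verification 2: the connector delegates only to the Work Folders SPN.
$proxy   = Get-ADComputer -Identity $ProxyServer -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
$targets = @($proxy.'msDS-AllowedToDelegateTo')
"Delegation targets for ${ProxyServer}: $($targets -join ', ')"
"Protocol transition enabled: $($proxy.TrustedToAuthForDelegation)"

# Protocol transition lets the connector obtain service tickets on behalf of any user
# for every service in this list, so any entry other than the Work Folders SPN widens
# the blast radius of a compromised connector and should be reviewed.
$unexpected = $targets | Where-Object { $_ -ne $Spn }
if ($unexpected) {
    Write-Warning "Unexpected delegation targets on ${ProxyServer}: $($unexpected -join ', ')"
}
```

The last check is worth keeping as a periodic audit: run it against every computer account where TrustedToAuthForDelegation is true (for example with Get-ADComputer -Filter 'TrustedToAuthForDelegation -eq $true'), because delegation targets tend to accumulate over time and are rarely removed.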
Step 3 : Create a Work Folders Proxy application
For the following steps, log in to the Microsoft Azure Portal with a Global Admin account.
Navigate to: Azure Active Directory > Enterprise applications > All applications and click the + New application button
Click On-premises application
Fill in the following information
Name : Any name you like, I go for Work Folders Proxy
Internal Url : The internal HTTPS address of your Work Folders server (DNS alias with SSL certificate)
External Url : You can select what kind of external URL you want, you can create a CNAME record for your domain or select the default “domain”.msappproxy.net address like I do in this case.
Pre-Authentication : Azure Active Directory
Connector Group : Select your Azure Application Proxy Connector Group, in my case this is “Default”
Make sure Translate URLs In Headers is set to Yes and all other options set to No (this is default). Click the + Add button.
Open the Users and groups blade and click + Add user
Search for the appropriate group and click Select and Assign
Open the Single sign-on blade and click Windows Integrated Authentication
Fill in the following information;
Internal Application SPN : The SPN address we created in step 1
Delegated Login Identity : User principal name
Step 4 : Create a Work Folders Native application
In this final step we need to create the Work Folders Native application.
Navigate to Azure Active Directory > App registrations (Legacy) and click + New application registration
Name : Any name you like, I will use Work Folders Native Client
Application type : Native
Redirect URI : https://168f3ee4-63fc-4723-a61a-6473f6cb515c/redir
Copy the Application ID to a notepad; we need this ID in a later step. After doing that, click Settings
Open the Redirect URIs blade
Add the following Redirect URIs;
ms-appx-web://microsoft.aad.brokerplugin/<your application ID>
Replace “<your application ID>” with your own application ID, in my case it is the following URL;
Open the Required permissions blade and click Windows Azure Active Directory
Select the following Delegated Permissions;
- Sign in and read user profile
- Access the directory as the signed-in user
Click the + Add button
Double click Windows Azure Service Management API
Select Access Azure Service Management as organization users
Click Select and Done
Click the + Add button once again
Search and double click the Work Folders Proxy application
Select Access Work Folder Proxy and click Done
Step 5 : Test the results
Let’s test the results of this configuration. I will first test it on a Windows 10 device that is managed by Microsoft Intune but is not part of the local domain and is on a remote location (not connected to the corporate network). Second, I will test the results on an Apple iPad.
On the Windows 10 device, search for Work Folders in the task bar.
Click Set up Work Folders
Click Enter a Work Folders URL instead. If you have created a “workfolders” DNS record for your external domain, users can also log in with their mail address (if it uses the same domain).
Fill in the external Work Folders URL created in step 3 of this blog, in my case https://workfolders-<domain>.msappproxy.net
Select I accept these policies on my PC and click Set up Work Folders
The files will now be synced to my Windows 10 device.
And as you can see, everything is working fine.
Let’s do the same on an Apple iPad.
On an iPad, install the Microsoft Work Folders App and open it.
Click Enter a Work Folders URL Instead
Fill in the external Work Folders URL and tap Continue
Tap Launch Web Site
Select or enter the right account
Set an App passcode
Tap Yes if you would like to enable Touch ID
As you can see, the files are now also available on the Apple iPad.