Deploying Hybrid RemoteApp

I’m in the process of building out new scenario’s for my EMS focused lab.  RemoteApp seemed to be a natural fit here – especially the “hybrid” scenario which leverages your Azure AD/Hybrid Identity.  The endgame here is to be able to access your published applications on any device (iPad, BYOD Windows or MAC machine, etc…) using your AD credentials (ie; SSO).  In my lab, I’m even using the MFA features available in Azure so I can force multi-factor authentication on users access applications via RemoteApp. 

To whet the appetite…here’s an example – I’ve published the SCCM console via RemoteApp.  Since the deployment is Hybrid – these apps can now talk back to my on-premises services via a dedicated site-to-site VPN you’ll configure as a part of the RemoteApp configuration process.  I’m now able to download the Remote Desktop App for the iPad and connect to my applications.


Let’s get started…

  • You’ll need to sign up for the RemoteApp preview if you haven’t already.  As of now, it won’t just show up in your Azure subscription.  It may take some time to get approved so don’t plan on clicking it and starting this process within a few minutes…


  • The next thing you want to make sure you have a handle on is what Azure AD is the default directory for your subscription.  This is what RemoteApp will use in the hybrid scenario.  This is important because, as you’ll see, the users that you will want to give access to the RemoteApp’s that you publish will come from your Azure AD.  If you are – or are planning – to do directory synchronization from your on-premises AD to Azure then it’s important that you ensure that Azure AD is the default.
  • To do this – navigate to the settings section (left hand side of Azure admin portal at the bottom) and click on subscription.  The click on the “edit directory” at the bottom of the page to see which Azure AD your subscription is pointing to.  If it’s not pointing to the one where your users are – then you’ll need to change it.



  • Next, for the hybrid scenario you’ll need to make sure that your environment can support a site-to-site VPN connection from Azure.  If you are building this out in a lab like I am (ie; your house/residential internet) then you’ll need to make sure you have the right ports open to make this work.  I am running mine out of my home network as well – but I use ATT Gigapower and I have a small subnet of static IP’s that allowed me to create a RRAS server and pin up a VPN to Azure with no issues.  You can check out my recent post on how to configure a S2S VPN using RRAS and Azure.
  • There’s a link in the early part of the above blog post that shows the ports you need to have open as well as some tools you can use to ensure the right ports/protocols are working remotely.  It’s easiest to use an Azure VM to test from since its obviously outside your network and can simulate accurate remote connectivity.

Alright, let’s get started on the RemoteApp configuration in Azure…

  • These parts have been pretty well covered and I’ll link a couple other blog posts here to follow their step-by-step instructions since they are well done and accurate. (no need to recreate the wheel here).  I just wanted to make sure that everyone understood that there are VPN considerations here as well as understanding which AD RemoteApp will point to and how to change that if it’s not set to how you require for your hybrid configuration to work properly.