Integrate Azure Active Directory Application Proxy with SharePoint (SAML)

This step-by-step guide explains how to secure access to an Azure Active Directory integrated on-premises SharePoint (SAML) deployment using Azure AD Application Proxy, so that users in your organization (Azure AD, B2B) can connect to SharePoint over the Internet.

Note

If you're new to Azure AD Application Proxy and want to learn more, see Remote access to on-premises applications through Azure AD Application Proxy.

There are three primary advantages of this setup:

  • Azure AD Application Proxy pre-authenticates users, so only authenticated traffic reaches your internal network and SharePoint.
  • Your users can access SharePoint sites as usual, without a VPN.
  • You can control access through user assignment at the Azure AD Application Proxy level, and you can increase security with Azure AD features such as Conditional Access and Multi-Factor Authentication (MFA).

This process requires two Enterprise Applications. One is a SharePoint on-premises instance that you publish from the gallery to your list of managed SaaS apps. The second is an on-premises application (non-gallery application) you'll use to publish the first Enterprise Gallery Application.

Prerequisites

To complete this configuration, you need the following resources:

Step 1: Integrate SharePoint on-premises with Azure AD

  1. Configure the SharePoint on-premises app. For more information, see Tutorial: Azure Active Directory single sign-on integration with SharePoint on-premises.
  2. Validate the configuration before moving to the next step. To validate, try to access the SharePoint on-premises from the internal network and confirm it's accessible internally.

Step 2: Publish the SharePoint on-premises application with Application Proxy

In this step, you create an application in your Azure AD tenant that uses Application Proxy. You set the external URL and specify the internal URL, both of which are used later in SharePoint.

Note

The Internal and External URLs must match the Sign on URL in the SAML Based Application configuration in Step 1.

Screenshot that shows the Sign on URL value.

  1. Create a new Azure AD Application Proxy application with custom domain. For step-by-step instructions, see Custom domains in Azure AD Application Proxy.

    • Internal URL: 'https://portal.contoso.com/'

    • External URL: 'https://portal.contoso.com/'

    • Pre-Authentication: Azure Active Directory

    • Translate URLs in Headers: No

    • Translate URLs in Application Body: No

      Screenshot that shows the options you use to create the app.

  2. Assign the same groups you assigned to the on-premises SharePoint Gallery Application.

  3. Finally, go to the Properties section and set Visible to users? to No. This option ensures that only the icon of the first application appears on the My Apps Portal (https://myapplications.microsoft.com).

    Screenshot that shows where to set the Visible to users? option.
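The Step 2 settings expressed as a small Python check, added here as an illustration (it is not part of the original article or of Microsoft's tooling): it verifies that the SAML Sign on URL, Internal URL and External URL agree, as the Note above requires, and builds the matching publishing body. The property names are assumed from the Microsoft Graph beta onPremisesPublishing resource, and the script only builds the body; sending it to Graph is left to the caller.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_url(url: str) -> str:
    """Canonicalize a URL so cosmetic differences (host case, missing trailing
    slash) neither hide nor fake a mismatch between the three URLs."""
    parts = urlsplit(url.strip())
    # Pre-authenticated Application Proxy apps are reached over https only.
    if parts.scheme != "https":
        raise ValueError(f"{url!r}: scheme must be https, got {parts.scheme!r}")
    host = parts.netloc.lower()
    path = parts.path or "/"
    if not path.endswith("/"):
        path += "/"
    # Query and fragment are kept: a difference there is still a mismatch.
    return urlunsplit(("https", host, path, parts.query, parts.fragment))


def build_publishing(saml_sign_on_url: str, internal_url: str, external_url: str) -> dict:
    """Check that the SAML app's Sign on URL (Step 1) and the App Proxy
    Internal/External URLs (Step 2) match, then return the publishing body.
    Property names are assumed from the Graph beta onPremisesPublishing resource."""
    saml, internal, external = (
        normalize_url(u) for u in (saml_sign_on_url, internal_url, external_url)
    )
    if not (saml == internal == external):
        raise ValueError(
            "URL mismatch: SAML Sign on URL, Internal URL and External URL must be "
            f"identical; got {saml!r}, {internal!r}, {external!r}"
        )
    return {
        "internalUrl": internal,
        "externalUrl": external,
        # Pre-Authentication: Azure Active Directory
        "externalAuthenticationType": "aadPreAuthentication",
        # Translate URLs in Headers: No
        "isTranslateHostHeaderEnabled": False,
        # Translate URLs in Application Body: No
        "isTranslateLinksInBodyEnabled": False,
    }


if __name__ == "__main__":
    # Constructed sample values matching the article's contoso example.
    print(build_publishing("https://portal.contoso.com/",
                           "https://portal.contoso.com",
                           "HTTPS://Portal.Contoso.com/"))
```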

Step 3: Test your application

Using a browser from a computer on an external network, navigate to the link that you configured during the publish step. Make sure you can sign in with the test account that you set up.