Windows IIS integration with Azure AD

Question

Windows IIS integration with Azure AD

Afzal Atique 21

Hi Team,

We have a website running on windows\IIS. We would like to integrate that with our Azure AD for authentication.

Is it possible to configure IIS to use Azure AD for authentication ?
If we host windows VM in Azure and join it to Azure AD DS and then enable windows authentication will it authenticate against Azure AD DS ?
any alternate way via azure ad app registration to enable IIS website to use Azure AD for authentication

Regards
Afzal Atique

Answer 1

Hello @Afzal Atique ,

The short answer is , It will depend upon your application. At the IIS web server level , this is not possible as far as I know. The Azure AD authentication can be added at the application level. If your application is a ASP.net application , you can integrate Azure AD authentication with the same . Let me answer your queries one by one.

Is it possible to configure IIS to use Azure AD for authentication ?
- No , AAD authentication can be added at the application level , There are multiple libraries for different languages available to integrate your app with Azure AD authentication. Azure AD authentication is essentially built on oAuth and native support for the same within IIS is not available.
If we host windows VM in Azure and join it to Azure AD DS and then enable windows authentication will it authenticate against Azure AD DS ?
- This is one of the most common deployment scenario for AAD domain services. Yes you can migrate the application to the Azure cloud either configuring it on a VM in Azure or migrating the complete application virtual machine to the cloud and changing some configuration as per the application. You can then join the machine to Azure AD domain Services and enable windows authentication without a problem. You must have Password hash sync enabled for all the users from Azure AD to Azure AD domain services instance and setup correct Vnet and NSG config , and the users will be able to access the web application using single signon without a problem . Alternatively you can use Azure AD application proxy and publish this application on the cloud.
Any alternate way via azure ad app registration to enable IIS website to use Azure AD for authentication?
- I don't think without modifying the application you will be able to achieve that . Depending upon the application you will have to integrate one of the MSAL library for adding Azure AD authentication within the same.

Hope this clarifies your query. I have included related links for more information . Please do read through them for more clarity . You can decide what solution you would like to use , you can either use Azure AD application proxy(If Password hash sync is not permitted in your environment ) or Azure AD domain services(if PHS is not a problem). Law firms and Banks try to avoid Password hash sync to cloud environments generally even though Azure is completely secure form all angles and have the largest number of regulatory compliance's . But cost and management wise Azure AD domain services is a better solution.

In case the information provided helps you , please do accept this as answer so that it can be useful to other members of the community.

Thank you.

Afzal Atique 21 Reputation points

2020-03-04T09:34:09.317+00:00

Dear @ShashiShailaj-MSFT
many thanks for your reply.
Can we use Azure AD Application proxy for Azure VM as well (Not on-prem) ?
ShashiShailaj-MSFT 7,466 Reputation points Microsoft Employee

2020-03-05T11:19:48.293+00:00

@Afzal Atique , Yes you can use Azure AD app proxy on Azure VM as well but since Azure AD app proxy requires a line of sight domain controller so you will need to have Azure AD domain services setup. So essentially Setup Azure AD domain services (you will get managed domain controller by this way ) and then setup a Virtual machine and join it to AAD domain services instance and then download the AAD app proxy agent on the server and configure it . I have linked the articles and would suggest you to read the same and try it in a test environment. AAD premium license needed as well. Hope this helps.
Frank Special 1 Reputation point

2021-03-30T15:54:39.633+00:00

Dear @ShashiShailaj-MSFT

Can you tell me if Azure AD app proxy will work for IIS SSO if the proxy server is deployed in the same subnet as our DCs in our Azure tenant without Azure AD domain services?

Our current setup is cloud only which includes (2) DCs, and AD Connect server and IIS servers. Our users utilize the Azure VPN to connect and authenticate. We would like to deploy SSO so they would not be required to authenticate to the IIS applications a second time.

Thanks
Dorababu Meka 96 Reputation points

2021-10-09T18:03:16.01+00:00

I have similar issue can some one look into https://learn.microsoft.com/en-us/answers/questions/572631/azure-ad-authentication-publicclientapplication-bu.html
Jai Verma 451 Reputation points

2021-10-09T18:18:35.353+00:00

Dear @Frank Special - The setup you describe should work just fine. Please see this URL, exact same setup is described.

https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy

Windows IIS integration with Azure AD

0 additional answers

Activity