Create an application proxy in Azure for Work Folders



We have implemented Work Folders in a previous article, test its integration internally, everything works perfectly, that's good, but now I would like it to also work from the outside, including on my Android smartphone and let's go crazy also on the iPad at home (a article will come soon for these 2 devices).


  • A basic or premium Microsoft Azure AD subscription and an Azure AD directory for which you are a global administrator.
  • An Active Directory forest with Windows Server 2012 R2 schema extensions minimum.
  • Your on-premises Active Directory user accounts are synchronized with Azure AD using Azure AD Connect.
  • A Work Folders server running Windows Server 2012 R2 or higher.
  • A server running Windows Server 2012 R2 or later on which you can install the Application Proxy connector.
  • A Windows 10 client 1703 version, Android or iOS.

Creating the Application Proxy in Azure AD

1. Sign in to Azure with a global administrator account.
2. Go in Azure Active Directory > Enterprise applications.

3. Click on New application.

4. Click on All > Local application > Download the Application Proxy connector and Accept the terms of use and download.

5. Install the connector Microsoft Azure Active Directory Proxy Application.

6. Log in with your Azure account when requested.

5. Click on I finished the installation.

7. Add your local app:

  • Name: Name of your application (for identification).
  • Internal URL: The internal URL of your Work Folder server (for example: workfolders.domain.lan).
  • External URL: The URL is automatically populated by the name of your application.
  • Pre Authentication: Azure Active Directory.
  • Main application expiration: By default.
  • Translate URLs in Headers: Yes.

PS: If you don't have the buttons Add et Ignoreis that you have not installed the connector 😉

8. Click on the name of theProxy application created> Click on Users and groups > Add User and add groups or users who will be able to log in to Work Folders.

How the Proxy Application Connector works

  1. Login in the portal Azure > Azure Active Directory -> Application proxy.
  2. If all goes well, we should have the name of the server where the connector is installed, are external IP, as well as its status.

Create the native app in Azure AD

  1. Login in the portal Azure > Azure Active Directory -> Application Registration.

2. Create a new application:
Name: Application name, for example: Native Work Folders
Type of application: Native
URedirect RI: https://168f3ee4-63fc-4723-a61a-6473f6cb515c/redir

3. Then click on Parameters.

4. Click on Redirection URI and enter the following URIs:

  • x-msauth-msworkfolders: //
  • msauth://
  • ms-appx-web: //microsoft.aad.brokerplugin/*
    Replace * with the ID of the application that is listed for the Work Folders Nati applicationf

5. Click on Authorizations required, then click on Windows Azure Active Directory.

6. Activate permissions following and click on Save:

  • Sign in and read user profile
  • Access the directory as the signed-in user

7. Under Required permissions, click on Add > Select an API > Windows Azure Service Management API.

8. Allow access to Azure Service Management as organization and click on Select, then click Completed.

9. Always under Required permissions, click on Add > Select an API > Search for Work Folder or the name of the Proxy application created previously.

10. Activate the authorization to Work Folder.

11. If everything is well configured we should have this:

Create an SPN for the server that contains Work Folders

  1. On a cdomain controller, open a order guest as administrator.
  2. Enter the following command by confirming with Starter:
    setspn -S http / workfolders.domain.lan servername

    workfolders.domain.lan = to the internal URL of the application proxy for Work Folders.

Configure Restricted Delegation for the Application Proxy Connector Server

  1. On a domain controller, open Active Directory Users and Computers.
  2. Locate the computer on which the connector is running.
  3. Double-click the computer, then click the Delegation tab.
  4. Select Trust this computer for delegation to specified services only, and then select Use any authentication protocol.
  5. Click Add, click Users or Computers, enter the name of the Work Folders server, and click OK.
  6. In the Add Services window, select the created SPN and click OK.
  7. Verify that the SPN has been added and click OK.


Steven Bart

Founder of - Vevey, Switzerland. I have been in IT since 2001, I work as a Workplace Architect and mainly deal with the administration of MEMCM (SCCM), the mass deployment of workstations and applications. Learn more about me.

    2 thoughts on “Create an application proxy in Azure for Work Folders"

      • Hello,
        This blog is primarily written in English, but the fact that some screenshots are in English, does not pose a problem


    Leave a comment

    Your email address will not be published. Required fields are marked with *