Publishing WorkZone Web services in Azure Application Proxy

These steps should be performed by someone with Microsoft Entra ID (previously Azure Active Directory) admin rights and knowledge.

Prerequisite:

  • Microsoft Entra Private Network is set up with connectors to the internal WorkZone installation.
  • The necessary rights are set up.
  • The internal on-premises domain is synced with the Entra ID.
  • Public SSL certificate for the external WorkZone URL.
  • Internal WorkZone is configured with a working Service Principal Name (SPN) for Single Sign-on (SSO). See Microsoft articles: Plan a single sign-on deployment (specifically, the section about Integrated Windows Authentication (IWA)) and Kerberos-based single sign-on (SSO) in Microsoft Entra ID with application proxy.
  1. Log in to the Azure portal.
  2. Under Manage Microsoft Entra ID, click View.

Create new app registration for WorkZone app proxy

  1. Under Manage, click Application proxy > Configure an app.
  2. In the Basic tab, specify the following settings:
    • Name: Enter a name for your WorkZone Mobile app.
    • Internal Url: Enter the internal URL to access WorkZone from inside your network. The URL must match the external URL.
    • External Url: Enter the external URL to access WorkZone from outside your network. The URL must match the internal URL.

      Prerequisite:

      Create the CNAME record in the DNS for the WorkZone URL to point at the App Proxy. Use the following syntax: "CNAME [workzoneurl]->[workzonehostname]-[tenantdomain].msappproxy.net". For example: CNAME test.workzone-rd.dk -> test-wzmintuneworkzonerd.msappproxy.net.

    • Pre Authentication: Microsoft Entra ID.
    • Connector Group: Select your proxy connector group.
      Important: It is highly recommended to add at least 2 connectors.
  3. Switch to the Advanced tab, and specify the following settings:
    • Backend Application Timeout: Default
    • Use Http-Only Cookie: No
    • Use Persistent Cookie: No
    • Translate Urls in headers: No
    • Translate Urls in application body: No
    • Validate Backend SSL certificate: Yes
  4. Click Create.
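Before clicking Create, it is worth confirming that the settings above will actually work: the internal and external URLs must match, the public CNAME must point at the msappproxy.net name, and with Validate Backend SSL certificate set to Yes the connector will refuse a backend whose certificate does not chain to a trusted root or does not match the URL. The following script is an added example, not part of the WorkZone documentation or product; run it on a connector host. The URLs and the CNAME target are placeholders taken from the example above, and the public resolver address is an assumption you can change.

```powershell
# Added example (not part of the WorkZone documentation): pre-flight checks to run
# from a connector host before clicking Create in the app proxy configuration.
$ExternalUrl    = 'https://test.workzone-rd.dk/'               # placeholder External Url
$InternalUrl    = 'https://test.workzone-rd.dk/'               # placeholder Internal Url
$ExpectedCname  = 'test-wzmintuneworkzonerd.msappproxy.net'    # placeholder: [hostname]-[tenantdomain].msappproxy.net
$PublicResolver = '1.1.1.1'                                     # assumption: any public DNS resolver

$ext = [Uri]$ExternalUrl
$int = [Uri]$InternalUrl

# 1. The documentation requires the internal and external URLs to match.
if ($ext.Host -ne $int.Host) {
    throw "Internal host $($int.Host) does not match external host $($ext.Host)"
}

# 2. The public CNAME must point at the msappproxy.net name. Query a public resolver:
#    on the connector, internal split DNS resolves the same name to the on-premises server.
$cname = Resolve-DnsName -Name $ext.Host -Type CNAME -Server $PublicResolver -ErrorAction Stop |
         Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
if (-not $cname) { throw "No public CNAME record found for $($ext.Host)" }
if ($cname.NameHost -ne $ExpectedCname) {
    throw "CNAME for $($ext.Host) points at $($cname.NameHost), expected $ExpectedCname"
}
Write-Host "CNAME OK: $($ext.Host) -> $($cname.NameHost)"

# 3. With 'Validate Backend SSL certificate: Yes' the connector rejects a backend whose
#    certificate it cannot chain to a trusted root or whose name does not match the URL.
#    Open a TLS session to the backend as the connector would and let .NET validate it.
$tcp = [System.Net.Sockets.TcpClient]::new($int.Host, $int.Port)
$ssl = $null
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($int.Host)   # throws AuthenticationException on chain or name failure
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    Write-Host "Backend certificate OK: $($cert.Subject), valid until $($cert.NotAfter)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

If step 3 throws, fix the backend certificate (or the trust store on every connector) rather than switching Validate Backend SSL certificate to No, since that setting is what stops a connector from forwarding credentials to an impersonated backend.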

Add SSL certificate

After you have created a WorkZone App Proxy registration, you can add an SSL certificate.

Important: It must be a valid public certificate. A private certificate is not supported and will result in general authentication errors in the WorkZone Mobile app.
  1. In the Entra ID admin center, go to Manage > Enterprise applications.
  2. Select and click your WorkZone Mobile app from the list.
  3. Under Manage, click Application proxy.
  4. On the Properties page, next to SSL certificate, click Add SSL Certificate and upload the SSL certificate used by WorkZone Mobile app.
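Because a private certificate only shows up later as a generic authentication error in the mobile app, it is cheaper to inspect the PFX before uploading it. The script below is an added example, not part of the WorkZone documentation or product; the file path and the external host name are placeholders. It checks that the private key is present, that the certificate is not self-signed or about to expire, that a Subject Alternative Name covers the external host, and that the chain builds to a trusted root. Run it on a Windows machine, since the SAN text format it parses is the Windows one.

```powershell
# Added example (not part of the WorkZone documentation): inspect the certificate
# before uploading it as the App Proxy SSL certificate.
$PfxPath      = 'C:\certs\workzone-external.pfx'   # placeholder: exported certificate with private key
$ExternalHost = 'test.workzone-rd.dk'               # placeholder: host part of the External Url

$cert = Get-PfxCertificate -FilePath $PfxPath       # prompts for the PFX password
$problems = @()

if (-not $cert.HasPrivateKey) { $problems += 'the PFX does not contain the private key' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "the certificate expires on $($cert.NotAfter)" }
if ($cert.Subject -eq $cert.Issuer) { $problems += 'the certificate is self-signed' }

# The Subject Alternative Name extension (OID 2.5.29.17) must cover the external host.
# On Windows, Format($false) yields e.g. "DNS Name=test.workzone-rd.dk, DNS Name=*.workzone-rd.dk".
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($san) {
    $dnsNames = @($san.Format($false) -split ',\s*' |
                  Where-Object { $_ -like 'DNS Name=*' } |
                  ForEach-Object { ($_ -split '=', 2)[1].Trim() })
}
# '-like' treats '*' as a wildcard, so a '*.workzone-rd.dk' entry matches 'test.workzone-rd.dk'.
if (-not ($dnsNames | Where-Object { $ExternalHost -like $_ })) {
    $problems += "no SAN entry covers $ExternalHost (SAN: $($dnsNames -join ', '))"
}

# The chain must build to a root the client trusts. Build it with online revocation
# checking, as a connector or a mobile device would.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "the chain does not build to a trusted root ($status)"
} else {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Chain builds to root: $($root.Subject)"
}

if ($problems) {
    Write-Warning ('Do not upload this certificate: ' + ($problems -join '; '))
} else {
    Write-Host "Certificate looks suitable for $ExternalHost"
}
```

The chain check only proves that this machine trusts the root. A domain-joined machine usually trusts the internal enterprise CA, so a certificate from a private CA would pass here and still fail on the mobile devices; run the check on a machine without the enterprise root installed, or look at the root subject the script prints and make sure it is a public CA.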

Enable users to sign in

  1. From the Home page of the Entra ID admin center, click Manage > Enterprise applications > All applications.
  2. Select your WorkZone Mobile app.
  3. On the Properties page, specify the following settings:
    • Enabled for users to sign-in?: Yes
    • Assignment required?: Yes.
  4. Click Save.
  5. Under Manage, click Users and groups.
  6. Click Add user/group to assign users or groups of users that will have access to WorkZone Mobile.
  7. Select relevant users or user groups, and click Select.
  8. Click Assign.
  9. Under Manage, click Single sign-on.
  10. Select Windows Integrated Authentication for applications that use IWA or for claims-aware applications. For more information, see the Microsoft article Kerberos-based single sign-on (SSO) in Microsoft Entra ID with application proxy.
  11. Specify the following settings:
    • Internal Application SPN: Enter the SPN registered for the internal WorkZone installation, in the format "HTTP/[workzone_hostname]".
    • Delegated Login Identity: On-premises SAM account name.
  12. Click Save.
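The SPN entered in step 11 only works if it is registered exactly once in the domain and if each connector's computer account is allowed to delegate to it (Kerberos constrained delegation with protocol transition, as described in the Microsoft article referenced in step 10). The following script is an added example, not part of the WorkZone documentation or product; it verifies both conditions from a domain-joined administrative workstation with the ActiveDirectory RSAT module. The SPN and connector host names are placeholders.

```powershell
# Added example (not part of the WorkZone documentation): verify the Kerberos
# prerequisites behind 'Windows Integrated Authentication' for the app proxy.
Import-Module ActiveDirectory

$Spn            = 'HTTP/workzone.corp.example'      # placeholder: the Internal Application SPN from step 11
$ConnectorHosts = @('CONNECTOR01', 'CONNECTOR02')   # placeholder: connector machine names

# 1. The SPN must be registered on exactly one account. A missing SPN means the KDC
#    issues no service ticket; a duplicate SPN makes the KDC refuse to issue one.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
switch ($owners.Count) {
    0       { Write-Warning "SPN $Spn is not registered in the domain" }
    1       { Write-Host "SPN $Spn is registered on $($owners[0].DistinguishedName)" }
    default { Write-Warning "SPN $Spn is registered on $($owners.Count) accounts (duplicate SPN)" }
}

# 2. Each connector's computer account must be allowed to delegate to that SPN with
#    'Use any authentication protocol', otherwise the connector cannot obtain a
#    ticket on behalf of a user who authenticated at Entra ID.
foreach ($name in $ConnectorHosts) {
    $computer = Get-ADComputer -Identity $name -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
    $targets  = @($computer.'msDS-AllowedToDelegateTo')
    $hasSpn   = $targets | Where-Object { $_ -ieq $Spn }
    if (-not $hasSpn) {
        Write-Warning "${name}: not allowed to delegate to $Spn (msDS-AllowedToDelegateTo: $($targets -join ', '))"
    } elseif (-not $computer.TrustedToAuthForDelegation) {
        Write-Warning "${name}: delegates to $Spn but is not set to 'Use any authentication protocol'"
    } else {
        Write-Host "${name}: constrained delegation to $Spn is configured"
    }
}
```

Every connector in the selected connector group must pass the second check; a single connector without delegation rights produces intermittent sign-in failures, because Entra ID distributes requests across the group.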