In this section, we will illustrate how you can provide on-premise application access for guest users. We have already published the Kerberos Demo Web App through the Azure AD Application Proxy, and you have seen the application in the Azure AD Access Panel UI as a guest user. 

With the integration of the web application proxy and the Azure AD Application Proxy, you will receive the following features and capabilities:

1. End user portal: The Azure Access panel at https://myapps.microsoft.com.
2. The Azure AD authentication capabilities are as follows:
   • Usernames and passwords synced from on-premise AD DS
   • Federated login to on-premise or other federation servers
   • MFA
   • Customized login screen
   • Authorization based on the user or groups
   • SSO to Office 365, thousands of SaaS applications, and all applications integrated with Azure AD.
3. Reports, auditing, and security monitoring are based on big data and machine learning.
4. All HTTPS traffic is terminated in the cloud, blocking most HTTP-level attacks.
5. Unauthenticated traffic is filtered in the cloud, and will not arrive on-premise.
6. There are no incoming connections to the corporate network—only outgoing connections to the Azure AD application proxy service.
7. Internet-facing services are always up to date with the latest security patches and server upgrades.
8. There is login abnormality detection, reporting, and auditing by Azure AD.
9. Providing SSO experience from Azure AD to on-premise applications.
10. Connectors use the Azure AD token data to impersonate the end user to the backend applications using Kerberos Constrained Delegation (KCD).
11. There is support for any application that uses Integrated Windows Authentication (IWA), such as SharePoint, Outlook Web Access, and Microsoft Dynamics CRM.

12. There is no need to change the backend applications.
13. There is no need to install agents on backend applications.
14. There is no need to expose on-premise applications directly to the internet.

The following diagram shows the architecture:

In the case of guest user access, the Azure AD application proxy just checks that the userPrincipalName exists in the on-premise Active Directory.

To configure the access for guest users, we will use the following procedure:

1. Log in to your Domain Controller YD1ADS01 as a domain administrator.
2. Open a PowerShell and connect to your Azure AD, as follows:

Connect-AzureAD

3. Get all guest users, as follows:

Get-AzureADUser -Filter "UserType eq 'Guest'"

4. The following screenshot shows the output:

5. Now, we need to add the UPN-suffix @yourdomain1.onmicrosoft.onmicrosoft.com to the UPN suffixes of your Active Directory environment.
6. Use the domain.msc console for it; right-click on Active Directory Domains and Trusts and choose Properties.
7. Add your suffix, as follows:

8. Next, we need to create our guest user in our local Active Directory.
9. Open the console dsa.msc Active Directory Users and Computers.
10. Create an Organizational Unit called Managed External Business Objects, as follows:

11. Create the user, as follows:
    • jenny.green_leano.ch#EXT#
    • @181031inovitdemos.onmicrosoft.com
    • BG00001:

12. You don't need to remember the password, because it's not needed.
13. The Azure AD will authenticate the user.
14. Now, assign the user to the Kerberos Demo Web App Access group in the Azure AD, as follows:

15. Now, you can test the solution with Jenny Green at https://myapps.microsoft.com.
16. Change the organization to INOVITDEMOS.
17. Click on the Kerberos app.
18. You should see a successful login, as follows:

To automate and extend this solution, you can use Microsoft Identity Manager 2016 or the provided PowerShell solution. You can get information about this approach on Azure AD B2B collaboration with Microsoft Identity Manager (MIM) 2016 SP1, with Azure application proxy, at the following sources:

• https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-graph-b2b-scenario#b2b-end-to-end-deployment-example-scenarios
• https://www.microsoft.com/en-us/download/details.aspx?id=51495

In this section, we handled various use cases to provide an identity life cycle for guest users. In the next part, we will give some tips on how you can get more comfortable in your environment.