This guide walks you through the complete installation and initial setup of Azure DevOps Server 2020 with Azure Application Proxy integration.
- Active Azure subscription
- Azure Active Directory tenant
- Global Administrator permissions in Azure AD
- Azure Application Proxy license (included with Azure AD Premium P1/P2)
- Azure DevOps Server 2020 installed and configured
- Windows Server 2016 or later for Application Proxy Connector
- Internet connectivity from connector server
- SSL certificate for external domain
- Domain Administrator privileges
- Sign in to the Azure portal as a Global Administrator
- Navigate to Azure Active Directory > Application proxy
- Download the Application Proxy Connector Service
- Run the installer on your on-premises server (preferably not on the Azure DevOps Server itself)
- During installation, sign in with your Azure AD Global Administrator account
- The connector will automatically register with your Azure AD tenant
- Verify the connector appears as "Active" in the Azure portal
- In Azure portal, go to Azure Active Directory > Enterprise applications
- Click New application > On-premises application
- Configure the following settings:
- Name: Azure DevOps Server 2020
- Internal URL: https://your-devops-server.local:8080/tfs/
- External URL: https://devops-external.yourdomain.com/
- Pre Authentication: Azure Active Directory
- Connector Group: Default (or create specific group)
- Upload your SSL certificate in the Azure portal
- Ensure the certificate matches your external domain
- Configure certificate binding in IIS on Azure DevOps Server
- Open Azure DevOps Server Administration Console
- Navigate to Application Tier > Change URLs
- Update the Notification URL to match your external URL
- Update any webhook URLs to use the external domain
- In Azure DevOps Server Admin Console, go to Access Levels
- Ensure Azure AD users have appropriate access levels
- Configure group membership synchronization if needed
Service Principal Names are required for Kerberos authentication with Azure Application Proxy.
- Using PowerShell Script (Recommended)

  ```powershell
  # Configure SPNs for computer account
  ./scripts/powershell/configure-spn.ps1 `
      -ServiceAccount "DOMAIN\COMPUTERNAME$" `
      -ExternalDomain "devops.company.com" `
      -InternalDomain "tfsserver.company.local" `
      -Ports @(80, 443) `
      -ConfigureDelegation `
      -TestSPN

  # Configure SPNs for dedicated service account
  ./scripts/powershell/configure-spn.ps1 `
      -ServiceAccount "DOMAIN\svc-tfs-web" `
      -ExternalDomain "devops.company.com" `
      -InternalDomain "tfsserver.company.local" `
      -Ports @(8080, 443) `
      -TfsServiceAccount "DOMAIN\svc-tfs-app" `
      -ConfigureDelegation `
      -TestSPN
  ```
- Using Batch Script (Alternative)

  ```
  # Run interactive configuration
  scripts\configure-spn.bat

  # Or with parameters
  scripts\configure-spn.bat "DOMAIN\ServiceAccount" "external.domain.com" "internal.domain.local" "80 443" "n" "y"
  ```
If you prefer manual configuration:
- Check existing SPNs

  ```
  setspn -L DOMAIN\ServiceAccount
  ```

- Add required SPNs

  ```
  # For external domain (Application Proxy URL)
  setspn -A HTTP/devops.company.com DOMAIN\ServiceAccount
  setspn -A HTTP/devops.company.com:443 DOMAIN\ServiceAccount

  # For internal domain (TFS server)
  setspn -A HTTP/tfsserver.company.local DOMAIN\ServiceAccount
  setspn -A HTTP/tfsserver.company.local:8080 DOMAIN\ServiceAccount
  ```

- Verify SPN registration

  ```
  setspn -Q HTTP/devops.company.com
  ```
- Computer Account: Use `DOMAIN\COMPUTERNAME$` for simplicity
- Dedicated Service Account: Use `DOMAIN\svc-account-name` for better security
- Network Service: Not recommended for production environments
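
To confirm the SPN work above in one pass, the following added example (not part of this guide's scripts) checks that each SPN is registered exactly once, on the intended account, and reports what the connector may delegate to. It assumes the RSAT ActiveDirectory module and that Kerberos constrained delegation is set on the connector's computer account; `svc-tfs-web` and `APPPROXY01` are placeholder names.

```powershell
# Added example (not part of the guide's scripts). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumptions: the guide's sample host names; account and connector names are placeholders.
$ServiceAccount = 'svc-tfs-web'   # sAMAccountName expected to own every SPN below
$ConnectorName  = 'APPPROXY01'    # hypothetical Application Proxy connector server
$RequiredSpns   = @(
    'HTTP/devops.company.com'
    'HTTP/devops.company.com:443'
    'HTTP/tfsserver.company.local'
    'HTTP/tfsserver.company.local:8080'
)

function Get-SpnStatus {
    param([Parameter(Mandatory)][string]$Spn, [Parameter(Mandatory)][string]$ExpectedOwner)
    # Any account type can hold an SPN, so search all objects in the current domain.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
    $status = if ($owners.Count -eq 0) {
        'Missing'
    } elseif ($owners.Count -gt 1) {
        'Duplicate'          # Kerberos ticket requests fail when an SPN is not unique
    } elseif ($owners[0].sAMAccountName -ne $ExpectedOwner) {
        'WrongAccount'
    } else {
        'OK'
    }
    [pscustomobject]@{ Spn = $Spn; Status = $status; Owners = ($owners.sAMAccountName -join ', ') }
}

$spnReport = $RequiredSpns | ForEach-Object { Get-SpnStatus -Spn $_ -ExpectedOwner $ServiceAccount }
$spnReport | Format-Table -AutoSize | Out-Host

# Delegation check: which of the required SPNs the connector's computer account may delegate to.
$connector = Get-ADComputer -Identity $ConnectorName -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
$allowed   = @($connector.'msDS-AllowedToDelegateTo')
[pscustomobject]@{
    Connector          = $connector.Name
    ProtocolTransition = [bool]$connector.TrustedToAuthForDelegation
    DelegatedSpns      = ($RequiredSpns | Where-Object { $allowed -contains $_ }) -join ', '
    OtherDelegations   = ($allowed | Where-Object { $RequiredSpns -notcontains $_ }) -join ', '
} | Format-List | Out-Host
```

Any status other than `OK` should be resolved before testing single sign-on, and entries under `OtherDelegations` are worth reviewing so the connector is not trusted to delegate to more services than it needs.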
- Create a CNAME record pointing your external domain to the Azure Application Proxy service
- Ensure internal DNS resolves the Azure DevOps Server correctly
- Test DNS resolution from both internal and external networks
- Outbound from Connector Server:
  - HTTPS (443) to Azure endpoints
  - HTTP (80) for certificate validation
- Inbound to Azure DevOps Server:
  - HTTPS (443/8080) from connector server
  - Standard Azure DevOps ports
- Verify Azure DevOps Server is accessible internally
- Test user authentication with domain accounts
- Verify all features work correctly
- Access Azure DevOps using the external URL
- Test Azure AD authentication
- Verify Git operations work externally
- Test Visual Studio connectivity
- In Azure portal, go to your Application Proxy application
- Navigate to Users and groups
- Assign appropriate users or groups
- Configure user access policies
- Set up SAML-based SSO if required
- Test SSO functionality
- Configure any custom claims needed
- Connector not appearing as Active: Check internet connectivity and firewall rules
- Authentication failures: Verify Azure AD configuration and user assignments
- SSL certificate errors: Ensure certificate is properly installed and matches domain
- Internal URL not accessible: Check Azure DevOps Server configuration and networking
- Verify connector status in Azure portal
- Test internal URL accessibility from connector server
- Validate SSL certificate chain
- Check Azure AD user assignments
- Test external URL accessibility
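
The network and certificate items in the checklist above can be run from the connector server with the following added example (not part of this guide's scripts). Host names and the port are the guide's sample values; `Test-TlsEndpoint` is a helper defined here, not an existing cmdlet.

```powershell
# Added example (not part of the guide's scripts); run it on the connector server.
# Assumptions: host names and port are the guide's sample values.
$InternalHost = 'tfsserver.company.local'
$InternalPort = 8080
$ExternalHost = 'devops.company.com'

function Test-TlsEndpoint {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $r = [ordered]@{ Endpoint = "${HostName}:$Port"; Reachable = $false; CertTrusted = $false
                     Subject = $null; NotAfter = $null; Detail = $null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $r.Reachable = $true
        # No validation callback is supplied, so the OS default policy applies:
        # the chain must build to a trusted root and the name must match $HostName.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.CertTrusted = $true
        $r.Subject     = $cert.Subject
        $r.NotAfter    = $cert.NotAfter
    } catch {
        # Connection refused, name mismatch, untrusted chain and expiry all land here.
        $r.Detail = $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$r
}

# CNAME the guide asks for: external name pointing at the Application Proxy service.
$cname = Resolve-DnsName -Name $ExternalHost -Type CNAME -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
[pscustomobject]@{ ExternalHost = $ExternalHost; CnameTarget = $cname.NameHost } |
    Format-List | Out-Host

@(
    Test-TlsEndpoint -HostName $InternalHost -Port $InternalPort
    Test-TlsEndpoint -HostName $ExternalHost -Port 443
) | Format-Table -AutoSize -Wrap | Out-Host
```

A row with `Reachable` true but `CertTrusted` false points at the certificate (name, chain or expiry) rather than at firewall rules; the `Detail` column carries the underlying error text.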
After successful installation:
- Follow the Configuration Guide for advanced settings
- Review Security Considerations
- Set up monitoring and logging
- Train users on external access procedures
- Azure Application Proxy documentation
- Azure DevOps Server documentation
- Azure AD troubleshooting guides
- Microsoft Support if issues persist