Introduction
With the rise of remote work and cloud-based applications, organizations need secure and efficient ways to provide access to internal applications. Azure Application Proxy is a lightweight, cloud-based solution that allows users to access on-premises applications securely from anywhere without a VPN.
This blog will cover:
✅ What is Azure App Proxy?
✅ How it works
✅ Prerequisites for deployment
✅ Step-by-step setup using Azure Portal & PowerShell
✅ Best practices for security & performance
🔹 What is Azure Application Proxy?
Azure Application Proxy is a cloud-based service in Microsoft Entra ID (formerly Azure AD) that provides secure remote access to on-premises web applications.
✔ No VPN required – Reduces complexity & costs
✔ Single Sign-On (SSO) – Seamless authentication via Entra ID
✔ Secure & Scalable – Uses reverse proxy architecture
✔ Conditional Access Support – Controls access based on risk level
💡 Common Use Cases
🔹 Access legacy web apps from any device
🔹 Provide secure extranet access for partners
🔹 Replace traditional VPNs for application access
🔹 Enable remote access to intranet apps
🔹 How Does Azure App Proxy Work?
Azure App Proxy consists of two main components:
- Application Proxy Service (Cloud-based)
- Runs in Azure
- Authenticates users via Entra ID
- Sends requests to the on-premises connector
- Application Proxy Connector (On-Premises Agent)
- Installed inside the corporate network
- Forwards authenticated requests to internal applications
- Uses outbound traffic only (no firewall holes needed)
📌 Architecture Flow
1️⃣ User accesses app-protected URL
2️⃣ Azure App Proxy authenticates the user via Entra ID
3️⃣ Request is forwarded to the on-premises App Proxy Connector
4️⃣ Connector retrieves the response & sends it back via Azure Proxy
🔹 Prerequisites
Before deploying Azure App Proxy, ensure:
✅ Microsoft Entra ID (Azure AD) P1 or P2 license
✅ An on-premises Windows Server (2016+) to install the connector
✅ Outbound internet access on the connector server
✅ Domain-joined or cloud-hybrid environment (if using SSO)
✅ App must use HTTP/HTTPS (No TCP/UDP apps)
🛠️ Deploying Azure App Proxy
🔹 Step 1: Install Application Proxy Connector
📌 Run the following PowerShell commands on your Windows Server:
```powershell
# Download the connector installer and run it silently
Invoke-WebRequest -Uri https://aka.ms/aadappproxy -OutFile "AADAppProxyInstaller.exe"
Start-Process "AADAppProxyInstaller.exe" -ArgumentList "/quiet" -Wait
```
👉 Sign in with Global Admin credentials to register the connector.
Verify that the connector is running:
```powershell
# Lists the connector services; Status should be Running
Get-Service | Where-Object { $_.DisplayName -match "Application Proxy Connector" }
```
🔹 Step 2: Register the Application in Azure
1️⃣ Sign into the Azure Portal
2️⃣ Go to Microsoft Entra ID → Enterprise Applications
3️⃣ Click New Application → On-premises Application
4️⃣ Set External URL (e.g., https://app.jetmariano.us)
5️⃣ Set Internal URL (e.g., http://internal-app-server.local)
6️⃣ Choose Pre-authentication method:
✔ Azure AD (Recommended) – Uses SSO & Conditional Access
✔ Passthrough – No pre-authentication by Entra ID; the internal app handles sign-in itself (use only if required)
🔹 Step 3: Configure Single Sign-On (SSO) (Optional)
If using SSO with Kerberos, configure:
```powershell
Set-WebApplicationProxyApplication -Name "InternalApp" `
    -BackendApplicationUrl "http://internal-app.local" `
    -ExternalApplicationUrl "https://app.jetmariano.us" `
    -ConnectorGroupID "ConnectorGroup1" `
    -SSOType "KerberosConstrainedDelegation"
```
✅ This allows seamless authentication without repeated login prompts.
🔹 Step 4: Test & Secure the Application
🔹 Access your external URL and verify that it works.
🔹 Enable Conditional Access for added security.
🔹 Restrict access based on device compliance, location, MFA, etc.
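As an added check for the "verify that it works" step above (example script, not part of the original post): an unauthenticated request to the external URL should come back as a redirect to login.microsoftonline.com when Entra ID pre-authentication is enforced. A 200 means the internal app is being served without sign-in, i.e. Passthrough. The external URL is the one used in the walkthrough; the function name is our own.

```powershell
# Added example: confirm an App Proxy app enforces Entra ID pre-authentication.
# Sends one unauthenticated GET with redirects disabled and inspects the first hop.
function Test-AppProxyPreAuth {
    param(
        [Parameter(Mandatory)] [string] $ExternalUrl
    )

    $request = [System.Net.HttpWebRequest]::Create($ExternalUrl)
    $request.Method            = 'GET'
    $request.AllowAutoRedirect = $false   # we want to see the 302, not follow it
    $request.Timeout           = 15000

    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx responses are raised as exceptions; the response is still attached
        $response = $_.Exception.Response
        if (-not $response) { throw }
    }

    $status   = [int] $response.StatusCode
    $location = $response.Headers['Location']
    $response.Close()

    # Entra pre-auth: redirect to the Microsoft sign-in endpoint
    $preAuth = ($status -in @(301, 302, 303, 307)) -and
               ($location -match '^https://login\.microsoftonline\.com/')

    $verdict = if ($preAuth) {
        'Entra ID pre-authentication enforced'
    } elseif ($status -eq 200) {
        'WARNING: app served without sign-in (Passthrough pre-authentication?)'
    } else {
        'Unexpected response, inspect manually'
    }

    [pscustomobject]@{
        ExternalUrl      = $ExternalUrl
        StatusCode       = $status
        RedirectLocation = $location
        RedirectsToEntra = $preAuth
        Verdict          = $verdict
    }
}

# Usage: external URL from Step 2 above
Test-AppProxyPreAuth -ExternalUrl 'https://app.jetmariano.us' | Format-List
```

Run it from a machine outside the corporate network so the request actually traverses the proxy rather than reaching the internal app directly.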
🔒 Best Practices for Azure App Proxy
✔ Use Azure AD Pre-authentication – Avoid exposing internal apps
✔ Enable Conditional Access – Enforce MFA & compliance policies
✔ Monitor access logs – Track login attempts & potential threats
✔ Use HTTPS for internal apps – Encrypt traffic end-to-end
✔ Scale with multiple connectors – Ensure redundancy & load balancing
✅ Conclusion
Azure Application Proxy modernizes remote access by eliminating VPN dependencies and enhancing security with Azure AD SSO & Conditional Access.
🚀 Next Steps:
🔹 Explore Hybrid Azure AD Join for better identity management
🔹 Implement Privileged Access Management (PAM) for sensitive apps
🔹 Set up Azure AD Identity Protection to detect risk-based sign-ins
🔹 Have you implemented Azure App Proxy? Share your experience below! 💬