What is Application Proxy
Microsoft Entra Application Proxy enables secure remote access to on-premises web applications. It consists of:
The Application Proxy service in the cloud.
The Application Proxy connector on an on-premises server.
Together, they securely pass authentication tokens from Microsoft Entra ID to the on-premises application.
When to use Application Proxy
Application Proxy is designed for remote users accessing internal applications. It replaces the need for VPNs or reverse proxies in many scenarios. It supports:
Integrated Windows Authentication.
Form-based and header-based authentication.
Web APIs.
Apps behind Remote Desktop Gateway.
Rich client apps using MSAL.
Application Proxy is not recommended for internal users on the corporate network, as unnecessary use can cause performance issues.
How Application Proxy works
The user accesses the application URL.
The user is redirected to Microsoft Entra ID for authentication.
After successful sign-in, Microsoft Entra ID issues a token.
The client sends the token to the Application Proxy service.
The service extracts the UPN and SPN and forwards the request to the connector.
The connector performs any additional authentication required on behalf of the user.
The connector sends the request to the on-premises application.
The response flows back through the connector and service to the user.