Microsoft Entra Application Proxy is a feature within Microsoft Entra (formerly known as Azure Active Directory) that allows you to provide secure, remote access to on-premises applications without needing to change your network infrastructure or open any inbound firewall ports. Here’s an in-depth look at Entra Application Proxy, including its core concepts, features, functions, and a step-by-step guide on setting it up, configuring, managing, and monitoring it, with examples.
1. Overview of Microsoft Entra Application Proxy
The Entra Application Proxy service acts as a bridge between your on-premises applications and users outside your network. Users can access internal applications through a secure, remote access method, all while maintaining compliance with your organization’s security requirements.
Key Use Cases for Entra Application Proxy:
- Accessing internal web applications without a VPN.
- Enabling secure access to applications that don’t support modern authentication.
- Implementing conditional access policies for on-premises apps.
- Supporting Single Sign-On (SSO) for legacy applications.
2. Core Concepts and Features
Here are some essential components and concepts:
- Connector: The Entra Application Proxy Connector is an agent installed on a Windows Server in your internal network. It securely communicates with Entra to enable access to internal applications.
- Application Proxy: The service within Microsoft Entra that enables secure remote access by managing traffic between users and the on-premises app.
- External URL: The URL used by external users to access the application. Entra Application Proxy generates this URL.
- Internal URL: The URL for the on-premises application, which users access through the connector.
- Pre-Authentication: Before accessing an app, users need to authenticate. You can use either Azure AD authentication (recommended for added security) or pass-through authentication.
- Conditional Access Policies: Entra allows you to apply policies for additional security based on factors like user location, device compliance, and application sensitivity.
3. Step-by-Step Guide to Setting Up Entra Application Proxy
Let’s walk through each phase in setting up and configuring Entra Application Proxy:
Step 1: Verify Licensing Requirements
To use Entra Application Proxy, ensure that your organization has at least one of the following licenses:
- Microsoft Entra ID Premium P1 or P2 (previously known as Azure AD Premium P1 or P2)
- Enterprise Mobility + Security E3 or E5
Step 2: Install the Application Proxy Connector
- Download the Connector: In the Microsoft Entra Admin Center, go to Azure Active Directory > Application Proxy > Download Connector.
- Install the Connector: Install the connector on a Windows Server machine within your internal network. During installation, sign in with your Entra admin credentials, and the connector will register with your directory.
- Verify Connectivity: Ensure the connector can make outbound connections to Microsoft Entra over ports 80 and 443; no inbound connections are needed.
Step 3: Register the On-Premises Application
- Create a New Application Proxy: Go to Azure Active Directory > Enterprise applications > Application Proxy and select Configure an app.
- Add the Application Details:
- Internal URL: Enter the URL of your on-premises application (e.g., http://myapp.local).
- External URL: Automatically generated based on your settings, but you can customize it.
- Pre-Authentication: Choose “Azure AD” (recommended) for added security.
- Assign User Access: Select users or groups who will have access to this application.
Step 4: Configure Single Sign-On (SSO) and Conditional Access
- Configure SSO: Navigate to the application settings, select Single sign-on, and configure the appropriate settings based on your application’s authentication method. Entra Application Proxy supports multiple SSO methods:
- Password-based SSO
- Integrated Windows Authentication (IWA)
- Header-based SSO
- SAML-based SSO
- Set Up Conditional Access: Go to Azure Active Directory > Security > Conditional Access. Create a policy to enforce conditions, such as multi-factor authentication or location-based restrictions.
Step 5: Test and Verify Access
- Access the External URL: Open a browser on a device outside your network and access the application using the External URL. You should be prompted for Entra (Azure AD) authentication.
- Verify SSO and Policies: Ensure that users are logged in automatically (if configured) and that conditional access policies are enforced as expected.
4. Management and Monitoring
Entra Application Proxy provides multiple ways to manage and monitor your application access:
Managing Access
- Update User Access: You can add or remove users or groups from the application by going to Enterprise applications > Your Application > Users and groups.
- Modify Application Settings: Adjust the application’s internal or external URLs, SSO configuration, and authentication requirements under Application settings.
Monitoring Access and Usage
Microsoft Entra provides detailed monitoring capabilities for Application Proxy usage:
- Access Reports: Go to Azure Active Directory > Enterprise applications > Activity to open the sign-in and usage reports, where you can review login attempts, successful and failed sign-ins, and user activity.
- Application Proxy Connector Health: Check the status of your connectors under Azure Active Directory > Application Proxy > Connectors. Ensure that each connector shows “Connected” status.
- Audit Logs and Alerts: Use the Audit logs feature to track configuration changes and access attempts. Set up alerts for unusual activity or when connectors go offline.
5. Working and Usage Examples
Example 1: Accessing a Legacy Web App
Suppose your organization has an internal legacy app that uses HTTP (not HTTPS) and Integrated Windows Authentication. By using Entra Application Proxy, you can make this app accessible externally and enforce modern security policies without modifying the app itself.
- Configure Application Proxy with the app’s internal HTTP URL.
- Enable IWA SSO to allow users to sign in with their Entra credentials.
- Apply Conditional Access to restrict access to specific locations or enforce MFA.
Now, external users can access this app securely via the External URL, and your organization benefits from centralized security and monitoring.
Example 2: Enforcing Multi-Factor Authentication (MFA) for Sensitive Apps
If you have an HR application with sensitive employee data, you may want to enforce MFA to protect against unauthorized access.
- Configure Application Proxy for the HR app, setting up pre-authentication via Azure AD.
- Create a Conditional Access Policy specifically for the HR app, requiring MFA for all users, regardless of location.
This setup ensures that any user accessing the HR app from outside your network is prompted for additional authentication steps, safeguarding sensitive information.
Example 3: Monitoring Application Access
To regularly review access patterns to your applications:
- Set up Sign-in reports to view login trends and analyze any unusual behavior.
- Use Connector health reports to proactively monitor and address connectivity issues before users are affected.
- Audit logs enable you to track administrative actions, ensuring that any changes to app configurations or user permissions are logged for accountability.
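As an added example (not part of the original article), the following Python script performs the review described in section 4 and Example 3 over a few constructed sign-in and connector records: it flags successful sign-ins to a published app that were not multi-factor, sign-ins from outside an allowed set of regions, users with repeated failures, and connectors whose status is not "Connected". The record field names are modelled on Microsoft Graph sign-in log fields but are assumptions here, as are the hostnames and user names.

```python
from collections import Counter

# Constructed sample records resembling Entra sign-in log entries for a
# published app and connector status rows. Field names are modelled on the
# Microsoft Graph signIn resource but are assumptions here, not a schema.
def _rec(user, app="HR Portal", mfa=True, error=0, region="US"):
    return {"userPrincipalName": user, "appDisplayName": app,
            "authenticationRequirement": "multiFactorAuthentication" if mfa
            else "singleFactorAuthentication",
            "status": {"errorCode": error},
            "location": {"countryOrRegion": region}}

SIGNINS = [
    _rec("alice@example.com"),
    _rec("bob@example.com", mfa=False),            # MFA policy not applied
    _rec("dave@example.com", region="XX"),         # outside allowed regions
    _rec("erin@example.com", app="Other App", mfa=False),  # different app
] + [_rec("carol@example.com", error=50126) for _ in range(3)]  # 3 failures

CONNECTORS = [
    {"machineName": "proxy01.corp.local", "status": "Connected"},
    {"machineName": "proxy02.corp.local", "status": "Inactive"},
]

def review_signins(records, app, allowed_regions, max_failures=3):
    """Return (kind, user) findings for one published app: successful
    sign-ins that skipped MFA or came from an unexpected region, and users
    with max_failures or more failed attempts."""
    findings, failures = [], Counter()
    for r in records:
        if r["appDisplayName"] != app:
            continue
        user = r["userPrincipalName"]
        if r["status"]["errorCode"] != 0:
            failures[user] += 1
            continue
        if r["authenticationRequirement"] != "multiFactorAuthentication":
            findings.append(("mfa_not_enforced", user))
        if r["location"]["countryOrRegion"] not in allowed_regions:
            findings.append(("unexpected_region", user))
    findings += [("repeated_failures", u) for u, n in failures.items()
                 if n >= max_failures]
    return findings

def offline_connectors(connectors):
    """Connectors whose portal status is anything other than Connected."""
    return [c["machineName"] for c in connectors if c["status"] != "Connected"]

if __name__ == "__main__":
    for kind, user in review_signins(SIGNINS, "HR Portal", {"US"}):
        print(f"{kind}: {user}")
    print("offline connectors:", offline_connectors(CONNECTORS))
```

In practice the records would come from an export of the sign-in logs and the connector list rather than the inline samples, and each finding kind would map to an alert.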
6. Best Practices for Entra Application Proxy
- Use Azure AD Pre-Authentication: This provides the most secure method of access by validating users against Entra before they reach the app.
- Apply Conditional Access Policies Judiciously: These can prevent unauthorized access and reduce risks by enforcing additional authentication or location requirements.
- Regularly Monitor Access and Connector Health: Check sign-in logs and connector status on a regular schedule to catch any issues early.
- Secure Application URLs: Ensure that internal application URLs do not expose sensitive information and that external URLs use HTTPS.
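As an added example (not part of the original article), the following Python code turns the settings from Step 3 and the best practices above into a check that can run against an application's publishing configuration: it reports a pass-through pre-authentication, an external URL without HTTPS, an internal URL that embeds credentials or query data, and disabled cookie hardening flags, then produces a corrected copy. The field names are modelled on the Microsoft Graph onPremisesPublishing resource and are assumptions here, as are the hostnames and the PLACEHOLDER password.

```python
from urllib.parse import urlparse

# Constructed example of a weak publishing configuration. Field names are
# modelled on the Microsoft Graph onPremisesPublishing resource; treat them
# as assumptions, not a verified schema. Hostnames and the PLACEHOLDER
# password are made up.
WEAK = {
    "internalUrl": "http://svc:PLACEHOLDER@myapp.local/?debug=1",
    "externalUrl": "http://myapp-contoso.msappproxy.net/",
    "externalAuthenticationType": "passthru",
    "isSecureCookieEnabled": False,
    "isHttpOnlyCookieEnabled": False,
}

def check_publishing(cfg):
    """Return the settings that contradict the best practices above.
    Internal HTTP is not flagged: legacy apps behind the connector may use it."""
    issues = []
    ext, internal = urlparse(cfg["externalUrl"]), urlparse(cfg["internalUrl"])
    if ext.scheme != "https":
        issues.append("external URL must use HTTPS")
    if cfg.get("externalAuthenticationType") != "aadPreAuthentication":
        issues.append("pre-authentication is pass-through; use Entra pre-auth")
    if internal.username or internal.password or internal.query:
        issues.append("internal URL embeds credentials or query parameters")
    for flag in ("isSecureCookieEnabled", "isHttpOnlyCookieEnabled"):
        if not cfg.get(flag):
            issues.append(f"{flag} is disabled")
    return issues

def harden(cfg):
    """Return a copy of cfg with each flagged setting corrected."""
    fixed = dict(cfg)
    fixed["externalUrl"] = urlparse(cfg["externalUrl"])._replace(
        scheme="https").geturl()
    p = urlparse(cfg["internalUrl"])
    host = p.hostname + (f":{p.port}" if p.port else "")   # drop user:pass
    fixed["internalUrl"] = p._replace(netloc=host, query="").geturl()
    fixed["externalAuthenticationType"] = "aadPreAuthentication"
    fixed["isSecureCookieEnabled"] = True
    fixed["isHttpOnlyCookieEnabled"] = True
    return fixed

if __name__ == "__main__":
    for issue in check_publishing(WEAK):
        print("weak:", issue)
    print("hardened:", harden(WEAK))
```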
Microsoft Entra Application Proxy enables secure, flexible remote access to on-premises applications, with robust authentication, conditional access, and monitoring capabilities. By following the steps outlined above, you can configure and manage Entra Application Proxy to meet your organization’s security and accessibility needs without compromising on convenience or security.
