
Microsoft Entra ID Application Proxy Setup and Best Practices

Reco Security Experts
Updated
July 27, 2025

Microsoft Entra ID Application Proxy securely extends access for people to internal web applications without exposing the rest of your network to the Internet. It acts as a reverse proxy service and is especially useful for organizations with both on-premises and cloud-based systems or for organizations still on their cloud journey. The proxy service can extend access to web applications, as well as some client-server applications, supporting Microsoft’s identity and access capabilities. This article walks through how to set up Microsoft Entra ID Application Proxy, optimize its configuration, and apply real-world best practices for secure and reliable operation.

How Microsoft Entra ID Application Proxy Works

Microsoft Entra ID Application Proxy has two main components:

  • Connector: Installed on-premises, it initiates outbound TLS connections to Azure and polls for incoming traffic. It does not require any inbound ports to be opened on your firewall.

  • Cloud Service: Hosted in Azure, this accepts external requests and forwards them to the appropriate connector, which then accesses the internal application. The cloud front end also leverages Azure’s built-in DDoS protection and analytics.

User authentication is performed by Microsoft Entra ID before any internal application access is granted. If authentication succeeds, the request is routed through the connector to the internal application. This setup lets you apply Microsoft Entra ID capabilities such as Conditional Access, single sign-on, and multi-factor authentication to the published app.

Security Benefits of Microsoft Entra ID Application Proxy

Microsoft Entra ID Application Proxy strengthens your security posture by enforcing strict access controls and minimizing the attack surface. Key benefits include:

  • User Authentication Before Proxy Access: Every request is authenticated by Microsoft Entra ID before it even reaches your internal network, reducing exposure to anonymous or unauthorized traffic.

  • Outbound-Only Network Traffic: The connector initiates all communication to Azure, which means no inbound firewall ports need to be opened, lowering the risk of external attacks.

  • Built-in Azure DDoS Protection and Analytics: The proxy service benefits from Microsoft’s DDoS mitigation infrastructure, ensuring resilience under attack, along with access to analytics for usage and security insights.

Setting Up Microsoft Entra ID Application Proxy

Setting up the proxy involves four main steps: enabling the service, installing the connector, publishing the application, and configuring DNS and certificates. Below, we walk through each step.

Step 1: Enable the Application Proxy Service

  1. Go to the Microsoft Entra admin center.
  2. Navigate to Applications > Application Proxy.
  3. Click Enable Application Proxy.

This enables the cloud service component in your tenant.

Step 2: Install the Application Proxy Connector

  1. Install the connector on a Windows Server 2016+ machine that has access to the internal app. Ensure the machine has internet access and meets the required prerequisites.
  2. When prompted, sign in with a Global Administrator or Application Administrator account; either role can register the connector with Microsoft Entra ID.
  3. You can (and should) install multiple connectors to handle load and provide high availability. Microsoft Entra Application Proxy automatically load-balances traffic across the available connectors.

Step 3: Publish Your Application

  1. Navigate to Enterprise Applications > New Application.
  2. Choose an on-premises application.
  3. Set the internal URL (e.g., http://hr-app.internal) and an external URL (e.g., https://hr-app-contoso.msappproxy.net).
  4. Choose an authentication method:
    • Microsoft Entra ID (recommended)
    • Passthrough (no authentication in Azure)

For SSO, configure Kerberos Constrained Delegation (KCD) or use the Header-based Authentication Connector if your internal app requires specific HTTP headers for authentication.

[Figure: Microsoft Entra ID and Application Proxy architecture, showing user authentication, token issuance, and the HTTP request flow through the connector to the on-premises app server.]

Step 4: Configure Custom Domain and SSL Certificate

Microsoft issues a default external URL ending in msappproxy.net. For a better user experience and branding, you can use a custom domain that is verified in your Microsoft Entra tenant, along with a valid SSL certificate.

Also, update your public DNS records to point the custom domain to the Application Proxy service.

License Requirements

Microsoft Entra Application Proxy requires a Microsoft Entra ID P1 or P2 license. Ensure your tenant includes the necessary license tier before proceeding with connector registration or application publishing.

Monitoring Connector Status

Use PowerShell or Microsoft Graph to check connector health and availability. If any connector shows as inactive, you should investigate immediately.
In addition, Application Proxy connectors are self-updating. Updates are automatically downloaded and applied to ensure stability, compatibility, and security—no manual intervention is needed.

To monitor connector health and version status:

  • Use PowerShell scripts to query installed connector versions.
  • Leverage the Microsoft Graph API to track connector status, last check-in time, and software version.
  • Review connector diagnostics through the Entra admin center > Application Proxy > Connectors view.

Regularly checking connector health ensures that outdated or inactive instances do not introduce reliability gaps.

Best Practices for Secure and Efficient Setup

Once the setup is complete, you should apply hardening and monitoring best practices to ensure security, performance, and maintainability.

Always Use Microsoft Entra ID Pre-Authentication

Microsoft Entra ID pre-authentication validates users before allowing them to access internal applications. Avoid Passthrough unless there's a strong reason, such as apps requiring anonymous access.
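The publishing choices from Step 3 and the pre-authentication rule above can be checked mechanically before an app goes live. The following is an added example, not code from the article or from Microsoft: it audits a publishing configuration whose field names follow the Microsoft Graph beta `onPremisesPublishing` resource as the example's author understands it (`externalAuthenticationType`, `externalUrl`, `internalUrl`, `isSecureCookieEnabled`, `isHttpOnlyCookieEnabled`; treat these as assumptions to confirm against the Graph reference). Both configurations are constructed, one using Passthrough and weak cookie flags, the other published the recommended way.

```python
"""Audit an Application Proxy publishing configuration for pre-authentication,
an HTTPS external URL, and secure session-cookie flags.

Added example. Field names are assumed to match the Microsoft Graph beta
`onPremisesPublishing` resource; the two configurations are constructed.
"""
from urllib.parse import urlparse

# Constructed: published with Passthrough and cookie hardening switched off.
WEAK_PUBLISHING = {
    "internalUrl": "http://hr-app.internal/",
    "externalUrl": "https://hr-app-contoso.msappproxy.net/",
    "externalAuthenticationType": "passthru",
    "isSecureCookieEnabled": False,
    "isHttpOnlyCookieEnabled": False,
}

# Constructed: the same app published with Entra ID pre-authentication.
HARDENED_PUBLISHING = {
    "internalUrl": "http://hr-app.internal/",
    "externalUrl": "https://hr-app-contoso.msappproxy.net/",
    "externalAuthenticationType": "aadPreAuthentication",
    "isSecureCookieEnabled": True,
    "isHttpOnlyCookieEnabled": True,
}


def audit_publishing(config: dict) -> list:
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    auth = config.get("externalAuthenticationType")
    if auth != "aadPreAuthentication":
        # Passthrough is only defensible for genuinely anonymous apps, so a
        # reviewer has to justify it explicitly.
        findings.append(
            f"pre-authentication is '{auth}': requests reach the connector "
            "before Entra ID has validated the user")
    external = urlparse(config.get("externalUrl", ""))
    if external.scheme != "https":
        findings.append(f"external URL '{config.get('externalUrl')}' is not HTTPS")
    if not config.get("isSecureCookieEnabled", False):
        findings.append("Secure flag is off on the proxy session cookie")
    if not config.get("isHttpOnlyCookieEnabled", False):
        findings.append("HttpOnly flag is off on the proxy session cookie")
    return findings


def harden(config: dict) -> dict:
    """Return a copy of `config` with the weak settings corrected."""
    fixed = dict(config)
    fixed["externalAuthenticationType"] = "aadPreAuthentication"
    fixed["isSecureCookieEnabled"] = True
    fixed["isHttpOnlyCookieEnabled"] = True
    return fixed


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_PUBLISHING), ("hardened", HARDENED_PUBLISHING)):
        print(name, audit_publishing(cfg) or "OK")
```

Run the audit over every published application (for example, over the `onPremisesPublishing` objects you retrieve from Graph) and treat any non-empty result for an app that is not deliberately anonymous as a change request.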

Configure Conditional Access Policies

Microsoft Entra ID Application Proxy fully supports Conditional Access, allowing you to apply identity-based policies before access is granted to internal apps. Use Conditional Access to apply rules based on user, device, location, and risk. Examples include:

  • Require MFA for all users accessing apps from outside the corporate network.
  • Block access from unsupported countries or unknown IP addresses.
  • Enforce compliant devices for sensitive apps.

Set Up Logging and Monitoring

Enable diagnostic settings to send logs to Log Analytics, Event Hubs, or Storage Accounts. Monitor authentication requests, traffic patterns, and failures.

This helps you detect repeated failures, which could indicate misconfigurations or brute force attempts.
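To make "repeated failures" concrete, here is an added example (not part of the article) of detection logic run over sign-in records of the kind the diagnostic settings above export. The rows are constructed and use a few column names from the Entra ID sign-in log as it appears in Log Analytics (`TimeGenerated`, `UserPrincipalName`, `IPAddress`, `AppDisplayName`, `ResultType`, where `ResultType` "0" is a successful sign-in); the column names, the window and the threshold are assumptions to tune for your environment. The check reports any source IP that produces a burst of failures against one published app and how many distinct accounts it touched, which separates a single account being hammered from one source spread across many accounts.

```python
"""Flag bursts of failed sign-ins against a published app.

Added example. Records are constructed; column names follow the Entra ID
SigninLogs table as exported to Log Analytics (assumption).
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window length (assumption: tune)
THRESHOLD = 5                    # failures per source within WINDOW

# Constructed: (TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultType)
SAMPLE_SIGNINS = [
    ("2025-07-27T08:00:05Z", "alice@contoso.com", "203.0.113.10", "HR App", "50126"),
    ("2025-07-27T08:00:20Z", "bob@contoso.com",   "203.0.113.10", "HR App", "50126"),
    ("2025-07-27T08:00:41Z", "alice@contoso.com", "203.0.113.10", "HR App", "50126"),
    ("2025-07-27T08:01:02Z", "carol@contoso.com", "203.0.113.10", "HR App", "50126"),
    ("2025-07-27T08:01:30Z", "bob@contoso.com",   "203.0.113.10", "HR App", "50126"),
    ("2025-07-27T08:02:15Z", "alice@contoso.com", "203.0.113.10", "HR App", "50126"),
    ("2025-07-27T08:03:00Z", "alice@contoso.com", "203.0.113.10", "Finance App", "50126"),
    ("2025-07-27T08:05:00Z", "dave@contoso.com",  "198.51.100.7", "HR App", "50126"),
    ("2025-07-27T08:05:30Z", "dave@contoso.com",  "198.51.100.7", "HR App", "50126"),
    ("2025-07-27T08:06:00Z", "dave@contoso.com",  "198.51.100.7", "HR App", "0"),
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the exported records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_failure_bursts(records, threshold=THRESHOLD, window=WINDOW) -> list:
    """Group failures by (source IP, app) and report the first moment a source
    reaches `threshold` failures inside any `window`-long span."""
    failures = defaultdict(list)
    for ts, upn, ip, app, result in records:
        if result != "0":
            failures[(ip, app)].append((parse_ts(ts), upn))

    alerts = []
    for (ip, app), events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {u for _, u in events[start:end + 1]}
                alerts.append({
                    "ip": ip, "app": app,
                    "failures": end - start + 1,
                    "distinct_users": len(users),
                    "first": times[start].isoformat(),
                    "last": times[end].isoformat(),
                })
                break  # one alert per (ip, app) is enough
    return alerts


if __name__ == "__main__":
    for alert in find_failure_bursts(SAMPLE_SIGNINS):
        print(alert)
```

In the sample, `198.51.100.7` is a user who mistyped a password twice and then signed in, which stays below the threshold; `203.0.113.10` trips the rule against HR App after five failures across three accounts. Pair the alert with a Conditional Access sign-in-risk policy or a block on the source rather than acting on the count alone.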

Use Multiple Connectors for High Availability

Deploy at least two connectors in different network segments or physical servers. Azure automatically uses healthy connectors in a group to distribute requests. Use connector groups to map specific applications to specific connectors if segmentation is needed.

For production environments, deploy connector groups across multiple regions or network segments to improve resilience. Application Proxy automatically uses session affinity to maintain user sessions through the same connector. Distributing connectors geographically can reduce latency and avoid single points of failure.
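The connector-health checks described under "Monitoring Connector Status" and the two-connectors-per-group rule above can be combined into one script. This is an added example, not code from the article or from Microsoft. `fetch_connector_groups()` calls the Microsoft Graph beta endpoints for Application Proxy connector groups and their member connectors with an access token you obtain separately; the data shape that `assess_groups()` expects (`id`, `name`, and `members` entries with `machineName`, `status`, `version`) follows those endpoints as the example's author understands them and should be treated as an assumption. `SAMPLE_GROUPS` and the version strings are constructed so the assessment runs offline; pagination (`@odata.nextLink`) is not handled.

```python
"""Assess Application Proxy connector groups: flag inactive connectors,
connectors behind the expected version, and groups with fewer than two
active connectors.

Added example. Graph data shape is an assumption; sample data is constructed.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta/onPremisesPublishingProfiles/applicationProxy"


def graph_get(token: str, url: str) -> dict:
    """Issue an authenticated GET against Graph and return the JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_connector_groups(token: str) -> list:
    """Return connector groups with their member connectors attached (network call)."""
    groups = graph_get(token, f"{GRAPH}/connectorGroups")["value"]
    for group in groups:
        group["members"] = graph_get(
            token, f"{GRAPH}/connectorGroups/{group['id']}/members")["value"]
    return groups


CURRENT_VERSION = "1.5.3437.0"  # constructed placeholder for the current connector build

# Constructed: three groups in different states.
SAMPLE_GROUPS = [
    {"id": "g1", "name": "Default", "members": [
        {"machineName": "CONN-01", "status": "active", "version": CURRENT_VERSION},
        {"machineName": "CONN-02", "status": "active", "version": CURRENT_VERSION}]},
    {"id": "g2", "name": "HR segment", "members": [
        {"machineName": "CONN-HR-01", "status": "active", "version": CURRENT_VERSION},
        {"machineName": "CONN-HR-02", "status": "inactive", "version": CURRENT_VERSION}]},
    {"id": "g3", "name": "Finance DMZ", "members": [
        {"machineName": "CONN-FIN-01", "status": "active", "version": CURRENT_VERSION},
        {"machineName": "CONN-FIN-02", "status": "active", "version": "1.5.3000.0"}]},
]


def assess_groups(groups: list, expected_version: str, min_active: int = 2) -> list:
    """Return human-readable findings; an empty list means every group is healthy."""
    findings = []
    for group in groups:
        members = group.get("members", [])
        active = [m for m in members if m.get("status") == "active"]
        for m in members:
            if m.get("status") != "active":
                findings.append(
                    f"{group['name']}: connector {m['machineName']} is {m.get('status')}")
            elif m.get("version") != expected_version:
                findings.append(
                    f"{group['name']}: connector {m['machineName']} runs "
                    f"{m.get('version')}, expected {expected_version}")
        if len(active) < min_active:
            findings.append(
                f"{group['name']}: only {len(active)} active connector(s), "
                f"no high availability")
    return findings


if __name__ == "__main__":
    for finding in assess_groups(SAMPLE_GROUPS, CURRENT_VERSION):
        print(finding)
```

With a real token, `assess_groups(fetch_connector_groups(token), CURRENT_VERSION)` produces the same kind of report for your tenant; schedule it and route non-empty output to whoever owns the connector servers.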

Disable Unused Protocols and Legacy Authentication

Ensure legacy protocols like NTLM are disabled on the internal application. Application Proxy will forward the request as-is, so protocol hardening must occur on the backend.

Restrict Who Can Manage Application Proxy Settings

Use RBAC (Role-Based Access Control) to limit who can register connectors, publish apps, or modify settings. Avoid giving Global Admin rights to routine app managers.

Advanced Scenarios

You can also extend the proxy setup with advanced configurations:

  • Header-based Authentication: Useful for apps that require specific HTTP headers for authentication.
  • Authentication Contexts: Use Conditional Access to assign stronger policies to apps that handle PII or financial data.
  • Custom Connectors: Deploy connectors in isolated environments (e.g., VDI or DMZ) for compliance.

These advanced capabilities allow you to align Application Proxy with more complex identity strategies.

Insight by
Dvir Shimon Sasson
Director of Security Research at Reco

Dvir is a professional mountains mover, a dynamic and experienced cybersecurity specialist capable in technical cyber activities and strategic governance.

Expert Insight: Proactive Security Tactics for Entra ID Admins

Even with a secure proxy setup, the surrounding Microsoft 365 environment plays a crucial role in minimizing identity risk. These advanced practices help admins strengthen access governance, harden unused services, and gain deeper visibility into their security posture:

  • Just-in-Time Access with PIM: Reduce standing access by using time-bound, approval-based elevation for all admin roles—even read-only ones.
  • Disable Unused Services: If you’re not using SharePoint or Yammer, disable or restrict them; attackers often exploit dormant services.
  • CA Policy Analytics Preview: Test policy changes before deployment using Conditional Access Insights & Reporting.
  • Advanced Hunting Queries: Use Microsoft 365 Defender’s advanced hunting to write KQL queries across email, identity, and device signals.
  • App Governance Add-on: Monitor risky app behaviors and enforce governance over OAuth apps with this underused but powerful add-on.

Conclusion

Microsoft Entra ID Application Proxy provides a safe and efficient method of publishing internal web applications for external users. It simplifies remote access by reusing the existing identity infrastructure while keeping the internal network closed to inbound connections.

By following best practices such as enabling pre-authentication, deploying multiple connectors, and integrating Conditional Access, organizations can provide a reliable and secure remote-user experience. More mature deployments add telemetry and fine-grained access controls to manage risk and support compliance.
