Advantages of the Entra Application Proxy & disadvantages of conventional methods
Entra Application Proxy
Security: Access to shared applications is protected by conditional access and MFA. Applications are shielded from direct attacks as they are not published directly on the Internet.
No direct network access: The applications remain protected behind a proxy and there is no direct access from outside.
Simple administration: The entire configuration takes place centrally in the Entra ID portal and is easy to manage.
No additional hardware: No dedicated hardware or additional gateways are required.
Scalability: Access can be easily adapted to growing requirements and user numbers.
Reduced maintenance: With an Entra ID Premium P1 license (often already available), there is no need for separate VPN software or inbound firewall rules with complex DMZ configuration.
Flexibility: Users can securely access applications from anywhere (subject to the conditional access configuration) without additional client software.
Outdated VPN solutions and firewall rules:
Direct network accessibility: Applications often have to be published directly, which exposes them to attack from the Internet.
Complex administration: VPNs and inbound firewall rules can quickly become confusing due to their complexity.
High costs and maintenance: VPN solutions and firewalls entail additional license costs and maintenance effort.
Limited scalability: Conventional solutions quickly reach their limits with a growing number of users or geographically distributed teams.
Less flexibility: Users are dependent on client VPN connections or local network configurations, which makes access more difficult.
Prerequisites
The following prerequisites are required to set up the application proxy:
Entra ID Premium P1 or P2 license: Required for the use of Application Proxy and Conditional Access.
Entra ID Connect (if a local AD is available).
Connector: A local server (Windows Server 2012 R2 or higher) on which the App Proxy Connector is installed.
Access to DNS management: To access the application via the company's domain, a DNS record must be created.
Firewall settings: Outbound port 80 (HTTP) and 443 (HTTPS) must be allowed from the connector server.
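As an added example (not part of the original post), the following PowerShell function checks the prerequisites listed above from the prospective connector server: outbound TCP 80/443, the Windows Server version, reachability of the internal application, and that the external host name is a CNAME to the proxy domain. The host names, the internal URL and the external host are the post's sample values or placeholders, and login.microsoftonline.com is used as one representative sign-in endpoint; it is not the full list of endpoints the connector needs.

```powershell
# Added example, not from the original post. Run on the server that will host
# the App Proxy Connector. Values below are the post's sample values /
# placeholders; replace them with your own.
function Test-AppProxyConnectorPrerequisites {
    param(
        [string]$InternalUrl  = 'http://crm.domain.de:8443',   # sample internal URL from the post
        [string]$ExternalHost = 'crm.domain.de'                # sample external host from the post
    )
    $results = @()

    # 1. Outbound 80 and 443: the connector only opens outbound connections,
    #    so no inbound firewall rule or DMZ placement is required.
    foreach ($port in 80, 443) {
        $ok = (Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port $port `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        $results += [pscustomobject]@{ Check = "Outbound TCP $port to login.microsoftonline.com"; Passed = [bool]$ok }
    }

    # 2. Windows Server 2012 R2 (NT 6.3) or later
    $osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version
    $results += [pscustomobject]@{ Check = "Windows Server 2012 R2 or later (found $osVersion)"; Passed = ($osVersion -ge [Version]'6.3') }

    # 3. The connector server can reach the internal application
    try {
        $resp = Invoke-WebRequest -Uri $InternalUrl -UseBasicParsing -TimeoutSec 10
        $reachable = ($resp.StatusCode -lt 500)
    } catch { $reachable = $false }
    $results += [pscustomobject]@{ Check = "Internal application reachable ($InternalUrl)"; Passed = $reachable }

    # 4. External host name is a CNAME pointing at the proxy domain.
    #    Without it, access only works via the default *.msappproxy.net name.
    $cname = Resolve-DnsName -Name $ExternalHost -Type CNAME -ErrorAction SilentlyContinue
    $viaProxy = @($cname | Where-Object { $_.NameHost -like '*.msappproxy.net' }).Count -gt 0
    $results += [pscustomobject]@{ Check = "CNAME $ExternalHost -> *.msappproxy.net"; Passed = $viaProxy }

    return $results
}

# Usage: list every check and stop if any failed
$checks = Test-AppProxyConnectorPrerequisites
$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Passed }) { Write-Warning 'Prerequisites not met; fix the failed checks before installing the connector.' }
```

The DNS check will fail until the CNAME record from the configuration step exists, so run it again after that step; the other three checks should pass before the connector is installed.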
Instructions: Setting up the application proxy
Activating the app proxy
Log in to the Entra portal
Navigate to Entra ID -> Application Proxy
Activate the application proxy
Installing the connector
Download the connector in the Entra ID portal under Global Secure Access -> Connect -> Connectors
Install the connector on a Windows server that has access to the local application
Connector service: Download and install the service
Connector groups: Add the connectors to the groups
Private networks: Activate the connector for private networks


Configuration of the local application
There are two options for configuring the application:
Global Secure Access -> Configure an App
Identity > Applications -> Enterprise Applications
Navigate to the Entra ID Portal -> Enterprise Applications
Select + New Application -> Add an On-Premises application
Enter the internal URL (e.g. http://crm.domain.de:8443) and the external URL (e.g. https://crm.domain.de)
Note: The internal and external URLs should match so that no certificate errors occur.
External URL: Should point to your custom domain; alternatively, the Microsoft domain “.msappproxy.net” can be used.
Pre-authentication: Select Microsoft Entra ID to be able to use Conditional Access
Connector group: Use the previously configured “Default” group
Create a CNAME record in your DNS administration so that you can access the application via your custom domain
Note: Otherwise, access is via the default domain “.msappproxy.net”


Issue and configure certificate
Note: You can make the application accessible via the predefined Microsoft domain without having to issue your own certificate
In this scenario, a certificate was issued via “Certify The Web”.
Install the certificate on the local web server of the application to be published
Assigning permissions and security policies
Assign the application to specific users or groups
Configure conditional access to secure access
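As an added example (not part of the original post), this Microsoft Graph PowerShell script performs the two steps above for a published application: it assigns a group to the enterprise application and creates a Conditional Access policy that requires MFA for that application. The policy is created in report-only mode first so sign-in logs can be reviewed before it is enforced. The display names “CRM” and “CRM Users” are constructed placeholders, and the script assumes the Microsoft.Graph module is installed and that the signed-in account has the listed Graph permissions.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph
# PowerShell module. "CRM" and "CRM Users" are constructed placeholder names.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Group.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Look up the enterprise application (service principal) and the user group
$sp    = Get-MgServicePrincipal -Filter "displayName eq 'CRM'"
$group = Get-MgGroup -Filter "displayName eq 'CRM Users'"
if (-not $sp -or -not $group) { throw 'Application or group not found; check the placeholder names.' }

# Step 1: assign the group to the application. The all-zero AppRoleId is the
# default access role for applications that define no app roles.
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId ([Guid]::Empty)

# Step 2: Conditional Access policy requiring MFA for this application only.
# Report-only ("enabledForReportingButNotEnforced") lets you validate the
# effect in the sign-in logs before switching the state to "enabled".
$policy = @{
    displayName = 'Require MFA for CRM (App Proxy)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications = @{ includeApplications = @($sp.AppId) }
        users        = @{ includeGroups = @($group.Id) }
    }
    grantControls = @{
        operator         = 'OR'
        builtInControls  = @('mfa')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Because the application was published with Pre-authentication set to Microsoft Entra ID, this policy is evaluated before the proxy forwards any request to the internal server; a user outside “CRM Users” is rejected at sign-in and never reaches the application.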
User experience & test the application
Open the external URL in the browser
Verify that Entra authentication is successful and the local application loads properly

Summary
The App Proxy offers a modern, secure and uncomplicated way of providing local web applications via the Internet. It is quick and easy to set up and can already be used with an Entra ID Premium P1 license. Seamless integration into the Microsoft ecosystem allows you to benefit from powerful security features such as conditional access and multi-factor authentication. At the same time, you avoid the security risks and complexity that often occur with conventional solutions such as port sharing or VPNs.