AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam

Eager to master hybrid server management? Discover how to administer Windows Server Hybrid Core Infrastructure on Azure, setting your path towards the Microsoft Certified: Azure Hybrid Infrastructure Administrator Associate certification!


Implement Microsoft Entra Application Proxy

Publish and secure on-premises applications with Application Proxy

Microsoft Entra Application Proxy is a cloud service that lets users access internal web applications from anywhere without a VPN. It works by using lightweight connectors installed on-premises to create outbound connections to Azure. This approach simplifies remote access and reduces the need for complex network changes. Users can sign in through Azure AD, ensuring a seamless and secure experience.

Before deploying Application Proxy, you need to set up key components and network settings. First, install and register the connectors on Windows Server machines in the same network as your back-end apps. Then, ensure your network allows outbound HTTPS traffic to Azure without intercepting TLS. Finally, deploy multiple connectors in a connector group to achieve high availability and load balancing. These steps prepare your environment for reliable and secure proxying.

Once connectors are in place, you create and configure application objects in the Azure portal. You assign each object an internal URL for your on-premises app and an external URL for remote access. Choose between Azure AD pre-authentication, which requires sign-in before any request is proxied, or passthrough, which forwards requests to the application without a sign-in at the proxy. You can also group applications and assign them to user or device groups for easier management and access control.
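The setup guidance above (several connectors per connector group, a deliberate pre-authentication choice, and group-based assignment) can be turned into a repeatable review. The following is an added example, not code from Microsoft or from this course; the inventory is constructed, and its field names and finding codes are assumptions made for the example.

```python
# Constructed sample data. Field names and values are assumptions made for
# this example, not an export format produced by Azure.
CONNECTOR_GROUPS = {
    "Default": ["connector-01", "connector-02"],
    "Branch": ["connector-03"],
}
APPS = [
    {"name": "Intranet", "internal_url": "http://intranet.corp.example/",
     "external_url": "https://intranet.example.com/", "pre_auth": "azure_ad",
     "connector_group": "Default", "assigned_groups": ["Staff"]},
    {"name": "Legacy HR", "internal_url": "http://hr.corp.example/",
     "external_url": "https://hr.example.com/", "pre_auth": "passthrough",
     "connector_group": "Branch", "assigned_groups": []},
    {"name": "Wiki", "internal_url": "http://wiki.corp.example/",
     "external_url": "https://wiki.example.com/", "pre_auth": "azure_ad",
     "connector_group": "Lab", "assigned_groups": ["Engineering"]},
]

def audit_app(app, connector_groups):
    """Return the finding codes for one published application."""
    findings = []
    mode = app.get("pre_auth")
    if mode == "passthrough":
        findings.append("PASSTHROUGH")          # no sign-in before proxying
    elif mode != "azure_ad":
        findings.append("UNKNOWN_PREAUTH")      # missing or unrecognised mode
    connectors = connector_groups.get(app.get("connector_group"), [])
    if not connectors:
        findings.append("NO_CONNECTORS")        # group missing or empty
    elif len(connectors) < 2:
        findings.append("SINGLE_CONNECTOR")     # no high availability
    if not app.get("assigned_groups"):
        findings.append("NO_GROUP_ASSIGNMENT")  # access not scoped to a group
    return findings

def audit(apps, connector_groups):
    """Map application name -> findings, omitting applications with none."""
    return {app["name"]: found for app in apps
            if (found := audit_app(app, connector_groups))}

if __name__ == "__main__":
    for name, findings in audit(APPS, CONNECTOR_GROUPS).items():
        print(f"{name}: {', '.join(findings)}")
```

A passthrough finding is a prompt to confirm that the back-end application enforces its own authentication, since nothing is checked at the proxy.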

Security is strengthened by leveraging Azure AD features and Conditional Access policies. Sync your on-premises Active Directory with Azure AD to support single sign-on and pre-authentication. Optionally, use Kerberos Constrained Delegation (KCD) so that connectors can authenticate to back-end servers on the user's behalf for SSO. Then, create Conditional Access policies based on user risk, device compliance, and location to govern remote connectivity and protect sensitive applications.

Managing and monitoring Application Proxy involves assigning the right administrative roles and tracking usage and health. Use roles like Application Administrator or Security Reader to delegate tasks securely, and apply Privileged Identity Management (PIM) for just-in-time elevation. Monitor audit logs and usage reports in the Azure portal to spot issues quickly. By following these practices, you can maintain a robust, scalable, and secure remote access solution.

Conclusion

In summary, Microsoft Entra Application Proxy enables secure remote access to on-premises applications without VPNs by using connectors and Azure AD features. You must install connectors, configure application objects with internal and external URLs, and choose the right pre-authentication mode. Strengthen security with Conditional Access policies, Azure AD synchronization, and optional KCD for single sign-on. Finally, assign proper administrative roles, use PIM, and monitor logs and metrics to ensure high availability and reliable operation. Together, these steps create a scalable and secure solution for publishing legacy and on-premises apps in a cloud-first world.