Additional Microsoft Entra services and features related to identity, access, and network security
Intermittent 503s through Microsoft Entra application proxy, especially when direct access works, usually indicate either:
- An issue in the published app or its back-end calls that only surfaces under the proxy pattern, or
- A connectivity/configuration problem between the app proxy service and the private network connector, or
- A misconfiguration with custom domains or publishing paths that affects some requests but not others.
Use the app-proxy–specific troubleshooting flow and then drill into connector and app behavior:
- Verify the connector is healthy
Before focusing on the app, confirm the Microsoft Entra private network connector is stable:
  - In services.msc, ensure Microsoft Entra private network connector is Running and set to start automatically.
  - In Event Viewer → Applications and Services Logs → Microsoft → Microsoft Entra private network → Connector → Admin, check for connector errors or frequent reconnects.
  - If issues are suspected, follow the steps in Debug private network connector issues.
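The two checks above, scripted for the connector host (an added example, not code from the Microsoft documentation). It assumes the service display name contains "private network connector" (or the older "Application Proxy Connector") and that the Admin channel name ends in "Connector/Admin"; both are discovered with wildcards rather than hard-coded. Run it in an elevated PowerShell session.

```powershell
# Added example: connector health check. Assumptions: service display name and Admin
# channel name are matched by the wildcards below; adjust if your install differs.

function Get-ConnectorService {
    Get-Service | Where-Object {
        $_.DisplayName -like '*private network connector*' -or
        $_.DisplayName -like '*Application Proxy Connector*'
    }
}

function Test-ConnectorService {
    # Equivalent of the services.msc check: Running and StartMode = Auto.
    $services = @(Get-ConnectorService)
    if ($services.Count -eq 0) { Write-Warning 'No connector service found on this host'; return }
    foreach ($svc in $services) {
        $cim = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
        [pscustomobject]@{
            Service   = $svc.DisplayName
            Status    = $svc.Status
            StartMode = $cim.StartMode
            Healthy   = ($svc.Status -eq 'Running' -and $cim.StartMode -eq 'Auto')
        }
    }
}

function Get-ConnectorAdminEvents {
    # Equivalent of the Event Viewer check: Critical/Error/Warning entries in the Admin channel
    # for a time window (pass the window in which users saw 503s).
    param([datetime]$Start = (Get-Date).AddHours(-24), [datetime]$End = (Get-Date))
    $log = Get-WinEvent -ListLog '*Connector/Admin' -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $log) { throw 'Connector Admin channel not found; check the Event Viewer path manually' }
    Get-WinEvent -FilterHashtable @{
        LogName   = $log.LogName
        Level     = 1, 2, 3        # Critical, Error, Warning
        StartTime = $Start
        EndTime   = $End
    } -ErrorAction SilentlyContinue
}

function Find-ReconnectBursts {
    # "Frequent reconnects" heuristic: hours with at least $Threshold warning/error events.
    param($Events, [int]$Threshold = 5)
    $Events | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            $topIds = $_.Group | Group-Object Id | Sort-Object Count -Descending |
                      Select-Object -First 3 -ExpandProperty Name
            [pscustomobject]@{ Hour = $_.Name; Events = $_.Count; TopEventIds = ($topIds -join ',') }
        }
}

# Usage: run during or just after a period of 503s and line the burst hours up with user reports.
Test-ConnectorService | Format-Table -AutoSize
$events = @(Get-ConnectorAdminEvents -Start (Get-Date).AddHours(-24))
"Warning/error events in window: $($events.Count)"
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name, @{n='Sample'; e={ ($_.Group[0].Message -split "`n")[0] }} |
    Format-Table -AutoSize
Find-ReconnectBursts -Events $events -Threshold 5 | Format-Table -AutoSize
```

Hours that show up in the burst table and coincide with the 503 reports point at the connectivity branch of the flow below rather than at the application itself.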
- Follow the application-proxy debugging flow
Use the flowchart for app issues to narrow down where the 503 is introduced:
  - Step 1–2: Confirm users can sign in and have the right permissions when going through app proxy (especially important when using Entra ID pre-authentication). If sign-in or authorization fails intermittently, review sign-in logs as described under Troubleshoot sign-in errors in the flow.
  - Step 3: Confirm the app proxy configuration is correct. If errors appear immediately on some calls, compare those failing requests (URL, method, headers) with working ones.
  - Step 4: If using a custom domain, verify:
    - DNS is correctly configured for the published external URL.
    - The certificate for the custom domain is valid and correctly bound.
Intermittent 503s can occur if some requests route to a misconfigured endpoint.
- Check for known app-proxy user-side errors
Even though the browser shows 503, the underlying app proxy error might be different. Common issues include:
  - Licensing/authorization problems (for example, “This corporate app can’t be accessed. You are not authorized…”), which can be more visible when using Entra ID pre-authentication. Ensure users have the required Microsoft Entra ID Premium license if applicable.
  - Custom-domain misconfiguration: “A server with the specified host name could not be found.” If some calls use a different host (for example, absolute URLs or script/image calls to another hostname) that isn’t correctly configured in app proxy, those specific calls can fail while others succeed.
- Look for connectivity issues between proxy and connector
Intermittent 503s, especially periods where everything fails for a while and then recovers, often map to unstable connectivity from the connector to the app proxy service or to the internal app. Use connector debugging as suggested in Debug private network connectors and Work with existing on-premises proxy servers:
  - Stop the connector service, start a network capture, then start the connector service and stop the capture.
  - Look for SynRetransmit on port 443 to app-proxy endpoints, which indicates network/firewall problems.
  - If an outbound proxy or TLS inspection device is in the path, ensure it does not terminate or inspect TLS between the connector and the Microsoft Entra application proxy cloud service. TLS interception can cause errors such as “InternalServerError: This corporate app can’t be accessed right now... ConnectorError:Unauthorized.” and may manifest as intermittent failures.
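The capture sequence above as a script, plus a direct check for TLS interception on the connector's outbound path (an added example, not code from the Microsoft documentation). Assumptions: netsh trace is available on the connector host, the service display name matches the wildcards used, login.microsoftonline.com is only a stand-in for the cloud endpoint you actually see in the trace, and the CA names in $ExpectedIssuerPattern are a starting point to compare against what a host known to be outside the inspection path sees. Run elevated.

```powershell
# Added example: startup network capture and TLS-issuer check. Assumptions: netsh trace
# present; service name matched by wildcard; $ExpectedIssuerPattern adjusted per environment.

function Get-ConnectorServiceName {
    $svc = Get-Service | Where-Object {
        $_.DisplayName -like '*private network connector*' -or $_.DisplayName -like '*Application Proxy Connector*'
    } | Select-Object -First 1
    if (-not $svc) { throw 'Connector service not found' }
    $svc.Name
}

function Start-ConnectorStartupCapture {
    # Stop connector -> start capture -> start connector -> wait -> stop capture.
    param([string]$TraceFile = "$env:TEMP\connector-startup.etl", [int]$SettleSeconds = 90)
    $name = Get-ConnectorServiceName
    Stop-Service -Name $name -Force
    netsh trace start capture=yes tracefile="$TraceFile" maxsize=512 overwrite=yes | Out-Null
    try {
        Start-Service -Name $name
        Start-Sleep -Seconds $SettleSeconds   # long enough for registration and the first outbound sessions
    } finally {
        netsh trace stop | Out-Null
    }
    $TraceFile
}

function Get-TlsIssuer {
    # Opens a TLS session to $TargetHost:443, optionally through an explicit outbound proxy
    # (HTTP CONNECT), and reports who issued the certificate actually presented. A corporate
    # CA here means TLS is being terminated between the connector and the cloud service.
    param(
        [string]$TargetHost = 'login.microsoftonline.com',   # stand-in; also test the *.msappproxy.net host from the trace
        [string]$ProxyHost,
        [int]$ProxyPort = 8080,
        [string]$ExpectedIssuerPattern = 'Microsoft|DigiCert'   # assumption: adjust to what a clean path shows
    )
    if ($ProxyHost) {
        $tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
        $net = $tcp.GetStream()
        $connect = [System.Text.Encoding]::ASCII.GetBytes("CONNECT ${TargetHost}:443 HTTP/1.1`r`nHost: ${TargetHost}:443`r`n`r`n")
        $net.Write($connect, 0, $connect.Length)
        $reply = New-Object System.Text.StringBuilder
        while (-not $reply.ToString().EndsWith("`r`n`r`n")) {   # read proxy headers byte by byte; no over-read into TLS
            $b = $net.ReadByte()
            if ($b -lt 0) { throw 'Proxy closed the connection' }
            [void]$reply.Append([char]$b)
        }
        if ($reply.ToString() -notmatch '^HTTP/1\.[01] 200') { throw "CONNECT failed: $($reply.ToString().Split("`n")[0])" }
    } else {
        $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, 443)
        $net = $tcp.GetStream()
    }
    # Accept any certificate: the point is to see what is presented, not to trust it.
    $ssl = New-Object System.Net.Security.SslStream($net, $false, [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $ssl.AuthenticateAsClient($TargetHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    $ssl.Dispose(); $tcp.Close()
    [pscustomobject]@{
        Target      = $TargetHost
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        ChainRoot   = $root
        Intercepted = ($cert.Issuer -notmatch $ExpectedIssuerPattern)
    }
}

# Usage (both have side effects or need network access, so they are left for you to run):
# $etl = Start-ConnectorStartupCapture
# Get-TlsIssuer -TargetHost 'login.microsoftonline.com'
# Get-TlsIssuer -TargetHost 'login.microsoftonline.com' -ProxyHost 'proxy.corp.example' -ProxyPort 8080
```

The ETL file needs converting before Wireshark can read it (etl2pcapng or `pktmon pcapng`); then filter on `tcp.analysis.retransmission && tcp.port == 443` to find the SynRetransmit pattern. If the connector is configured to use an outbound proxy, run Get-TlsIssuer with -ProxyHost so the check follows the same path the connector does; a chain root that is your own enterprise CA rather than a public one is the interception case described above.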
- Validate publishing path and all resources
Because some calls succeed and others fail, verify that all resources used by the app are correctly published through app proxy:
  - Ensure the publishing path includes all necessary images, scripts, style sheets, and any subpaths the app calls.
  - Use browser dev tools (F12) to identify which specific requests return 503 and check whether their paths/hosts are covered by the app proxy configuration.
  - If some links are absolute or point to internal hostnames not published via app proxy, those calls can fail while the main page works. Use the guidance in Application page doesn’t display correctly and Links on the page don’t work to fix broken or partially published content.
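A way to do the dev-tools comparison systematically, as an added example that is not part of the original article: export the Network tab as a HAR file and classify every request against the published external URL. The HAR below is constructed, and the app name, hosts and paths are hypothetical. It goes slightly beyond the 503 case by treating any 4xx/5xx as a failure, since an unpublished resource may show up as 404 in one capture and 503 in another.

```powershell
# Added example: HAR triage against the published external URL. The HAR content is constructed
# sample data; ExternalUrl is whatever is configured for the app in application proxy.

$harJson = @'
{ "log": { "entries": [
  { "request": { "method": "GET", "url": "https://expenses.contoso.com/expenses/" },                       "response": { "status": 200 } },
  { "request": { "method": "GET", "url": "https://expenses.contoso.com/expenses/api/reports" },            "response": { "status": 200 } },
  { "request": { "method": "GET", "url": "https://expenses.contoso.com/expenses/api/reports" },            "response": { "status": 503 } },
  { "request": { "method": "GET", "url": "https://expenses.contoso.com/shared/theme.css" },                "response": { "status": 404 } },
  { "request": { "method": "GET", "url": "https://expenses-internal.corp.contoso.local/img/logo.png" },    "response": { "status": 503 } }
] } }
'@

function Get-HarTriage {
    param(
        [Parameter(Mandatory)][string]$HarJson,
        [Parameter(Mandatory)][string]$ExternalUrl   # external URL as published in application proxy
    )
    $published = [uri]$ExternalUrl
    foreach ($e in (ConvertFrom-Json $HarJson).log.entries) {
        $u = [uri]$e.request.url
        $status = [int]$e.response.status
        $sameHost  = ($u.Host -eq $published.Host)
        $underPath = $u.AbsolutePath.StartsWith($published.AbsolutePath, [StringComparison]::OrdinalIgnoreCase)
        $verdict = if ($status -lt 400) { 'ok' }
                   elseif (-not $sameHost) { 'host not published through app proxy (absolute/internal link)' }
                   elseif (-not $underPath) { 'path outside the published path' }
                   else { "published resource failing ($status): check connector/back-end" }
        [pscustomobject]@{
            Method  = $e.request.method
            Url     = $e.request.url
            Status  = $status
            Covered = ($sameHost -and $underPath)
            Verdict = $verdict
        }
    }
}

function Find-IntermittentRequests {
    # Same method+URL both succeeding and failing in one capture: the request-by-request
    # comparison the flowchart asks for, narrowed to the genuinely intermittent ones.
    param($Results)
    $Results | Group-Object { "$($_.Method) $($_.Url)" } | Where-Object {
        ($_.Group | Where-Object Status -ge 400) -and ($_.Group | Where-Object Status -lt 400)
    } | Select-Object -ExpandProperty Name
}

$results = Get-HarTriage -HarJson $harJson -ExternalUrl 'https://expenses.contoso.com/expenses/'
$results | Format-Table -AutoSize
'Intermittent (same request both succeeds and fails): ' + ((Find-IntermittentRequests $results) -join '; ')
```

With the sample data, the logo request is flagged as an unpublished host (fix the link or publish that host), theme.css as outside the published path (widen the path), and /expenses/api/reports as a published resource that fails only sometimes, which is the case to take to the connector and back-end checks rather than to the publishing configuration. For a real export, read the file with Get-Content -Raw and pass it as -HarJson.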
- Consider latency and app behavior under proxy
If the internal app is slow or resource constrained, the extra hop through app proxy can expose timeouts as 503s:
  - Review network latency and topology as described under Considerations for reducing latency.
  - If 503s correlate with high load or long-running requests on the internal app, optimize the app or scale it accordingly.
- Compare behavior with pass-through vs. pre-auth
Since the issue appears more often with Entra ID pre-authentication:
  - Confirm that authentication and authorization flows are stable and that tokens/cookies are accepted consistently by the back-end app.
  - Check for any app logic that treats authenticated requests differently (for example, extra back-end calls or redirects) that might be failing intermittently.
If, after these steps, the issue persists, collect:
- Connector Admin log entries around the time of 503s.
- Network traces from the connector startup and from a failing period.
- Browser dev tools traces showing which specific calls return 503.
Then use the broader guidance under Troubleshoot application proxy problems and error messages for deeper analysis or to support a case with Microsoft.