Got CORS preflight 403 error after make backend api service unser Application proxy

Zhang, Yang 1 Reputation point

We have an internal service that has front-end and back-end applications. To implement SSO we put Azure AD application proxy in front of these two applications, The external front-end domain is, The backend domain is basically, it should be work after we enable the CORS in the backend application. However, because these two application is under Application proxy, the preflight request of CORS will get 403 error, that means this request was protected by auth? I'm wondering ifs any feature or workaround in Azure application proxy can make this case work.


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,295 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 33,621 Reputation points Microsoft Employee

    At the moment it still is not supported. It appears that the workaround to overcome the CORS issue for the Azure AD app proxy is to develop a proxy for the Azure AD App proxy.

    According to user voice, the product group is looking into enabling a feature that focuses on supporting CORS preflight requests between two applications. This works by allowing you to configure the response and have App Proxy handle it on behalf of the app.

    A pre-requisite for this feature to work is that the user must be able to authenticate into the second application in order to avoid a CORS issue from the login flow into the second app.
    To avoid this the user will have to make sure they have already accessed the 2nd application before the CORS request, and has valid credentials. This should work for wildcard apps and can also be achieved by adding a fake link / image to the 2nd application in the first application.

    There is a feedback item that is still open for this here:

    0 comments No comments

  2. Zhang, Yang 1 Reputation point

    Hi @MarileeTurscak ,

    Thanks for your confirmation. Actually, I don't understand your concern, just give us an option to pass CORS preflight request will resolve this problem.
    In our case user already did authentication in the frontend application before he sends the CORS preflight request, use has a valid SSO cookie at that moment, just let CORS preflight request pass it will be ok.

    Besides, it's 2021 already, People will keep getting this issue, How do you want to them work, add a proxy? that's ridiculous, it makes things complicated than before.

    0 comments No comments