Just checking in to say that this is actually completely possible without any special configuration. In my case it worked out that the site was misconfigured, so it was crashing right after the successful auth sequence. Once that misconfiguration was corrected, auth worked fine with no issues.
How can I use Entra ID to authenticate users to an on-prem website not publicly available on the internet?
We have a line of business website available on the internet. The site is running on a VM in our tenant in Azure. The site has an app registration created for it. Our local on-prem AD is replicated to Entra, and works to authenticate users to the site.
Dev has decided they want to have a mirror of this site for testing (not dev) purposes, and that this mirror should not be publicly available on the internet. I created a mirror of the site on our on-prem Hyper-V infrastructure, but am having trouble getting it to authenticate users in Entra.
When I attempt to log on to the site, it correctly redirects me to login.microsoftonline.com, where I successfully complete the required MFA auth. After finishing auth, the URL in the browser changes to a long string containing the redirect URI specified in the Azure app and what I think is the auth token, but then it just dies there, even though the internal on-prem client can resolve the name in the redirect URI. Is this because the webserver itself can't check the token against the auth server's key?
Do I need to install the app proxy on the mirror web server or something? I took a look at that, but the docs said it wasn't recommended for users who are on-prem?
Anybody know how to get this working? Thanks!
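As an added example (not code from the original post or from Microsoft), this is the claim-level check a relying party performs on the ID token it receives after the redirect back from login.microsoftonline.com: the issuer must be this tenant's v2.0 endpoint, the audience must be this app registration's client ID, and the nonce, tenant ID and validity window must match. The tenant ID, client ID and token are constructed placeholders; it assumes the RS256 signature has already been verified against the tenant's JWKS (published through its OpenID discovery document) by a JOSE library, which is out of scope here.

```python
from __future__ import annotations
import base64
import json
import time

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder app (client) ID
# v2.0 tokens from Entra ID carry the tenant-specific issuer below.
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token: str) -> tuple[dict, dict, bytes]:
    """Return (header, claims, raw signature) from a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    return (json.loads(b64url_decode(parts[0])),
            json.loads(b64url_decode(parts[1])),
            b64url_decode(parts[2]))


def check_claims(claims: dict, nonce: str, now: int | None = None, skew: int = 300) -> list[str]:
    """Return the list of claim problems; an empty list means the token is acceptable."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    if claims.get("aud") != CLIENT_ID:
        problems.append("audience is not this app's client id")
    if claims.get("tid") != TENANT_ID:
        problems.append("tenant id mismatch")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the value sent in the request")
    if claims.get("exp", 0) + skew < now:       # allow a little clock skew
        problems.append("token expired")
    if claims.get("nbf", 0) - skew > now:
        problems.append("token not yet valid")
    return problems


def build_test_token(claims: dict, kid: str = "placeholder-kid") -> str:
    """Assemble a constructed JWT for testing; the signature segment is dummy bytes."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": kid, "typ": "JWT"}
    return ".".join([enc(json.dumps(header).encode()),
                     enc(json.dumps(claims).encode()),
                     enc(b"dummy-signature")])
```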