How can I use Entra ID to authenticate users to an on-prem website not publicly available on the internet?

Ian Campbell 0 Reputation points
2024-09-26T21:35:01.4+00:00

We have a line of business website available on the internet. The site is running on a VM in our tenant in Azure. The site has an app registration created for it. Our local on-prem AD is replicated to Entra, and works to authenticate users to the site.

Dev has decided they want to have a mirror of this site for testing (not dev) purposes, and that this mirror should not be publicly available on the internet. I created a mirror of the site on our on-prem Hyper-V infrastructure, but am having trouble getting it to authenticate users in Entra.

When I attempt to log on to the site, it correctly redirects me to login.microsoftonline.com, where I successfully complete the required MFA auth. After finishing auth, the URL in the browser changes to a long string containing the redirect URI specified in the Azure app and what I think is the auth token, but then it just dies there, even though the internal on-prem client can resolve the name in the redirect URI. Is this because the webserver itself can't check the token against the auth server's key?

Do I need to install the app proxy on the mirror web server or something? I took a look at that, but the docs said it wasn't recommended for users who are on-prem?

Anybody know how to get this working? Thanks!

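As an added diagnostic example (not from the question or any answer, and not Microsoft's code): parse the URL the browser lands on after login.microsoftonline.com redirects back, and check whether it carries an error, an authorization code or an id_token whose aud and iss claims match the app registration's client ID and tenant. It assumes the v2.0 endpoint issuer format, and every ID, hostname and token below is a constructed placeholder; signature verification against the tenant's published signing keys is deliberately left out here, since that is the web app's own job.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder IDs (not a real tenant or app registration)
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-00000000aaaa"
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-00000000bbbb"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_unverified(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT checking the signature. Diagnostics only:
    the web app must verify the signature against the tenant's published keys."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def inspect_callback(url: str, client_id: str, tenant_id: str, now: float) -> dict:
    """Report what the redirect carried and whether an id_token fits the app registration."""
    parts = urlsplit(url)
    # Entra returns the response in the query string or the fragment, depending on response_mode
    params = {**parse_qs(parts.fragment), **parse_qs(parts.query)}
    report = {"redirect_uri": f"{parts.scheme}://{parts.netloc}{parts.path}", "problems": []}
    if "error" in params:
        report["problems"].append(f"{params['error'][0]}: {params.get('error_description', [''])[0]}")
        return report
    report["has_code"] = "code" in params
    token = params.get("id_token", [None])[0]
    report["has_id_token"] = token is not None
    if token is None:
        return report
    claims = decode_jwt_unverified(token)
    if claims.get("aud") != client_id:
        report["problems"].append(f"aud {claims.get('aud')!r} is not this app's client ID")
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"  # v2.0 issuer format (assumption)
    if claims.get("iss") != expected_iss:
        report["problems"].append(f"iss {claims.get('iss')!r} != {expected_iss}")
    if claims.get("exp", 0) < now:
        report["problems"].append("id_token is expired")
    return report

def _constructed_token(claims: dict) -> str:
    # Builds a token with a dummy signature purely as sample input for the parser above
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysignature"

# Constructed callback URL resembling what the browser lands on after login.microsoftonline.com
SAMPLE_CALLBACK = "https://lob-test.corp.example/signin-oidc#id_token=" + _constructed_token(
    {"aud": SAMPLE_CLIENT_ID, "iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
     "exp": 1_700_000_000}) + "&state=xyz"
```

If the report is clean but the site still stops after the redirect, the failure is inside the app's own callback handling rather than in the sign-in exchange, which is where the thread's resolution points.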

3 answers

  1. Thameur-BOURBITA 32,981 Reputation points
    2024-10-02T09:43:38.7466667+00:00

    Hi @Ian Campbell

    Yes, you need to install Application Proxy if you want to allow users to connect to an on-prem application using an Entra ID account.

    For more information, please refer to the following link:

    Add an on-premises application for remote access through application proxy in Microsoft Entra ID

    Please don't forget to accept the helpful answer.

  2. Ian Campbell 0 Reputation points
    2024-10-03T16:19:48.55+00:00

    Hi, and thanks for your response. I've looked over the docs for application proxy and it looks like it is focused on making applications available to users on the internet without a DMZ or VPN. This is actually the opposite of what we're looking to do; we don't want the application available on the internet at all; merely to authenticate against Entra from on-prem. Can it be done? Thanks again.


  3. Ian Campbell 0 Reputation points
    2024-10-07T23:25:44.3833333+00:00

    Just checking in to say that this is actually completely possible without any special configuration. In my case it worked out that the site was misconfigured, so it was crashing right after the successful auth sequence. Once that misconfiguration was corrected, auth worked fine with no issues.

    So no, you don't need to install the application proxy. Nice try, but either you misunderstood the question, or just didn't know what you were talking about... :(
