We have a line of business website available on the internet. The site is running on a VM in our tenant in Azure. The site has an app registration created for it. Our local on-prem AD is replicated to Entra, and works to authenticate users to the site.
Dev has decided they want to have a mirror of this site for testing (not dev) purposes, and that this mirror should not be publicly available on the internet. I created a mirror of the site on our on-prem Hyper-V infrastructure, but am having trouble getting it to authenticate users in Entra.
When I attempt to log on to the site, it correctly redirects me to login.microsoftonline.com, where I successfully complete the required MFA auth. After finishing auth, the URL in the browser changes to a long string containing the redirect URI specified in the Azure app and what I think is the auth token, but then it just dies there, even though the internal on-prem client can resolve the name in the redirect URI. Is this because the webserver itself can't check the token against the auth server's key?
Do I need to install the app proxy on the mirror web server or something? I took a look at that, but the docs said it wasn't recommended for users who are on-prem?
Anybody know how to get this working? Thanks!
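As an added illustration (not the poster's code or configuration), assuming the site uses OpenID Connect against Entra ID and that the registered redirect URIs below are constructed placeholders: this Python helper takes the callback URL the browser lands on after login.microsoftonline.com redirects back, checks it against the app's registered redirect URIs with the exact match Entra ID requires, and reports whether the long query string is an authorization code (which the web server itself must then redeem at the token endpoint over outbound HTTPS and validate against the published signing keys), a token in the URL fragment (which never reaches the server), or an error from the authorization server.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed placeholders for the redirect URIs registered on the Azure app.
# The on-prem mirror has its own hostname, so it needs its own entry.
REGISTERED_REDIRECT_URIS = {
    "https://lob.example.com/signin-oidc",              # public site in Azure
    "https://lob-test.corp.example.com/signin-oidc",    # on-prem test mirror
}


def redirect_uri_matches(callback_url, registered=REGISTERED_REDIRECT_URIS):
    """Entra ID matches redirect URIs exactly: scheme, host, port, path and
    trailing slash all count; query string and fragment are ignored."""
    parts = urlsplit(callback_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return base in registered


def classify_callback(callback_url):
    """Say what the authorization server sent back on the redirect.

    Authorization code flow: ?code=...  -> the web server must POST it to the
      token endpoint (outbound HTTPS to login.microsoftonline.com) and validate
      the returned id_token against the tenant's published JWKS.
    Implicit/hybrid flow: #id_token=... -> lives in the fragment, so only the
      browser-side script ever sees it.
    Failure: error=... and error_description=... in query or fragment.
    """
    parts = urlsplit(callback_url)
    query = parse_qs(parts.query)
    fragment = parse_qs(parts.fragment)
    if "error" in query or "error" in fragment:
        desc = (query.get("error_description") or fragment.get("error_description") or ["?"])[0]
        return ("error", desc)
    if "code" in query:
        return ("auth_code", "server must redeem the code at the token endpoint")
    if "id_token" in fragment or "access_token" in fragment:
        return ("fragment_token", "token is in the fragment; server never receives it")
    return ("unknown", "no code, token or error in callback")


def diagnose(callback_url, registered=REGISTERED_REDIRECT_URIS):
    """Return a list of findings for a captured callback URL."""
    findings = []
    if not redirect_uri_matches(callback_url, registered):
        findings.append("callback URI is not registered on the app (exact match required)")
    kind, detail = classify_callback(callback_url)
    findings.append(f"{kind}: {detail}")
    return findings
```

If the callback carries `code=` and the URI is registered, the hang happens in the server-side step after the redirect, so the next thing to confirm is that the mirror host can reach the token and keys endpoints and that its client secret or certificate is valid.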