Accessing On-Premises API Through Azure Application Proxy with Azure Directory Enabled Doesn't Work as Documentation Describes

Chuck Conway 1 Reputation point
2021-04-07T16:56:43.467+00:00

I'm attempting to expose my on-premises APIs with Azure Application Proxy.

I've successfully configured Azure Application Proxy to work with the Pre-Authentication set to Passthrough. When I change the Pre-Authentication to Azure Active Directory I can access the endpoint successfully via a browser. However, when I try calling the on-premises endpoint from code I receive the HTML for the Microsoft Sign-In page. A successful request will return a JSON response.

I'm following a Microsoft article: Secure access to on-premise APIs with Azure AD Application Proxy

Via an Azure Docs defect, I learned that I have to use "http://localhost" as a value for the RedirectUri and configure my client app as a "Mobile and desktop applications" platform.

using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Xunit;

public class AppProxyTests
{
    [Fact]
    public async Task Successfully_authenticate_but_cant_access_the_proxy()
    {
        // Acquire Access Token from AAD for Proxy Application
        var clientApp = PublicClientApplicationBuilder
            .Create("b510069b-xxxx-xxxx-xxxx-9363xxxxxxxx") //Client Id for Client Application
            .WithRedirectUri("http://localhost") // This must be configured as a "Mobile and desktop applications" platform in the client application
            .WithTenantId("xxxxxx-d4cf-4xxx-xxxx-8dc72cbc00bd") //Not sure if this is needed.
            // The authority is the tenant authority URL; MSAL appends the /oauth2/v2.0/authorize and /token paths itself
            .WithAuthority("https://login.microsoftonline.com/xxxxxx-d4cf-4xxx-xxxx-8dc72cbc00bd")
            .Build();

        AuthenticationResult authResult;
        var accounts = await clientApp.GetAccountsAsync();
        var account = accounts.FirstOrDefault();

        // Scope exposed by the Application Proxy app registration (its App ID URI + scope name)
        IEnumerable<string> scopes = new string[] {"https://endpoints-xxx.msappproxy.net/user_impersonation"};

        try
        {
            // Use a cached token for this account if one exists
            authResult = await clientApp.AcquireTokenSilent(scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token: fall back to the interactive (browser) sign-in
            authResult = await clientApp.AcquireTokenInteractive(scopes).ExecuteAsync();
        }

        if (authResult != null)
        {
            //Use the Access Token to access the Proxy Application
            using var httpClient = new HttpClient();
            httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
            var response = await httpClient.GetAsync("https://endpoints-xxx.msappproxy.net");

            //Failing here. I'm receiving the HTML for the Sign-In page. I'm expecting a response with JSON.
            var responseValue = await response.Content.ReadAsStringAsync();
            Assert.Equal("application/json", response.Content.Headers.ContentType?.MediaType);
        }
    }
}
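A diagnostic to narrow this symptom down, added here as an example and not part of the original question, the linked Microsoft article, or MSAL itself. Two things are worth checking before blaming the proxy: whether the access token was actually minted for the Application Proxy application (Azure AD puts the App ID URI in `aud` for v1.0 access tokens and the API's client id for v2.0 tokens, and the granted scope in `scp`), and what the proxy really answered. A default `HttpClient` follows redirects, so a 302 to the sign-in page comes back as a 200 carrying sign-in HTML; disabling `AllowAutoRedirect` makes the real status and `Location` visible. The token decoding below does not validate the signature and is for inspection only. The proxy client id is an assumed placeholder, `PROXY_TOKEN` is an assumed environment variable for an optional live probe, and the tokens built by `ConstructedToken` are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

// Added diagnostic helpers for the Application Proxy scenario in the question (not from the post or Microsoft).
// DecodePayload/CheckToken read claims WITHOUT verifying the signature: use them to debug, never to authorize.
public static class AppProxyDiagnostics
{
    // Base64url (RFC 4648 section 5) decoding, as used for JWT segments.
    static byte[] Base64UrlDecode(string s)
    {
        var b64 = s.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }

    static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Returns the JWT payload (second segment) as JSON. Throws if the string is not a compact JWS.
    public static JsonDocument DecodePayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Expected a compact JWS with three '.'-separated segments");
        return JsonDocument.Parse(Base64UrlDecode(parts[1]));
    }

    // Lists mismatches between the token and what the proxy application should accept.
    // acceptedAudiences: the proxy app's App ID URI (v1.0 tokens) and/or its client id (v2.0 tokens).
    public static List<string> CheckToken(string jwt, IEnumerable<string> acceptedAudiences, string requiredScope)
    {
        var problems = new List<string>();
        using var doc = DecodePayload(jwt);
        var root = doc.RootElement;

        var aud = root.TryGetProperty("aud", out var audEl) ? audEl.GetString() : null;
        if (aud == null || !acceptedAudiences.Contains(aud))
            problems.Add($"aud='{aud}' is not the proxy application ({string.Join(" | ", acceptedAudiences)}); the token was minted for another resource");

        var scp = root.TryGetProperty("scp", out var scpEl) ? scpEl.GetString() ?? "" : "";
        if (!scp.Split(' ', StringSplitOptions.RemoveEmptyEntries).Contains(requiredScope))
            problems.Add($"scp='{scp}' does not contain '{requiredScope}'");

        if (root.TryGetProperty("exp", out var expEl) &&
            DateTimeOffset.FromUnixTimeSeconds(expEl.GetInt64()) < DateTimeOffset.UtcNow)
            problems.Add("token is expired");

        return problems;
    }

    // Calls the proxy with redirects disabled, so a redirect to the sign-in page surfaces as a 302 with a
    // Location header instead of being followed silently into a 200 full of sign-in HTML.
    public static async Task<(HttpStatusCode Status, Uri Location, string MediaType)> ProbeAsync(Uri proxyUrl, string jwt)
    {
        using var client = new HttpClient(new HttpClientHandler { AllowAutoRedirect = false });
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", jwt);
        client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
        using var response = await client.GetAsync(proxyUrl);
        return (response.StatusCode, response.Headers.Location, response.Content.Headers.ContentType?.MediaType);
    }

    // Builds an unsigned (alg=none) token with a constructed payload so the checks can be exercised offline.
    public static string ConstructedToken(string aud, string scp, long exp)
    {
        string Seg(object o) => Base64UrlEncode(JsonSerializer.SerializeToUtf8Bytes(o));
        return $"{Seg(new { alg = "none" })}.{Seg(new { aud, scp, exp, ver = "1.0" })}.";
    }
}

public static class Program
{
    public static async Task Main()
    {
        const string proxyAppIdUri = "https://endpoints-xxx.msappproxy.net";   // App ID URI from the question
        const string proxyClientId = "00000000-0000-0000-0000-000000000000";   // assumed placeholder for the proxy app's client id
        var accepted = new[] { proxyAppIdUri, proxyClientId };
        var inAnHour = DateTimeOffset.UtcNow.AddHours(1).ToUnixTimeSeconds();

        // Constructed token minted for the proxy app with the right scope: reports no problems.
        var good = AppProxyDiagnostics.ConstructedToken(proxyAppIdUri, "user_impersonation", inAnHour);
        Console.WriteLine("good token: " + string.Join("; ", AppProxyDiagnostics.CheckToken(good, accepted, "user_impersonation")));

        // Constructed token minted for Microsoft Graph instead (mixed-up scopes): reports the aud and scp mismatch.
        var wrong = AppProxyDiagnostics.ConstructedToken("https://graph.microsoft.com", "User.Read", inAnHour);
        Console.WriteLine("wrong token: " + string.Join("; ", AppProxyDiagnostics.CheckToken(wrong, accepted, "user_impersonation")));

        // Optional live probe with a real token from MSAL (assumed PROXY_TOKEN environment variable); needs network access.
        var live = Environment.GetEnvironmentVariable("PROXY_TOKEN");
        if (!string.IsNullOrEmpty(live))
        {
            var (status, location, mediaType) = await AppProxyDiagnostics.ProbeAsync(new Uri(proxyAppIdUri), live);
            Console.WriteLine($"{(int)status} {status}; Location={location}; Content-Type={mediaType}");
        }
    }
}
```

If the live probe prints a 302 whose `Location` points at `login.microsoftonline.com`, the proxy rejected the bearer token and the claim check tells you whether it was minted for the wrong resource or scope; if it prints a 200 with `application/json`, the proxy accepted it and the remaining difference is in how the original `HttpClient` call was made.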
Microsoft Entra ID