Share via

Translating internal URLs using Application Proxy

Volodymyr 20 Reputation points
2025-10-23T09:47:12.4666667+00:00

Hi,

First of all, I apologize for my English — I’m using a translator :)

I have a local infrastructure that has almost no access to the internet, along with Entra ID. However, it became necessary to provide access to a local Grafana resource for certain users outside the local network.

To achieve this, I deployed a Private Network Connector (Application Proxy) and created my own on-premises application. The configuration is as follows:

Internal URL: mon.office.local

  • External URL: mon-*****.msappproxy.net

Translate URLs in headers: Yes

  • Translate URLs in application body: Yes

Everything works fine — external access is available — but in some parts of the local site, the URLs are hardcoded to the local FQDN. Through the Application Proxy, those links are not being rewritten to mon-*****.msappproxy.net; they remain as mon.office.local. As a result, DNS resolution fails, and the links don’t open.

Is it possible that I missed some configuration on the Microsoft 365 or Entra ID side?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments
Answer accepted by question author
  1. Praveen Chivarla 1,460 Reputation points Microsoft External Staff Moderator
    2025-10-24T08:57:58.43+00:00

    Hi Volo,

    Thank you for posting your query on Microsoft Q&A.

    You’re facing an issue where hardcoded internal URLs in your Grafana application are not being rewritten by Microsoft Entra Application Proxy to the external msappproxy.net URL, despite having both Translate URLs in headers and Translate URLs in application body enabled.

    In Microsoft Entra Application Proxy, this behavior typically happens when certain internal links are embedded in ways that prevent the proxy service from detecting or rewriting them for translation.

    1. JavaScript-generated or dynamic links: URL translation only works for HTML and CSS content. Links created or rendered dynamically through JavaScript, API calls, or non-HTML payloads are not intercepted or rewritten.
    2. Encoding or format mismatch: Application Proxy assumes that your app pages are served using UTF‑8 encoding. If your pages use another encoding without specifying it in HTTP headers, link translation may not apply.
    3. Hardcoded FQDNs in Grafana or app configuration: If Grafana explicitly sets the internal FQDN (for example, mon.office.local) in its configuration or templates, those links will remain static and not be replaced by msappproxy.net.
    4. Application Proxy translation limitation: The proxy scans only certain elements in HTML body or CSS specified attributes (like a`` ``href,`` ``img`` ``src,`` ``iframe`` ``src,`` ``link`` ``href), not every component or script resource. (Full list available in Redirect hardcoded links for apps published with Microsoft Entra application proxy).

    Recommended Steps to Resolve the Issue

    1. Use Custom Domains (Best Practice): The preferred approach is to align the internal and external URLs using custom domains.

    • Configure a public DNS CNAME record so the external domain (mon.office.local) resolves to the msappproxy.net endpoint.
    • Update your Application Proxy app to use this custom domain rather than msappproxy.net.

    When internal and external URLs match, link translation becomes unnecessary, and both internal and external users access Grafana using the same FQDN. (Reference: Custom Domains in Microsoft Entra Application Proxy).

    2. Validate HTML and Encoding:

    • Ensure Grafana pages include the following HTTP response header

    Content-Type: text/html; charset=utf-8

    • Avoid serving mixed encodings or minified HTML/CSS code that prevents Application Proxy from detecting tags.

    3. Use MyApps Secure Sign‑in Extension (Alternative for Translation): If enabling custom domains is not possible, have users install the MyApps Secure Sign‑in extension, which automatically rewrites internal URLs to corresponding external proxy links—even for JavaScript content or custom resources. (Reference: My Apps Browser Extension).

    4. Recommend Using Microsoft Edge: Microsoft Edge natively supports Application Proxy link management, ensuring all internal FQDN links published through App Proxy map correctly to external URLs.

    5. Check for UTF‑8 Conversion and Relative Paths: Whenever possible, configure Grafana dashboards or templates to use relative paths rather than hardcoded FQDNs (for example, /dashboard/metrics instead of http://mon.office.local/dashboard/metrics). Application Proxy automatically translates relative paths.

    Known Limitations

    • JavaScript‑generated and API response links are not rewritten.
    • Content in formats other than HTML/CSS (such as JSON or XML) is not inspected.
    • Link translation works only for apps published via Application Proxy that have the feature explicitly enabled.

    For these reasons, custom domains or the MyApps extension are Microsoft’s recommended solutions for highly dynamic apps.

    References

    I hope this information is helpful. Please feel free to reach out if you have any further questions. If the answer is helpful, please click "Accept Answer" and kindly Upvote it.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.