Cannot edit application proxy configuration

Question

Cannot edit application proxy configuration

FunMum 140

In Entra ID, I am trying to edit the application proxy settings of an Enterprise Application.

The initial configuration is with "Internal URL" is blank

The External URL is app.domain-msappproxy.net

See the attached for the initial configuration

When I add an "Internal URL" to https://appname.contoso.com/appweb/.

Then change the External URL to appname.contoso.com (a legitimate domain).

I also change the "Connector Group" to the correct App Proxy Connector Group. Click Save

The following message appears in the notification "Private Network settings update successfully"

However, then the screen refreshes back to the initial configuration (the screen shot). I cannot figure out when the changes I made are not taking. I have tried it both in portal.azure and entra.microsoft. with the same results. Any way to further troubleshoot this or any idea why the changes are not saving even though the notification says it has saved successfully? appproxy123

Shubham Sharma 16,035 Reputation points Microsoft External Staff Moderator

2026-05-27T04:08:14.9366667+00:00
Hey there! It sounds like you’re able to click Save and get the “Private network settings update successfully” banner, but the portal immediately rolls your internal/external URL and connector group back to the original settings. In our experience this usually means the service can’t validate one of the new values (most commonly a custom external domain or the internal-URL reachability), so it silently rejects the change and reverts to the last known good config. Here’s what to check and try:

Make sure you have a valid App-Proxy license (Entra ID P1/P2) and the right role (Application Administrator or Global Admin).

Verify you have at least one active App Proxy connector in the connector group you’re picking. If the group has no running connector, any save will silently roll back.

If you’re switching your External URL from the default *.msappproxy.net to appname.contoso.com, you must first upload a matching SSL certificate under Enterprise applications > Application proxy > Custom domains. Without that cert in place, the portal will refuse to persist your custom hostname.

Ensure your URLs follow the portal’s validation rules:

They start with https://

They end with a trailing slash (/).

If your External URL doesn’t end in “/”, the portal may drop it on save.

From one of your connector servers, open a browser (or use curl) to https://appname.contoso.com/appweb/ to confirm the connector can resolve and reach that internal URL. If it can’t, fix DNS, firewall or host-header translation so the connector machine itself can successfully load the page.

Once the cert is uploaded, connector group has a healthy connector, and the connector machine can hit the internal URL over HTTPS, re-open the Azure portal, update the Internal URL, External URL and Connector Group, and click Save again.

If you’ve gone through those steps and it still won’t stick, gather the connector logs (%TEMP%\ApplicationProxyConnectorInstaller.log and the Connector Diagnostics tool output) and let us know what errors you see.

Reference links:

Configure an Application Proxy app: https://docs.microsoft.com/azure/active-directory/application-proxy-config-how-to/

Add on-prem app & URL requirements: https://docs.microsoft.com/entra/identity/app-proxy/application-proxy-add-on-premises-application

Working with custom domains in App Proxy: https://docs.microsoft.com/azure/active-directory/app-proxy/working-with-custom-domains

Debug Application Proxy connector issues: https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-debug-connectors

Troubleshoot App Proxy problems & error messages: https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-troubleshoot

If the answer is helpful, kindly upvote it. If you have extra questions about this answer, please click "Comment".
FunMum 140 Reputation points

2026-05-27T11:26:23.36+00:00

@Shubham Sharma Thank you so much for the feedback! For the External URL to end with a trailing "/", where do I add the domains in the dropdown so I could add the trailing "/" at the end?
Shubham Sharma 16,035 Reputation points Microsoft External Staff Moderator

2026-05-28T04:16:40.33+00:00
FunMum

Thank you for your reply.

You do NOT add the trailing “/” in the domain dropdown itself.

The dropdown you see (e.g., *.msappproxy.net or your custom domain like contoso.com) is only for selecting/defining the hostname.

The trailing slash / is automatically part of the full URL, not something you configure in the dropdown.How External URL actually works in the portal

From the UI (as shown in your screenshot):

You enter:

Subdomain → appname

Domain dropdown → contoso.com (custom domain) OR tenant.msappproxy.net

The portal constructs this automatically as:

https://appname.contoso.com/

The trailing / is implicitly added — you don't manually type it anywhere

Why you don’t see “/” in the dropdown

Because:

The dropdown represents DNS hostnames only, not full URLs

A valid hostname never includes /

Path-level formatting (like /appweb/) is handled elsewhere (internal URL)

Microsoft Docs confirms that the External URL is a host-based URL created when publishing the app, and custom domains only replace the *.msappproxy.net portion — not the path.

https://learn.microsoft.com/en-us/entra/identity/app-proxy/how-to-configure-custom-domain

Where the “/” actually matters

You should ensure trailing / in:

1. Internal URL (manually required)

https://appname.contoso.com/appweb/

This is critical, because:

App Proxy requires a base path

Missing / can cause validation failures or silent rollback

2. External URL (NOT manually added)

https://appname.contoso.com correct input

Platform converts it to:

https://appname.contoso.com/

If you still face rollback issue

Based on your scenario + screenshot, the real issue is likely NOT the slash, but:

From your screenshot

'Default' needs at least one active connector

This is a blocking condition:

If the selected connector group has no active connectors, the config will not persist, even if the portal shows “success”

Important: Do NOT try to add / in dropdown → Not possible (by design)

Just enter:

Subdomain: appname

Domain: contoso.com

Ensure:

Internal URL ends with /

Custom domain certificate uploaded

Connector group has at least one active connector (this is critical in your case)

Save again

Docs: -

https://learn.microsoft.com/en-us/entra/identity/app-proxy/how-to-configure-custom-domain

https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-add-on-premises-application
Shubham Sharma 16,035 Reputation points Microsoft External Staff Moderator

2026-05-28T08:56:44.74+00:00

FunMum

Following up to check if the resolution provided was helpful. Let us know if you need any further assistance

1 answer

Your answer

FunMum 140 Reputation points

2026-05-27T11:26:23.36+00:00

@Shubham Sharma Thank you so much for the feedback! For the External URL to end with a trailing "/", where do I add the domains in the dropdown so I could add the trailing "/" at the end?
Shubham Sharma 16,035 Reputation points Microsoft External Staff Moderator

2026-05-28T08:56:44.74+00:00

FunMum

Following up to check if the resolution provided was helpful. Let us know if you need any further assistance

Answer 1

AI answer

The behavior described (changes apparently saving but reverting on refresh) is typically caused by an invalid or incomplete application proxy configuration, especially around internal/external URLs and custom domains.

From the available guidance, focus on these areas when troubleshooting:

Verify internal vs. external URL relationship
- Application proxy expects a valid internal URL and an external URL that it can map correctly.
- Best practice is to keep internal and external URLs identical in protocol://hostname:port/path/ where possible. This avoids complex link translation and configuration issues.
- If using a custom external domain (for example, appname.contoso.com) instead of the default *.msappproxy.net, ensure that:
  - The internal URL is valid and reachable by the connector (for example, https://appname.contoso.com/appweb/).
  - If the internal URL uses a nonstandard port (not 80/443), identical internal/external URLs are not possible and additional configuration in the web app may be required.
Ensure custom domain prerequisites are met
- Changing the external URL from *.msappproxy.net to a vanity domain such as appname.contoso.com requires the custom domains feature.
- The custom domain must be configured correctly (DNS and certificate) for application proxy. If the custom domain configuration is invalid, the portal can show errors such as A server with the specified host name could not be found when users access the app.
- Confirm that the custom domain is configured and validated according to the custom domain guidance before changing the external URL.
Check for broken-link and root URL issues
- After publishing an app, only links under the published root URL work by default. If the internal URL or external URL is not set to a root that contains all relevant paths, the service may treat parts of the configuration as invalid.
- Ensure the internal URL you enter is the correct root for the application and that it is consistent with how the app is expected to be accessed.
Validate connector and service health
- Confirm that the Microsoft Entra private network connector service is running and healthy:
  - In Services, verify the connector service is running.
  - In Event Viewer, check Applications and Services Logs > Microsoft > Microsoft Entra private network > Connector > Admin for connector errors.
- If the connector is misconfigured or cannot reach the app, the portal may accept changes but the backend validation can fail and revert to the last known good configuration.
Use the official troubleshooting flow
- Follow the application proxy troubleshooting flow:
  - Step 1–2: Confirm sign-in and user access work for the existing configuration.
  - Step 3: After attempting to change the internal/external URLs, check for any immediate errors or logs indicating misconfiguration.
- If the connector is configured to use an on-premises proxy, verify HTTPS connectivity from the connector to the proxy and look for HTTP 407/502 responses that might block configuration validation.
SAML/SSO considerations (if applicable)
- If the app uses SAML SSO, ensure that the external URL used in application proxy is also reflected in the SAML configuration (Identifier, Reply URL, Logout URL). Mismatches can cause the app to fail validation.
- If the backend app expects the internal URL as Reply URL, either configure custom domains so internal and external URLs match or use the My Apps secure sign-in extension.

If, after verifying the above, the portal still reverts the configuration with no visible error, collect connector logs and portal screenshots and open a support case, as backend validation or policy constraints in the tenant may be preventing the change.

References:

AI-generated content may be incorrect. Read our transparency notes for more information.

Share via

Cannot edit application proxy configuration

1 answer

Your answer