Azure AD Application Proxy - multiple apps, multiple MFA?

Anwar Mahmood 6 Reputation points

Azure AD Application Proxy is intended for remote access to on premises applications.

It isn't recommended for on premises access.

However, if I did use it for on premises access, and required MFA, would I need to MFA every app, every time?


  • HR app
  • Accounts app
  • Marketing app

On-premises computers are hybrid Azure AD joined.

On on-premises "blue" computers, I want SSO to these apps.
On on-premises "red" computers, I want SSO but also MFA on these apps. For the sake of discussion, "red" computers are somehow less secure, and/or "red" computer users use more sensitive parts of the app. Hence, they must MFA to the app.

People on the "red" computers may need HR, Accounts and Marketing apps. They may dip in and out of these apps several times a day.

If people on the "red" computers have to perform MFA for HR, Accounts and Marketing every time they open them in the browser, there would be severe pushback.

Can it do it "once", and have it "persist" for a reasonable time (say, a working day)?


1 answer

  1. AmanpreetSingh-MSFT 56,466 Reputation points

    @Anwar Mahmood If all the Red and Blue computers are Hybrid Azure AD Joined, they will have a PRT (Primary Refresh Token). Once a user performs MFA on a Hybrid Azure AD joined machine, the MFA claim is stored in the PRT and the user would not be prompted for MFA again for as long as the PRT is valid.

    A PRT is invalidated in case of an invalid user, an invalid device, a password change, or TPM issues. For more information, please refer to "How is a PRT invalidated?"


    Please "Accept as answer" wherever the information provided helps you to help others in the community.

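The answer above rests on one precondition: the workstation must actually be hybrid Azure AD joined and hold a valid PRT, otherwise there is no token for the MFA claim to live in and every app will prompt. The following PowerShell is an added example, not part of the question or the answer, that parses the output of the built-in `dsregcmd /status` tool on Windows 10/11 and reports whether a machine meets that precondition. The `Get-DsregStatus` and `Test-HybridJoinWithPrt` function names are my own; the field names (`AzureAdJoined`, `DomainJoined`, `AzureAdPrt`, `AzureAdPrtUpdateTime`, `AzureAdPrtExpiryTime`) are the ones `dsregcmd` prints, and the sample output embedded below is constructed so the parser can be exercised offline.

```powershell
# Added example: check that a Windows device is hybrid Azure AD joined and
# currently holds an Azure AD PRT, the state the answer depends on for the
# MFA claim to be reused across Application Proxy apps.
# Assumes dsregcmd.exe is available (it ships with Windows 10/11).

function Get-DsregStatus {
    # Default: run the real tool. Pass -Lines to parse saved/constructed output instead.
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "Key : Value" rows; section headers and separators are skipped
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoinWithPrt {
    param([hashtable]$State)
    # Hybrid Azure AD joined = joined to the on-premises domain AND registered in Azure AD
    $hybrid = ($State['AzureAdJoined'] -eq 'YES') -and ($State['DomainJoined'] -eq 'YES')
    $hasPrt = ($State['AzureAdPrt'] -eq 'YES')
    [pscustomobject]@{
        HybridAzureAdJoined     = $hybrid
        HasPrt                  = $hasPrt
        PrtUpdateTime           = $State['AzureAdPrtUpdateTime']
        PrtExpiryTime           = $State['AzureAdPrtExpiryTime']
        # Only with both conditions true can an MFA claim be carried in the PRT
        ReadyForSsoWithMfaClaim = $hybrid -and $hasPrt
    }
}

# Constructed sample of the relevant dsregcmd sections (real output has many more rows)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-01-15 08:02:11.000 UTC
      AzureAdPrtExpiryTime : 2024-01-29 08:02:11.000 UTC
'@ -split "`r?`n"

# Offline run against the constructed sample
Test-HybridJoinWithPrt -State (Get-DsregStatus -Lines $sample)

# On a real "red" or "blue" workstation, run it against the live tool instead:
# Test-HybridJoinWithPrt -State (Get-DsregStatus)
```

Run it on a representative "red" and "blue" machine: if `ReadyForSsoWithMfaClaim` is false on either, the behaviour the answer describes will not apply to that device, and the `PrtUpdateTime`/`PrtExpiryTime` values show whether the PRT is being refreshed as expected.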