Understanding Azure Active Directory Application Proxy Complex application scenario (Preview)

When applications are made up of multiple individual web application using different domain suffixes or different ports or paths in the URL, the individual web application instances must be published in separate Azure AD Application Proxy apps and the following problems might arise:

  1. Pre-authentication- The client must separately acquire an access token or cookie for each Azure AD Application Proxy app. This might lead to additional redirects to login.microsoftonline.com and CORS issues.
  2. CORS issues- Cross-origin resource sharing calls (OPTIONS request) might be triggered to validate if the caller web app is allowed to access the URL of the targeted web app. These will be blocked by the Azure AD Application Proxy Cloud service, since these requests cannot contain authentication information.
  3. Poor app management- Multiple enterprise apps are created to enable access to a private app adding friction to the app management experience.

The following figure shows an example for complex application domain structure.

Diagram of domain structure for a complex application showing resource sharing between primary and secondary application.

With Azure AD Application Proxy, you can address this issue by using complex application publishing that is made up of multiple URLs across various domains.

Diagram of a Complex application with multiple application segments definition.

A complex app has multiple app segments, with each app segment being a pair of an internal & external URL. There is one conditional access policy associated with the app and access to any of the external URLs work with pre-authentication with the same set of policies that are enforced for all.

This solution that allows user to:

  • by successfully authenticating
  • not being blocked by CORS errors
  • including those that uses different domain suffixes or different ports or paths in the URL internally

This article provides you with the information you need to configure wildcard application publishing in your environment.

Characteristics of application segment(s) for complex application.

  1. Application segments can be configured only for a wildcard application.
  2. External and alternate URL should match the wildcard external and alternate URL domain of the application respectively.
  3. Application segment URL’s (internal and external) need to maintain uniqueness across complex applications.
  4. CORS Rules (optional) can be configured per application segment.
  5. Access will only be granted to defined application segments for a complex application.
    • Note - If all application segments are deleted, a complex application will behave as a wildcard application opening access to all valid URL by specified domain.
  6. You can have an internal URL defined both as an application segment and a regular application.
    • Note - Regular application will always take precedence over a complex app (wildcard application).


Before you get started with Application Proxy Complex application scenario apps, make sure your environment is ready with the following settings and configurations:

Configure application segment(s) for complex application.

To configure (and update) Application Segments for a complex app using the API, you first create a wildcard application, and then update the application's onPremisesPublishing property to configure the application segments and respective CORS settings.


2 application segment per complex application are supported for Microsoft Azure AD premium subscription. Licence requirement for more than 2 application segments per complex application to be announced soon.

If successful, this method returns a 204 No Content response code and does not return anything in the response body.



Here is an example of the request.

PATCH https://graph.microsoft.com/beta/applications/{<object-id-of--the-complex-app-under-APP-Registrations}
Content-type: application/json

    "onPremisesPublishing": {
		"onPremisesApplicationSegments": [
				"externalUrl": "https://home.contoso.net/",
				"internalUrl": "https://home.test.com/",
				"alternateUrl": "",
				"corsConfigurations": []
				"externalUrl": "https://assets.constoso.net/",
				"internalUrl": "https://assets.test.com",
				"alternateUrl": "",
				"corsConfigurations": [
						"resource": "/",
						"allowedOrigins": [
						"allowedHeaders": [
						"allowedMethods": [
						"maxAgeInSeconds": 0

HTTP/1.1 204 No Content

See also