Get all Application Proxy apps and list extended information

This PowerShell script example lists information about all Microsoft Entra application proxy applications, including the application ID (AppId), name (DisplayName), external URL (ExternalUrl), internal URL (InternalUrl), authentication type (ExternalAuthenticationType), SSO mode and further settings.

Changing the value of the $ssoMode variable enables a filtered output by SSO mode. Further details are documented in the script.

If you don't have an Azure subscription, create an Azure free account before you begin.


We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link
Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell. Screenshot that shows an example of Try It for Azure Cloud Shell.
Go to, or select the Launch Cloud Shell button to open Cloud Shell in your browser. Screenshot that shows how to launch Cloud Shell in a new window.
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal. Screenshot that shows the Cloud Shell button in the Azure portal

To use Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block (or command block) to copy the code or command.

  3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code or command.

This sample requires the Azure Active Directory PowerShell 2.0 for Graph module.

Sample script

# This sample script gets all Azure AD Application Proxy applications (AppId, Name of the app, external / internal url, pre-authentication type etc.).
# This script requires PowerShell 5.1 (x64) and one of the following modules:
#     AzureAD
# Before you begin:
#    Run Connect-AzureAD to connect to the tenant domain.
#    Required Azure AD role: Global Administrator or Application Administrator or Application Developer

$ssoMode = "All"

# Change $ssoMode to filter the output based on the configured SSO type
# All                           - all Azure AD Application Proxy apps (no filter)
# None                          - Azure AD Application Proxy apps configured with no SSO, SAML, Linked, Password
# OnPremisesKerberos            - Azure AD Application Proxy apps configured with Windows Integrated SSO (Kerberos Constrained Delegation)

Write-Host "Reading service principals. This operation might take longer..." -BackgroundColor "Black" -ForegroundColor "Green" 

$aadapServPrinc = Get-AzureADServicePrincipal -Top 100000 | where-object {$_.Tags -Contains "WindowsAzureActiveDirectoryOnPremApp"} 

Write-Host "Reading Azure AD applications. This operation might take longer..." -BackgroundColor "Black" -ForegroundColor "Green"

$allApps = Get-AzureADApplication -Top 100000

Write-Host "Reading application. This operation might take longer..." -BackgroundColor "Black" -ForegroundColor "Green"

$aadapApp = $aadapServPrinc | ForEach-Object { $allApps -match $_.AppId}

Write-Host "Displaying all Azure AD Application Proxy applications with configuration details..." -BackgroundColor "Black" -ForegroundColor "Green"
Write-Host "SSO mode filter: " $ssoMode -BackgroundColor "Black" -ForegroundColor "Green"
Write-Host " "

foreach ($item in $aadapApp) {
    $aadapTemp = Get-AzureADApplicationProxyApplication -ObjectId $item.ObjectId 
    if ($ssoMode -eq "All" -Or $aadapTemp.SingleSignOnSettings.SingleSignOnMode -eq $ssoMode) {
      $aadapServPrinc[$aadapApp.IndexOf($item)].DisplayName + " (AppId: " + $aadapServPrinc[$aadapApp.IndexOf($item)].AppId + ")";    

      Write-Host "External Url: " $aadapTemp.ExternalUrl
      Write-Host "Internal Url: " $aadapTemp.InternalUrl
      Write-Host "Pre authentication type: " $aadapTemp.ExternalAuthenticationType
      Write-Host "SSO mode: " $aadapTemp.SingleSignOnSettings.SingleSignOnMode

      If ($aadapTemp.SingleSignOnSettings.SingleSignOnMode -eq "OnPremisesKerberos") {

      Write-Host "Service Principal Name (SPN): " $aadtemp.SingleSignOnSettings.KerberosSignOnSettings.KerberosServicePrincipalName
      Write-Host "Username Mapping Attribute: " $aadapTemp.SingleSignOnSettings.KerberosSignOnSettings.KerberosSignOnMappingAttributeType

      Write-Host "Backend Application Timeout: " $aadapTemp.ApplicationServerTimeout
      Write-Host "Translate URLs in Headers: " $aadapTemp.IsTranslateHostHeaderEnabled
      Write-Host "Translate URLs in Application Body: " $aadapTemp.IsTranslateLinksInBodyEnabled
      Write-Host "Use HTTP-Only Cookie: " $aadapTemp.IsHttpOnlyCookieEnabled
      Write-Host "Use Secure Cookie: " $aadapTemp.IsSecureCookieEnabled
      Write-Host "Use Persistent Cookie: " $aadapTemp.IsPersistentCookieEnabled
      If ($aadapTemp.VerifiedCustomDomainCertificatesMetadata.Thumbprint.Length -ne 0) {
      Write-Host "SSL Certificate details:"
      Write-Host "Certificate SubjectName: " $aadapTemp.VerifiedCustomDomainCertificatesMetadata.SubjectName
      Write-Host "Certificate Thumbprint: " $aadapTemp.VerifiedCustomDomainCertificatesMetadata.Issuer
      Write-Host "Certificate Thumbprint: " $aadapTemp.VerifiedCustomDomainCertificatesMetadata.Thumbprint
      Write-Host "Valid from: " $aadapTemp.VerifiedCustomDomainCertificatesMetadata.IssueDate
      Write-Host "Valid to: " $aadapTemp.VerifiedCustomDomainCertificatesMetadata.ExpiryDate
      Write-Host ""

Write-Host ("")
Write-Host ("Finished.") -BackgroundColor "Black" -ForegroundColor "Green"
Write-Host ("")

Script explanation

Command Notes
Get-AzureADServicePrincipal Gets a service principal.
Get-AzureADApplication Gets a Microsoft Entra application.
Get-AzureADApplicationProxyApplication Retrieves an application configured for Application Proxy in Microsoft Entra ID.

Next steps

For more information on the Azure AD PowerShell module, see Azure AD PowerShell module overview.

For other PowerShell examples for Application Proxy, see Azure AD PowerShell examples for Microsoft Entra application proxy.