We have an internal web application for administration, which needs to be available externally as well as internally. The Azure Application Proxy works perfectly for this, but there is one problem. The access to the Batch API is within the same address as the user portal, and requires direct access. So to make this work we need to set the pre-auth to passthrough, which mean we rely on the security of the web app login to be robust, and we cannot use conditional access.
On TMG we got round this by pinging off the path /api, but this doesn't appear to be possible in the Azure Application Proxy.
What we would like is for the main user portal to have Azure Active Directory pre-auth enabled, and whilst still allowing access to the batch api.
So far I have set up URL Rewrite on an internal IIS server, and I am able to swing the API requests through this on a separate app with a unique name. Maybe this is the solution?
If anyone has any idea an a better way of doing this I'd love to hear from you. As you can tell from the above I'm no expert at API access!