Hi @Marc • Thank you for reaching out.
Application Proxy provides access to on-premises applications from the public network by mapping an external URL to the internal URL. The external URL looks like either https://myapp-mytenant.msappproxy.net/ or https://myapp.myverifieddomain.com/ (which requires a CNAME in the public DNS of myverifieddomain.com pointing to https://myapp-mytenant.msappproxy.net/). This means that, in either of these cases, the request reaches the Application Proxy service hosted in Azure.
You can configure App Proxy for:
- Pre-authentication via AAD: If you have configured App Proxy with this option, you will be redirected to Azure AD and if MFA is required for the authenticating user account, it has to be performed.
- Pass-through: Azure AD pre-authentication is bypassed.
As far as step 4 is concerned, it has to be done in local AD, as the application is hosted on-premises and is protected by on-prem AD, and it is not aware of / integrated with Azure AD. If the application allows anonymous access, this step would not be required, but it cannot be performed against Azure AD.
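The two pre-authentication modes in the answer above can be audited offline. This is an added example, not part of the original answer: the inventory is constructed, and its field names assume the `onPremisesPublishing` shape that Microsoft Graph uses for Application Proxy apps.

```python
from urllib.parse import urlsplit

# Constructed sample inventory (assumed export format, not real tenant data).
SAMPLE_APPS = [
    {"displayName": "HR portal",
     "externalUrl": "https://myapp-mytenant.msappproxy.net/",
     "externalAuthenticationType": "aadPreAuthentication"},
    {"displayName": "Legacy wiki",
     "externalUrl": "https://myapp.myverifieddomain.com/",
     "externalAuthenticationType": "passthru"},
]

DEFAULT_SUFFIX = ".msappproxy.net"  # default App Proxy external domain


def audit_app(app):
    """Classify one published app by external domain and pre-auth mode."""
    host = (urlsplit(app.get("externalUrl", "")).hostname or "").lower()
    custom_domain = not host.endswith(DEFAULT_SUFFIX)
    # Fail closed: a missing or unknown value is treated as no pre-auth.
    mode = str(app.get("externalAuthenticationType", "")).lower()
    azure_ad_preauth = mode == "aadpreauthentication"

    findings = []
    if not azure_ad_preauth:
        findings.append(
            "no Azure AD pre-authentication: Azure AD sign-in and MFA are not "
            "enforced at the proxy, only the on-prem application's own "
            "authentication (if any) protects it")
    if custom_domain:
        findings.append(
            f"custom domain: public DNS for {host} needs a CNAME to the "
            "app's msappproxy.net name")
    return {"name": app.get("displayName", "<unnamed>"), "host": host,
            "custom_domain": custom_domain,
            "azure_ad_preauth": azure_ad_preauth, "findings": findings}


def audit(apps):
    """Audit every app in the inventory, preserving input order."""
    return [audit_app(a) for a in apps]


if __name__ == "__main__":
    for result in audit(SAMPLE_APPS):
        print(result["name"], "->", result["findings"] or "ok")
```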