Working with custom domains in Azure AD Application Proxy
When you publish an application through Azure Active Directory Application Proxy, you create an external URL for your users to go to when they're working remotely. This URL gets the default domain yourtenant.msappproxy.net. For example, if you published an app named Expenses and your tenant is named Contoso, then the external URL would be
https://expenses-contoso.msappproxy.net. If you want to use your own domain name, configure a custom domain for your application.
We recommend that you set up custom domains for your applications whenever possible. Some of the benefits of custom domains include:
- Your users can get to the application with the same URL, whether they are working inside or outside of your network.
- If all of your applications have the same internal and external URLs, then links in one application that point to another continue to work even outside the corporate network.
- You control your branding, and create the URLs you want.
Configure a custom domain
Before you configure a custom domain, make sure that you have the following requirements prepared:
- A verified domain added to Azure Active Directory.
- A custom certificate for the domain, in the form of a PFX file.
- An on-premises app published through Application Proxy.
Configure your custom domain
When you have those three requirements ready, follow these steps to set up your custom domain:
Sign in to the Azure portal.
Navigate to Azure Active Directory > Enterprise applications > All applications and choose the app you want to manage.
Select Application Proxy.
In the External URL field, use the dropdown list to select your custom domain. If you don't see your domain in the list, then it hasn't been verified yet.
The Certificate field that was disabled becomes enabled. Select this field.
If you already uploaded a certificate for this domain, the Certificate field displays the certificate information.
Upload the PFX certificate and enter the password for the certificate.
Select Save to save your changes.
Add a DNS record that redirects the new external URL to the msappproxy.net domain.
Check that the DNS record is configured correctly by using the nslookup command to see if your external URL is reachable and the msapproxy.net domain shows up as an alias.
You only need to upload one certificate per custom domain. Once you upload a certificate, you can choose the custom domain when you publish a new app and not have to do additional configuration except for the DNS record.
There is no restriction on the certificate signature methods. Elliptic Curve Cryptography (ECC), Subject Alternative Name (SAN), and other common certificate types are all supported.
You can use a wildcard certificate as long as the wildcard matches the desired external URL.
Changing the domain
All verified domains appear in the External URL dropdown list for your application. To change the domain, just update that field for the application. If the domain you want isn't in the list, add it as a verified domain. If you select a domain that doesn't have an associated certificate yet, follow steps 5-7 to add the certificate. Then, make sure you update the DNS record to redirect from the new external URL.
You can use the same certificate for multiple applications unless the applications share an external host.
You get a warning when a certificate expires, telling you to upload another certificate through the portal. If the certificate is revoked, your users may see a security warning when accessing the application. We don’t perform revocation checks for certificates. To update the certificate for a given application, navigate to the application and follow steps 5-7 for configuring custom domains on published applications to upload a new certificate. If the old certificate is not being used by other applications, it is deleted automatically.
Currently all certificate management is through individual application pages so you need to manage certificates in the context of the relevant applications.
Send feedback about: