Microsoft Entra Application Proxy: Secure Remote Access to On-Premises Apps for Berlin Businesses
Microsoft Entra Application Proxy enables secure remote access to on-premises web applications through Entra ID authentication — without requiring VPN, opening inbound firewall ports, or exposing the application server directly to the internet. The Application Proxy connector, installed on-premises, creates an outbound-only connection to the Entra Application Proxy service in Azure, which proxies authenticated user requests back to the on-premises application over this channel. For Berlin small businesses running legacy web applications, internal portals, or line-of-business applications that cannot be moved to the cloud, Application Proxy provides a zero-trust remote access path that removes the need for a VPN in application-access scenarios.
How Application Proxy Works
Application Proxy deployment involves three components: a connector group (one or more lightweight connectors installed on Windows Server machines on-premises), an enterprise application registration in Entra ID with the internal URL and external URL configured, and user assignment to the application. Users access the application via the external URL (e.g., myapp.msappproxy.net or a custom domain), authenticate against Entra ID, and the Application Proxy service forwards authenticated requests to the internal URL through the connector. The application receives the request appearing to come from the connector machine — no inbound firewall rules are required on the application server.
Single sign-on (SSO) for Application Proxy applications is supported through several mechanisms: Kerberos Constrained Delegation (KCD) for applications that support Windows Integrated Authentication, header-based SSO for applications that accept identity in HTTP headers, SAML-based SSO for SAML-capable on-premises applications, and password-based SSO that stores and injects credentials. KCD-based SSO is the most common for IIS-hosted intranet applications, allowing users who authenticate to Entra ID to be transparently authenticated to the on-premises application using Kerberos without entering a second password.
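The KCD setup described above comes down to one Active Directory change on the connector machine account. The following PowerShell is an added example, not from the original article: it constrains the connector to delegate only to the IIS application's SPN, enables protocol transition (required because the connector never holds the user's own Kerberos ticket), and then checks that unconstrained delegation is not also enabled. The connector name and SPN are placeholders.

```powershell
# Added example (not from the original article): grant the Application Proxy
# connector machine account Kerberos constrained delegation to one IIS app SPN,
# then verify the result. Names below are placeholders for your environment.
Import-Module ActiveDirectory

$ConnectorComputer = 'APPPROXY-CONN01'            # placeholder: connector host name
$AppSpn            = 'http/intranet.corp.example' # placeholder: SPN of the IIS app (internal URL host)

# Application Proxy has no user Kerberos ticket to forward, so the connector must
# use protocol transition (S4U2Self), i.e. "Use any authentication protocol".
# Delegation is constrained to exactly the listed SPN(s) and nothing else.
Set-ADComputer -Identity $ConnectorComputer `
    -Add @{ 'msDS-AllowedToDelegateTo' = $AppSpn } `
    -TrustedToAuthForDelegation $true

# Verify: constrained list present, and no unconstrained delegation lingering.
$conn = Get-ADComputer -Identity $ConnectorComputer `
    -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, TrustedForDelegation

if ($conn.TrustedForDelegation) {
    # Unconstrained delegation would let the connector impersonate users to any
    # service; the constrained list above is all Application Proxy needs.
    Write-Warning "$ConnectorComputer is trusted for UNCONSTRAINED delegation; disable it and keep only the constrained SPN list."
}
if (-not $conn.TrustedToAuthForDelegation) {
    Write-Warning "Protocol transition is off; Application Proxy KCD will fail."
}
$conn.'msDS-AllowedToDelegateTo' | ForEach-Object { "Allowed delegation target: $_" }
```

The SPN must already be registered on the IIS application pool identity, and the enterprise application's SSO mode in Entra ID must be set to Integrated Windows Authentication with that same SPN.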
Conditional Access and MFA Enforcement
Because Application Proxy integrates with Entra ID as a standard enterprise application, all Conditional Access capabilities apply: MFA can be required for remote access to on-premises applications, device compliance can be enforced, sign-in risk can trigger step-up authentication, and named location policies can restrict access to specific countries or IP ranges. This means a legacy on-premises application that has no native MFA capability can have MFA enforced at the Entra ID proxy layer, upgrading its effective security posture without modifying the application code.
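The policy the paragraph describes, as an added example using the Microsoft Graph PowerShell SDK (not code from the original article): it requires both MFA and a compliant device for the published application, exempts trusted named locations such as the office egress IPs, and starts in report-only mode so sign-in logs can be reviewed before enforcement. The application ID and group ID are placeholders.

```powershell
# Added example (not from the original article): Conditional Access policy that
# enforces MFA + compliant device for an Application Proxy-published app.
# IDs below are placeholders; look up the real values in your tenant.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$AppProxyAppId    = '00000000-0000-0000-0000-000000000001'  # placeholder: appId of the published enterprise app
$RemoteUsersGroup = '00000000-0000-0000-0000-000000000002'  # placeholder: group assigned to the app

$policy = @{
    displayName = 'CA - Intranet (App Proxy) - require MFA and compliant device'
    # Report-only first: the policy is evaluated and logged but not enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications   = @{ includeApplications = @($AppProxyAppId) }
        users          = @{ includeGroups = @($RemoteUsersGroup) }
        clientAppTypes = @('all')
        # Apply everywhere except trusted named locations (e.g. the office's fixed egress IPs).
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{
        # AND: both controls must be satisfied, not either one.
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state '$($created.State)'"

# Review: list every policy that targets this application, so an accidental
# exclusion or a second conflicting policy is visible before enabling.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.Applications.IncludeApplications -contains $AppProxyAppId } |
    Select-Object DisplayName, State
```

Once the report-only results look right, update the policy's `state` to `enabled`; the legacy application itself needs no change because the controls are applied before the request ever reaches the connector.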
Application Proxy vs. VPN for Application Access
Traditional site-to-site or client VPN for application access grants broad network access — users on VPN can reach any on-premises resource, not just the specific application they need. Application Proxy applies the principle of least privilege at the application layer: each application is published separately, users are assigned only to applications they need, and no network-level access is granted. This limits lateral movement risk: a compromised remote device on VPN can probe the entire on-premises network, while a compromised Application Proxy session is limited to the specific application’s HTTP surface. For Berlin SMBs with a handful of on-premises web applications, Application Proxy is often a more appropriate solution than maintaining and securing a VPN infrastructure.
High Availability and Connector Groups
Connector groups allow multiple connector machines to be pooled for high availability and geographic proximity. For organizations with multiple sites, connector groups can be configured per site — applications hosted in the Berlin office use the Berlin connector group, applications hosted in a remote office use that office’s connector group. A minimum of two connectors per group is recommended for production availability: if one connector machine is patched or rebooted, the other continues serving requests without interruption. The connector software updates itself automatically, so beyond normal patching of the host machine no manual maintenance is required once deployed.
Running on-premises web applications that remote employees need to access securely from Berlin or abroad? IT Experts Berlin deploys Application Proxy connectors, configures SSO for on-premises applications, and integrates with Conditional Access to enforce MFA and device compliance for remote application access.
Related Articles
- Microsoft Entra Conditional Access: Application Proxy publishes on-premises apps as Entra ID enterprise applications, making all Conditional Access capabilities available — MFA, device compliance, sign-in risk, and location restrictions can all be enforced for remote access to on-premises applications without modifying the application itself
- Microsoft Entra Multifactor Authentication: MFA enforcement for Application Proxy applications is configured through Conditional Access — legacy on-premises applications with no native MFA capability receive MFA enforcement at the Entra ID proxy layer, upgrading their effective security posture without application code changes
- Microsoft Entra Privileged Identity Management: On-premises administrative applications published via Application Proxy — such as server management consoles, backup management interfaces, or network device portals — can have PIM-based just-in-time access policies applied, requiring explicit activation before privileged access is granted
- Microsoft Entra Global Secure Access: Application Proxy and Global Secure Access are complementary access solutions — Application Proxy handles web-based on-premises applications via reverse proxy while Global Secure Access handles non-web protocols and full network traffic tunneling, together covering the full range of on-premises access scenarios
