Azure App Proxy Evaluation
Evaluation of Microsoft Entra Application Proxy for providing secure external access to PSI web applications without VPN, with Entra ID pre-authentication, Conditional Access, and M365 integration.
Requirements
| Requirement | Description |
|---|---|
| External access without VPN | Users access PSI web apps from outside the corporate network |
| User/group assignment | Assign specific apps to specific users or groups |
| M365 app launcher | Apps appear in users’ My Apps portal and Office 365 waffle menu |
| MFA / Conditional Access | Entra ID pre-authentication with MFA and CA policies enforced before app access |
What is Entra Application Proxy?
Microsoft Entra Application Proxy is a reverse proxy service that publishes internal web applications to an external URL. It consists of three components:
- Application Proxy cloud service — runs in Azure, handles the external URL endpoint
- Private network connector — lightweight agent on a Windows Server VM inside the corporate network, makes outbound-only connections to the cloud service
- Microsoft Entra ID — identity provider handling pre-authentication, Conditional Access, and SSO
External User (Browser)
│
│ HTTPS (external URL)
▼
┌──────────────────────────┐
│ Entra Application Proxy │
│ (Cloud Service) │
│ │
│ ┌────────────────────┐ │
│ │ Entra ID │ │
│ │ Pre-authentication │ │
│ │ • MFA │ │
│ │ • Conditional Access│ │
│ │ • User assignment │ │
│ └────────────────────┘ │
└──────────┬───────────────┘
│
│ Outbound connection only
│ (no inbound firewall rules)
▼
┌──────────────────────────┐
│ Private Network │
│ Connector │
│ (Windows Server VM on │
│ PS-SERVERS subnet) │
└──────────┬───────────────┘
│
│ Internal network
▼
┌──────────────────────────┐
│ App Service │
│ (Private Endpoint) │
│ e.g., 10.160.0.17 │
└──────────────────────────┘
No inbound firewall ports are opened. The connector establishes outbound HTTPS connections to the cloud service.
How It Maps to PSI Requirements
External Access Without VPN
App Proxy publishes internal apps at an external URL (either https://appname-progressivesurface.msappproxy.net or a custom domain like https://appname.progressivesurface.com). Users access this URL from any network — no VPN client needed.
The connector VM, sitting on the PS-SERVERS subnet, resolves the private endpoint IPs and forwards traffic internally. This works with the existing publicNetworkAccess=Disabled configuration — the connector bypasses public access restrictions because it connects over the private endpoint.
User/Group Assignment
Each app published through App Proxy is registered as an Enterprise Application in Entra ID. Admins assign users or security groups to each app individually. Only assigned users can access the app — unassigned users get an access denied page.
This is exactly the per-app, per-user control requested.
M365 App Launcher Integration
Apps published through App Proxy automatically appear in:
- My Apps portal (myapps.microsoft.com) for assigned users
- Office 365 waffle menu (app launcher) for assigned users
PSI already has PSI Explorer and PSI Portal registered as Enterprise Applications (content/development/deploy-to-azure.md:79-83). App Proxy would extend this to all published apps, with the added benefit that clicking the app from My Apps works from anywhere — not just on VPN.
MFA and Conditional Access
When Entra ID pre-authentication is enabled (the default and recommended mode), every request goes through Entra ID before reaching the connector or the app. This means:
- MFA policies are enforced at the proxy layer
- Conditional Access policies evaluate before traffic ever reaches the internal network
- Policies can be targeted per-app (e.g., require MFA for Redbook Web from outside the corporate network, but not for PSI Portal from managed devices)
- Device compliance, location, sign-in risk, and user risk can all be evaluated
This is stronger than the current EasyAuth setup, where authentication happens at the App Service level after traffic has already reached the app.
Architecture for PSI
Proposed Architecture
┌─────────────────────────────────────────────────────────────────────────┐
│ INTERNET │
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Remote User │ │ Field Eng. │ │ Customer │ │
│ │ (Home/VPN- │ │ (Job Site) │ │ (Assigned) │ │
│ │ free) │ │ │ │ │ │
│ └──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │
│ └─────────────────┼─────────────────┘ │
│ │ │
│ │ HTTPS │
│ ▼ │
│ ┌──────────────────────────────┐ │
│ │ Microsoft Entra ID │ │
│ │ ┌────────────────────────┐ │ │
│ │ │ Pre-Authentication │ │ │
│ │ │ • MFA required │ │ │
│ │ │ • Conditional Access │ │ │
│ │ │ • User assignment check│ │ │
│ │ │ • Device compliance │ │ │
│ │ └────────────────────────┘ │ │
│ │ │ │
│ │ Application Proxy Service │ │
│ └──────────────┬───────────────┘ │
│ │ │
└──────────────────────────┼───────────────────────────────────────────────┘
│ Outbound HTTPS (connector-initiated)
│
┌──────────────────────────┼───────────────────────────────────────────────┐
│ Azure VNet (PS-VNMAIN) │
│ │ │
│ ┌───────────────────────┴───────────────────────────────────────┐ │
│ │ PS-SERVERS Subnet (10.160.0.0/23) │ │
│ │ │ │
│ │ ┌─────────────────┐ │ │
│ │ │ Connector VM │ Private Endpoints: │ │
│ │ │ (Windows Server)│ │ │
│ │ │ 10.160.0.X │──── psi-portal (10.160.0.6) │ │
│ │ │ │──── psi-explorer-web (10.160.0.17) │ │
│ │ │ 2+ connectors │──── ps-project-explorer(10.160.140.10) │ │
│ │ │ recommended │──── redbook-web (10.160.x.x) │ │
│ │ └─────────────────┘──── dmt (10.160.x.x) │ │
│ │ │ │
│ └───────────────────────────────────────────────────────────────┘ │
│ │
│ Current VPN users continue to access apps directly │
│ │
└──────────────────────────────────────────────────────────────────────────┘
Connector VM
A Windows Server VM on the PS-SERVERS subnet running the Microsoft Entra private network connector. Requirements:
| Requirement | Minimum |
|---|---|
| OS | Windows Server 2016+ |
| CPU / RAM | 4 vCPUs / 8 GB RAM recommended |
| Network | On PS-SERVERS subnet (same as private endpoints) |
| Outbound access | HTTPS to *.msappproxy.net, *.servicebus.windows.net |
| Domain join | Entra ID joined or hybrid joined |
| Connectors | 2+ per connector group (HA recommended) |
The existing ps-cicd-runner (Ubuntu, 10.160.0.9) cannot host the connector — it requires Windows. A new Windows Server VM would be needed, or the connector could be installed on an existing Windows Server already on the subnet.
Dual-Access Model
App Proxy does not replace VPN access. Both paths coexist:
- Onsite / VPN users → access apps directly via private endpoint DNS (current behavior, unchanged)
- External users → access apps via App Proxy external URL (new capability)
No changes to the current private endpoint or DNS configuration are required.
App-by-App Assessment
Strong Candidates for App Proxy
| App | URL | Why |
|---|---|---|
| PSI Portal | portal.progressivesurface.com | Central launcher — should be accessible anywhere for remote workers |
| PSI Explorer | explorer.progressivesurface.com | Field engineers at customer sites need BOM lookups |
| Project Explorer | projects.progressivesurface.com | Project managers traveling or working remotely |
| Redbook Web | redbook.progressivesurface.com | Quality issues can be logged from job sites |
| ERP Migration Tool | dmt.progressivesurface.com | External consultants or remote data migration work |
Keep VPN-Only
| App | URL | Why |
|---|---|---|
| UniData API | api.progressivesurface.com | Backend service, not user-facing — no need for external exposure |
| MES | psmes.progressivesurface.com | Manufacturing floor app — users are always onsite |
| Redbook Dashboard | ps-redbook-dashboard.azurewebsites.net | Analytics dashboard, typically used onsite by management |
Special Consideration
| App | URL | Notes |
|---|---|---|
| PSI Wiki | wiki.progressivesurface.com | Already a Static Web App (publicly accessible via Entra auth). Could add App Proxy for consistency, but may not need it since SWA auth already works externally. |
Authentication Interaction
Current Setup
PSI apps use two auth patterns:
- EasyAuth (App Service platform auth) — PSI Explorer, PSI Portal, Project Explorer
- MSAL.js (client-side) — ERP Migration Tool
With App Proxy
App Proxy adds pre-authentication before EasyAuth. There are two options:
Option A: App Proxy pre-auth + EasyAuth (double auth)
- Pros: Defense in depth, no changes to existing apps
- Cons: Users may see two login prompts (App Proxy, then EasyAuth) unless SSO is configured correctly
- Mitigation: Configure the App Proxy enterprise app and EasyAuth to use the same Entra app registration, so the token issued by App Proxy pre-authentication also satisfies EasyAuth
Option B: App Proxy pre-auth only, disable EasyAuth
- Pros: Single sign-on, simpler flow
- Cons: Removes auth when accessing via VPN directly (unless VPN users also go through App Proxy)
- Not recommended for PSI since VPN users should still have auth
Recommended: Option A with shared app registration. Keep EasyAuth on the App Services. Configure the App Proxy enterprise app and EasyAuth to use the same Entra app registration so that the SSO token flows through without a second prompt. VPN users still authenticate via EasyAuth directly; external users get App Proxy pre-auth that passes through to EasyAuth.
Licensing
Requirements
App Proxy requires Entra ID P1 (minimum). P1 includes:
- Application Proxy
- Conditional Access
- MFA
- Self-Service Password Reset
Cost
| License | Price | Notes |
|---|---|---|
| Entra ID P1 (standalone) | ~$6/user/month | Only users accessing App Proxy apps need P1 |
| M365 E3 | Includes P1 | If PSI already has E3 licensing, no additional cost |
| M365 Business Premium | Includes P1 | If PSI already has Business Premium, no additional cost |
| M365 E5 | Includes P2 | Includes everything |
Key point: If PSI users already have M365 E3 or Business Premium licenses, Application Proxy is included at no additional cost. Only the connector VM infrastructure cost is added.
Connector VM Cost
| VM Size | Monthly Cost (estimate) |
|---|---|
| B2s (2 vCPU, 4 GB) | ~$30/month |
| B2ms (2 vCPU, 8 GB) | ~$60/month |
| D2s_v5 (2 vCPU, 8 GB) | ~$70/month |
Two VMs recommended for high availability: ~$60-140/month total.
Implementation Steps
Phase 1: Connector Setup
- Deploy a Windows Server VM on PS-SERVERS subnet (or reuse an existing Windows Server)
- Install Microsoft Entra private network connector
- Verify outbound connectivity to *.msappproxy.net and *.servicebus.windows.net
- Install a second connector on a separate VM for HA
- Create a connector group in Entra admin center
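A pre-flight check for the connector VM, added here as example code (it is not part of this page or of Microsoft's connector installer): it tests the requirements-table items (OS build, join state, outbound TCP 443, internal URL resolving to a private endpoint) from an elevated PowerShell session on the candidate Windows Server. The concrete hostnames are assumptions, since the two wildcard domains the page requires each need a real host to probe.

```powershell
# Added example, not from the original page. Run on the candidate connector VM
# before installing the private network connector. Hostnames below are assumed.
param(
    [string[]]$OutboundHosts = @(
        'login.microsoftonline.com',      # assumed: used when registering the connector
        'example.msappproxy.net',         # placeholder host under *.msappproxy.net
        'example.servicebus.windows.net'  # placeholder host under *.servicebus.windows.net
    ),
    [string]$InternalHost = 'portal.progressivesurface.com'   # pilot app internal URL host
)
$failures = 0

# 1. OS floor from the requirements table: Windows Server 2016 is build 14393.
$build = [System.Environment]::OSVersion.Version.Build
if ($build -lt 14393) { Write-Warning "Build $build is older than Windows Server 2016"; $failures++ }

# 2. Join state: dsregcmd reports AzureAdJoined / DomainJoined (Entra ID or hybrid join).
$join = (dsregcmd /status) | Where-Object { $_ -match '^\s*(AzureAdJoined|DomainJoined)\s*:' }
$join | ForEach-Object { Write-Host $_.Trim() }
if (-not ($join -match 'YES')) { Write-Warning 'VM is neither Entra ID joined nor domain joined'; $failures++ }

# 3. Outbound TCP 443 only; the design opens no inbound ports, so nothing inbound is probed.
foreach ($h in $OutboundHosts) {
    $probe = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    if ($probe.TcpTestSucceeded) { Write-Host "OK   443/tcp -> $h ($($probe.RemoteAddress))" }
    else { Write-Warning "FAIL 443/tcp -> $h"; $failures++ }
}

# 4. The internal URL must resolve to the private endpoint (10.160.x.x on this page) from
#    this subnet; a public address would send the connector down the blocked public path.
$addr = (Resolve-DnsName -Name $InternalHost -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
if ($addr -like '10.*') { Write-Host "OK   $InternalHost -> $addr (private endpoint)" }
else { Write-Warning "$InternalHost resolves to '$addr', not a private address"; $failures++ }

# 5. A WinHTTP proxy must also be configured for the connector service, so flag it.
$proxy = (netsh winhttp show proxy) -join ' '
if ($proxy -notmatch 'Direct access') { Write-Warning "WinHTTP proxy configured: $proxy" }

if ($failures) { Write-Error "$failures prerequisite check(s) failed"; exit 1 }
Write-Host 'Connector prerequisites satisfied'
```

Replace the placeholder hosts with the endpoints listed in the connector installer prerequisites before relying on the result.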
Phase 2: Pilot App (PSI Portal)
- Register PSI Portal as an App Proxy application in Entra admin center
- Configure internal URL: https://portal.progressivesurface.com (private endpoint resolves internally from connector)
- Configure external URL: https://portal-progressivesurface.msappproxy.net or custom domain
- Enable Entra ID pre-authentication
- Assign pilot users/groups
- Test access from outside VPN
- Verify app appears in My Apps portal
Phase 3: Conditional Access Policies
- Create CA policy targeting App Proxy enterprise apps
- Require MFA for access from outside corporate network
- Optionally require device compliance
- Test policy enforcement
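The Phase 3 policy expressed as Microsoft Graph PowerShell, added here as an example (not code from this page or from Microsoft): it targets the App Proxy enterprise apps by appId, excludes trusted named locations (the corporate network), requires MFA, and starts in report-only mode so "Test policy enforcement" can be done from the sign-in log before turning it on. It assumes the Microsoft.Graph module is installed, that the App Proxy enterprise apps carry the display names used on this page, and placeholder group IDs that must be replaced.

```powershell
# Added example, not from the original page. Requires Microsoft.Graph PowerShell.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Assumed display names of the App Proxy enterprise apps (adjust if the EasyAuth
# registrations of the same name coexist and a distinct name was chosen).
$appNames = @('PSI Portal', 'PSI Explorer', 'Project Explorer', 'Redbook Web', 'ERP Migration Tool')
$appIds = foreach ($name in $appNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) { Write-Warning "'$name' is not published yet; skipping"; continue }
    # The per-user assignment model relies on this flag; App Proxy apps normally have it
    # set, so a missing value is worth surfacing before the policy goes live.
    if (-not $sp.AppRoleAssignmentRequired) { Write-Warning "'$name' does not require user assignment" }
    $sp.AppId   # Conditional Access targets appId, not the service principal object id
}
if (-not $appIds) { throw 'No App Proxy apps found; publish the pilot app first (Phase 2).' }

$policy = @{
    displayName   = 'PSI App Proxy - require MFA outside corporate network'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after validation
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($appIds) }
        users          = @{
            includeGroups = @('<object-id-of-pilot-user-group>')        # placeholder
            excludeGroups = @('<object-id-of-emergency-access-group>')  # placeholder
        }
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')   # named locations marked trusted = corporate network
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
        # Optional device-compliance step: @('mfa', 'compliantDevice') with operator 'AND'.
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```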
Phase 4: Roll Out Remaining Apps
- Publish PSI Explorer, Project Explorer, Redbook Web, ERP Migration Tool
- Assign appropriate user groups to each app
- Configure per-app Conditional Access if needed
- Verify SSO flows (App Proxy → EasyAuth)
Phase 5: Custom Domains (Optional)
- Configure custom external domains (e.g., portal-ext.progressivesurface.com)
- Add DNS records and SSL certificates
- Update user-facing documentation
Risks and Considerations
| Risk | Mitigation |
|---|---|
| Double authentication prompts | Use shared Entra app registration between App Proxy and EasyAuth |
| Connector VM availability | Deploy 2+ connectors across separate VMs |
| Latency for external users | Connector is in North Central US (same as App Services) — low latency |
| UniData API dependency | PSI Explorer and Project Explorer call api.progressivesurface.com. The API is VPN-only. App Proxy requests come from the connector VM (on the VNet), so API calls from the App Service still work — the App Service itself is on the VNet via VNet integration. No change needed. |
| DNS split-brain | Internal users resolve portal.progressivesurface.com to 10.160.0.6 (private endpoint). External users hitting the App Proxy URL go through the cloud service. No DNS conflict. |
| Connector updates | Connectors auto-update. Monitor for update failures. |
Comparison: App Proxy vs. Alternatives
| Capability | App Proxy | Azure Front Door + Private Link | Just Allow Public Access |
|---|---|---|---|
| Entra ID pre-auth | Built-in | Requires EasyAuth/MSAL on app | Requires EasyAuth/MSAL on app |
| Conditional Access | Enforced before traffic reaches network | Enforced at app level | Enforced at app level |
| M365 My Apps integration | Automatic for assigned users | Manual Enterprise App registration | Manual Enterprise App registration |
| User assignment | Built-in per-app | Via Enterprise App config | Via Enterprise App config |
| No inbound firewall rules | Yes (outbound-only connector) | Requires private link config | Requires removing publicNetworkAccess=Disabled |
| Infrastructure | 1-2 Windows Server VMs | Azure Front Door Premium (~$330/mo) | None |
| Complexity | Low-medium | Medium-high | Low (but weaker security) |
| Cost | P1 license (likely already have) + ~$60-140/mo VMs | ~$330/mo + Private Link fees | Free |
App Proxy is the best fit for PSI’s requirements. It provides all four requested capabilities (external access, user assignment, M365 integration, MFA/CA) with the lowest incremental cost and complexity, assuming P1 licensing is already in place.
Verdict
App Proxy is a strong fit for PSI. It directly addresses all four requirements:
- External access without VPN — connector-based reverse proxy, no firewall changes
- Per-user app assignment — built into the Enterprise Application model
- M365 app launcher — automatic for assigned users
- MFA / Conditional Access — enforced at the proxy layer before traffic enters the network
The main prerequisites are:
- Entra ID P1 licensing (likely already included with M365 E3 or Business Premium)
- 1-2 Windows Server VMs on PS-SERVERS subnet (~$60-140/month)
- Connector installation (lightweight, auto-updating agent)
The existing private endpoint architecture remains unchanged. VPN users continue to access apps directly. App Proxy adds a parallel external access path with stronger pre-authentication.
Recommended Next Step
Start with a pilot: publish PSI Portal through App Proxy, assign a test group, and validate the full flow (external access → Entra pre-auth → MFA → app access → My Apps visibility).
Future Consideration: Entra Private Access
Microsoft is evolving App Proxy into Entra Private Access, which extends beyond HTTP/HTTPS to support TCP/UDP protocols (RDP, SSH, SMB, etc.). This could eventually replace VPN entirely for PSI. However, it requires:
- Additional licensing ($5/user/month on top of P1)
- Global Secure Access client installed on all devices
- Devices registered in Entra ID
App Proxy is the practical starting point. Entra Private Access can be evaluated later if VPN replacement becomes a goal.
Related Pages
- Azure App Proxy Implementation — Step-by-step implementation guide (PSI Explorer POC)
- Deploy to Azure — Current web app architecture and deployment
- Applications — PSI application inventory
- Data Brain — System and data architecture overview
Created: February 2026