Azure Application Proxy
Summary: The Azure Application Proxy provides access to internal URLs for your mobile users. It lets you give your users an internet-accessible URL, and the application also shows up in myapps.microsoft.com, making it easy to reach from the Intune Managed Browser.
Date: Around 2019
Refactor: 7 December 2024: Checked links and formatting.
Installation
From the server that will host the Azure Application Proxy connector, go to the Azure portal https://portal.azure.com and:
- Select Azure Active Directory → Application proxy.
- Download connector and run the installation.
See here for more details.
Configure Proxy
The connector needs internet access, so if it sits behind a proxy you need to configure an outbound proxy for it using PowerShell:
PS C:\Program Files> cd '.\Microsoft AAD App Proxy Connector\'
PS C:\Program Files\Microsoft AAD App Proxy Connector> .\ConfigureOutBoundProxy.ps1

cmdlet ConfigureOutBoundProxy.ps1 at command pipeline position 1
Supply values for the following parameters:
ProxyAddress: http://proxy:8080

Name         : system.net
LocalName    : system.net
NamespaceURI :
...<cut>....
OuterXml     : <proxy />
BaseURI      :
PreviousText :

The outbound proxy has been successfuly configured for the connector
The settings can be checked in the connector's configuration file in C:\Program Files\Microsoft AAD App Proxy Connector:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <gcServer enabled="true" />
  </runtime>
  <appSettings>
    <add key="TraceFilename" value="AadAppProxyConnector.log" />
  </appSettings>
  <system.net>
    <defaultProxy>
      <proxy proxyaddress="http://proxy:8080" bypassonlocal="True" usesystemdefault="True" />
    </defaultProxy>
  </system.net>
</configuration>
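The following script is an added example, not part of the original article or of Microsoft's connector package. It reads the proxy settings that ConfigureOutBoundProxy.ps1 wrote into the connector's configuration file, compares them with the address you expect, and checks that the proxy is reachable from the connector host. The file name in $ConfigPath is a placeholder you must replace, and $ExpectedProxy reuses the address from the article.

```powershell
# Added example: verify the connector's outbound proxy setting and reachability.
# $ConfigPath is an assumption: point it at the connector's .exe.config file
# in the install folder named in the article.
param(
    [string]$ConfigPath    = 'C:\Program Files\Microsoft AAD App Proxy Connector\<connector>.exe.config',
    [string]$ExpectedProxy = 'http://proxy:8080'   # value entered in the article
)

[xml]$config = Get-Content -Path $ConfigPath -Raw

# The element ConfigureOutBoundProxy.ps1 creates: <system.net><defaultProxy><proxy .../>
$proxy = $config.configuration.'system.net'.defaultProxy.proxy
if (-not $proxy) {
    Write-Warning "No <defaultProxy><proxy> element in $ConfigPath; the connector will try a direct connection."
    return
}

[pscustomobject]@{
    ProxyAddress     = $proxy.proxyaddress
    BypassOnLocal    = $proxy.bypassonlocal
    UseSystemDefault = $proxy.usesystemdefault
} | Format-List

# A typo or stale proxy address only shows up later as a connector that never registers,
# so compare against the address you intended to configure.
if ($proxy.proxyaddress -ne $ExpectedProxy) {
    Write-Warning "Configured proxy '$($proxy.proxyaddress)' differs from expected '$ExpectedProxy'."
}

# TCP reachability from this host to the proxy itself.
$uri    = [uri]$proxy.proxyaddress
$result = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port
if (-not $result.TcpTestSucceeded) {
    Write-Warning "Cannot reach proxy $($uri.Host):$($uri.Port) over TCP from this host."
}
```

Run it in an elevated PowerShell on the connector server after ConfigureOutBoundProxy.ps1; the connector service must be restarted for a changed proxy setting to take effect.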
Add On Premise Application
Adding an on-premises application is quite simple. Go to Azure Active Directory → Enterprise Applications → New Application and choose to add an On-premises Application.
You can usually leave all the defaults, but I recommend tweaking the external URL a little to make it easier for your users to remember.
Single Sign On
Single Server SSO
If your internal application only runs on one server, there is a simpler option: add an SPN for that server. Follow these steps to set up single sign-on for a simple one-server application:
Add SPN
From an administrator account, run the following command:
setspn -a HTTP/intranet intranetserver
Note that the “intranet” part is the service name that will show up later in the Kerberos delegation settings, and the “intranetserver” part is the server where the internal app is running.
Kerberos Delegation
With an administrator account, start “Active Directory Users and Computers” and locate the computer object for the application proxy server. Open the Delegation tab and set the delegation as follows:
- Trust this computer for delegation to specified services only
- Use any authentication protocol
Then click Add, locate the HTTP service for the SPN you created, and add it:
Setup SSO in Enterprise App
The last step is to enable and configure SSO on the Enterprise App in Azure AD. Go to the Enterprise Application, click Single Sign-on and select “Integrated Windows Authentication”. Fill in the SPN and leave Delegated Login Identity set to User Principal Name:
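The script below is an added example, not from the original article, that performs the Add SPN and Kerberos Delegation steps above with PowerShell instead of the GUI and adds the checks a careful admin would want. It reuses the article's names HTTP/intranet and intranetserver; the connector host name appproxy01 is an assumption. It needs the ActiveDirectory module (RSAT) and an account allowed to edit computer objects.

```powershell
# Added example: single-server SSO setup (SPN + constrained delegation) with verification.
Import-Module ActiveDirectory

$Spn          = 'HTTP/intranet'   # service name from the article's setspn command
$AppServer    = 'intranetserver'  # server running the internal app (from the article)
$ConnectorSrv = 'appproxy01'      # assumed computer name of the App Proxy connector host

# 1. Check the SPN is not registered elsewhere already. A duplicate SPN breaks
#    Kerberos for both accounts, and 'setspn -a' does not check for duplicates.
$existing = setspn -Q $Spn
if ($existing -match 'Existing SPN found') {
    throw "SPN $Spn is already registered:`n$($existing -join "`n")"
}

# 2. Register the SPN on the application server's computer account
#    ('-S' is the duplicate-checking variant of the article's '-a').
setspn -S $Spn $AppServer
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }

# 3. Constrained delegation on the connector's computer object, matching the two
#    GUI settings: "Trust this computer for delegation to specified services only"
#    populates msDS-AllowedToDelegateTo; "Use any authentication protocol" sets the
#    TrustedToAuthForDelegation flag (protocol transition).
$connector = Get-ADComputer -Identity $ConnectorSrv
Set-ADComputer -Identity $connector -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
Set-ADAccountControl -Identity $connector -TrustedToAuthForDelegation $true

# 4. Verify the result and flag any delegation target beyond the intended SPN:
#    each extra entry is another service the connector may impersonate users to.
$conn = Get-ADComputer -Identity $ConnectorSrv -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
[pscustomobject]@{
    Connector                 = $conn.Name
    AllowedToDelegateTo       = @($conn.'msDS-AllowedToDelegateTo') -join ', '
    ProtocolTransitionEnabled = $conn.TrustedToAuthForDelegation
} | Format-List

$extra = @($conn.'msDS-AllowedToDelegateTo') | Where-Object { $_ -ne $Spn }
if ($extra) { Write-Warning "Connector can also delegate to: $($extra -join ', ')" }
```

After this, the Enterprise App's SSO page only needs the same SPN (HTTP/intranet) and the default Delegated Login Identity; keeping the msDS-AllowedToDelegateTo list limited to that one SPN is what keeps the delegation constrained.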