Az - Application Proxy

Support HackTricks

Basic Information

From the docs:

Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal.

It works like this:

  1. After the user has accessed the application through an endpoint, the user is directed to the Azure AD sign-in page.

  2. After a successful sign-in, Azure AD sends a token to the user's client device.

  3. The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token. Application Proxy then sends the request to the Application Proxy connector.

  4. If you have configured single sign-on, the connector performs any additional authentication required on behalf of the user.

  5. The connector sends the request to the on-premises application.

  6. The response is sent through the connector and Application Proxy service to the user.


# Enumerate applications with application proxy configured 
Get-AzureADApplication | %{try{Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}}

# Get applications service principal
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Name"}

# Use the following ps1 script from
# to find users and groups assigned to the application. Pass the ObjectID of the Service Principal to it
Get-ApplicationProxyAssignedUsersAndGroups -ObjectId <object-id>


Support HackTricks

Last updated