Links

Az - Application Proxy

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

Basic Information

Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal.
It works like this:
  1. 1.
    After the user has accessed the application through an endpoint, the user is directed to the Azure AD sign-in page.
  2. 2.
    After a successful sign-in, Azure AD sends a token to the user's client device.
  3. 3.
    The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token. Application Proxy then sends the request to the Application Proxy connector.
  4. 4.
    If you have configured single sign-on, the connector performs any additional authentication required on behalf of the user.
  5. 5.
    The connector sends the request to the on-premises application.
  6. 6.
    The response is sent through the connector and Application Proxy service to the user.

Enumeration

# Enumerate applications with application proxy configured
Get-AzureADApplication | %{try{Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}}
# Get applications service principal
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Name"}
# Use the following ps1 script from https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/scripts/powershell-display-users-group-of-app
# to find users and groups assigned to the application. Pass the ObjectID of the Service Principal to it
Get-ApplicationProxyAssignedUsersAndGroups -ObjectId <object-id>

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: