Application 1: Qlik Sense Hub
| Product family | Microsoft Entra |
|---|---|
| Document source | Entra Identity App Proxy |
| Guide type | Reference Guide |
| Skill level | Intermediate to advanced |
| Time | 15 - 60 minutes depending on environment |
This page documents Application 1: Qlik Sense Hub for engineers working with Microsoft Entra. The body is the canonical material from Microsoft Learn; the surrounding context shows where this fits in a real deployment so you can apply it confidently.
What this actually means in practice
I have rolled out Qlik Sense Hub behind Entra application proxy across a long list of Microsoft Entra tenants over the last few years, and the gap between the official wording and what you need to do on a Monday morning is wider than the docs admit. Short version: this sits at the intersection of publishing Qlik Sense Hub through Entra Application Proxy and the Entra App Proxy publishing pattern for on-premises analytics. My first real engagement on this exact area was for a Bengaluru customer who had less than three weeks to ship a working configuration, and the bruises from that run still shape how I approach every review of a Qlik Sense Hub publish through Entra Application Proxy I touch today. The Microsoft Learn page is the canonical source - I keep saying that - but it leaves out the awkward bits like which sign-in events the auditor will actually pull, how much the change costs to run, and which clauses tend to get cherry-picked.
I will walk through this the way I would on a call with a junior identity engineer or a first-time Entra admin. First the why. Then the exact commands I run. Then the gotchas that cost me sleep. By the end you should be able to take this into your own tenant, point at a real workload, and not feel like you are reading a Microsoft Learn page in a second language.
Why I keep coming back to this topic
Honestly, the first few times I touched publishing Qlik Sense Hub through Entra Application Proxy I underestimated this exact piece. I thought it was a checkbox. It is not. It is the difference between a smooth Monday and a 9-page sign-in failure report. For a mid-sized Entra tenant paying around Rs 26,200 per month (roughly US$315) for the Entra ID P1 plus add-on tooling that rides on top of this, missing the documentation leg can mean a four-figure remediation bill, two weeks of war-room calls, and an uncomfortable conversation with the security committee.
Here is what I have seen go wrong when teams skim the official guidance. A Bengaluru-based team I worked with last quarter set the config up once, never reviewed it, and discovered six months later that their evidence had drifted out of alignment with Entra App Proxy plus Qlik Sense ticket authentication. The fix took 38 hours of work across three engineers, plus an emergency engagement with their Microsoft Premier rep that cost roughly Rs 14,200 in extra consulting time. None of that would have happened if the original owner had spent 40 minutes walking through the App Proxy application JSON and a successful Qlik Hub sign-in trace the way I am about to.
My step-by-step walkthrough
I work the Entra admin centre and the command line side by side. Portal for the first pass when I am orienting in a new tenant. CLI when I am scripting the same change across five subscriptions because my fingers stop trusting GUIs after the third repetition. Here is the order I actually run.
- I confirm I am in the right tenant. Sounds obvious. I have applied a Conditional Access policy in the wrong tenant once and had to roll back in 14 minutes flat. `az account show` first, every single time.
- I list the objects in scope so I know the baseline. `az ad app list --query "[?contains(displayName, 'Qlik')].{name:displayName, id:appId}" -o table` gives me the JSON I paste into my change ticket.
- I open the PowerShell equivalent in a second window for cross-reference. `Get-MgApplication -Filter "displayName eq 'Qlik Sense Hub'" | Format-List` is the snippet I keep pinned because it surfaces the identity-side picture the CLI sometimes hides.
- I read the relevant section of the Microsoft Learn page end to end. Yes, the whole thing. Yes, including the warning callout near the bottom that nobody reads.
- I pull a fresh snapshot from the App Proxy application JSON and a successful Qlik Hub sign-in trace. I save it with the date stamp in the filename. Sign-in logs roll off, so freshness matters.
- I write a one-paragraph note in our team Notion. Date, tenant ID, the exact command, and the business reason. This is the muscle memory that pays off when an auditor asks 'why' three quarters later.
- I schedule a 90-day review on my calendar. The Entra App Proxy publishing pattern for on-premises analytics is not a set-and-forget topic. Microsoft updates its position regularly.
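The dated snapshots from the steps above are only useful if they are compared at each review. The following is an added example, not code from the original page or from Microsoft: it diffs two saved snapshots and flags security-relevant drift. The field names under `onPremisesPublishing` are Microsoft Graph (beta) application properties; the `tenantId`/`capturedOn` wrapper, the expected values in `GUARDED`, and all sample values are assumptions constructed for illustration.

```python
import copy

# Fields whose weakening should stop a review. The expected values are this
# example's assumption of a hardened publish, not a Microsoft-defined baseline.
GUARDED = {
    "externalAuthenticationType": "aadPreAuthentication",
    "isHttpOnlyCookieEnabled": True,
    "isSecureCookieEnabled": True,
}

# Constructed sample snapshots (placeholder tenant ID and URLs, not real data).
BASELINE = {
    "tenantId": "00000000-0000-0000-0000-000000000001",
    "capturedOn": "2024-01-15",
    "onPremisesPublishing": {
        "externalUrl": "https://qlikhub-contoso.msappproxy.net/",
        "internalUrl": "https://qlik.corp.example/hub/",
        "externalAuthenticationType": "aadPreAuthentication",
        "isHttpOnlyCookieEnabled": True,
        "isSecureCookieEnabled": True,
    },
}
LATEST = copy.deepcopy(BASELINE)
LATEST["capturedOn"] = "2024-07-15"
LATEST["onPremisesPublishing"].update(
    internalUrl="https://qlik.corp.example/",
    externalAuthenticationType="passthru",  # pre-authentication no longer enforced
    isHttpOnlyCookieEnabled=False,
)

def diff_snapshots(old, new):
    """Return (severity, field, old_value, new_value) for every changed field."""
    if old["tenantId"] != new["tenantId"]:
        # Guards against comparing (or later restoring) across the wrong tenant.
        raise ValueError("snapshots come from different tenants")
    before, after = old["onPremisesPublishing"], new["onPremisesPublishing"]
    findings = []
    for field in sorted(set(before) | set(after)):
        was, now = before.get(field), after.get(field)
        if was == now:
            continue
        weakened = field in GUARDED and now != GUARDED[field]
        findings.append(("HIGH" if weakened else "INFO", field, was, now))
    return findings

if __name__ == "__main__":
    for severity, field, was, now in diff_snapshots(BASELINE, LATEST):
        print(f"{severity:4} {field}: {was!r} -> {now!r}")
```

Any `HIGH` finding means a guarded setting moved away from its expected value since the baseline and should be explained in the change note before the review is closed.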
The exact commands and queries I use
I keep these in a private Gist that I update every few months. Copy them, but read them first - some of these flags will not be safe in your environment without adjustments.
```powershell
# Sanity check the active subscription and tenant
az account show --query "{name:name, id:id, tenantId:tenantId}" -o table

# Baseline list for the in-scope surface
az ad app list --query "[?contains(displayName, 'Qlik')].{name:displayName, id:appId}" -o table

# PowerShell variant for the identity-side picture
Get-MgApplication -Filter "displayName eq 'Qlik Sense Hub'" | Format-List

# Confirm Microsoft Graph context for the running session
Get-MgContext

# Pull recent sign-in activity to confirm the change is observable
# (single quotes keep the shell from expanding $top as a variable)
az rest --method get --url 'https://graph.microsoft.com/beta/auditLogs/signIns?$top=5'

# A small smoke test before declaring the change done
Get-MgAuditLogDirectoryAudit -Top 5 | Format-Table ActivityDisplayName, ActivityDateTime
```
That last line is the one I forget to run. Every time I forget, I pay for it later when an auditor asks for the corroborating directory audit and I do not have it. Run the smoke test. Always.
A war story from Bengaluru
Here is a real one. I've seen this fail when a Bengaluru BI lead exposed Qlik Sense Hub to remote consultants in 6 hours without opening a single firewall port, and the timeline was tight. They had stood up the original configuration eight months earlier, never re-verified the alignment with Entra App Proxy plus Qlik Sense ticket authentication, and now had to produce a coherent sign-in evidence narrative in less than two weeks. The fix itself was 90 minutes inside the Entra admin centre. The lead time was 5 hours of cross-team scheduling. The total impact - three engineers off their normal sprint for the better part of a working week, plus a Rs 9,800 emergency consultancy retainer they had not budgeted for. All of it was avoidable. The controls were available. The documentation was not pinned to a date.
That is the thing about Entra documentation. The answer is almost always there. The issue is that the answer is on page 8 of a 13-page concept doc, and your change window is at 11 pm tonight. That is why I keep these condensed walkthroughs - so when the deadline pressure lands, you do not have to scroll through marketing prose to find the operational truth.
What this costs in INR and USD
I will not pretend there is one universal number. There is not. But for a small in-scope Entra tenant I help maintain, the monthly cost for publishing Qlik Sense Hub through Entra Application Proxy plus the Entra ID P1 or P2 licensing that supports it lands at around Rs 26,200 (roughly US$315) at current exchange rates. Add about 8-12% on top if you turn on the optional sign-in log retention and diagnostic settings I recommend below. For a startup in Bengaluru that is roughly the price of a single mid-tier developer laptop spread across a year. For an enterprise it is a rounding error. Either way, do not skip this to save Rs 1,800 per month. The next sign-in incident will cost 35 times that in lost productivity alone.
Gotchas I have collected the hard way
- Region drift. Microsoft sometimes lights up new Entra surface in one region weeks before another. I have been bitten twice. Check region availability against your Entra App Proxy plus Qlik Sense ticket authentication scope before you commit.
- Service principal accidents. A non-interactive workload running as a service principal can get caught by a Conditional Access policy you did not realise applied to it. Always check workload identity scoping.
- Scope creep. Publishing Qlik Sense Hub through Entra Application Proxy is often described in concept docs that reference adjacent capabilities. Read the scope statement carefully and underline every feature name. Anything not on that list is out of scope.
- Sign-in log retention. Entra sign-in logs default to 7 days for Entra ID Free and 30 days for P1. Plan for it. If you wait until day 45 to investigate an event, your evidence is gone unless you ship logs to Log Analytics.
- Diagnostic log cost. Sending sign-in logs to Log Analytics is cheap per row but adds up if you forget to set retention. I cap mine at 30 days unless audit requires more.
- Clause cherry-picking. Auditors sometimes quote a single sentence from the Entra App Proxy publishing pattern for on-premises analytics without context. Keep the surrounding paragraph in your evidence pack so you can defend the meaning.
How I verify the change actually worked
Verification is where most teams cut corners. I do not. Here is my checklist.
- Re-run the same query from a different machine. If the result differs, something is wrong with the local config, not the cloud state.
- Open the Entra admin centre in an incognito window and sign in with a least-privilege account to confirm the view matches expectations.
- Check the Microsoft Entra audit log for the past 15 minutes. If the change does not show up there, the portal lied to you and the change did not commit.
- Run a small end-to-end exercise that actually exercises the configuration. For a Conditional Access policy that means a real sign-in. For an App Proxy publish that means a real remote-user load. For a role assignment that means a real privileged action followed by a PIM activation audit entry.
- Wait 5 minutes and re-check. Some Entra cloud surfaces take that long to propagate.
If it goes wrong, here is how I roll back
Always have a rollback plan. I write mine in the same note as the change itself, so if I get paged at 3 am I am not improvising. For most changes to a Qlik Sense Hub publish through Entra Application Proxy, the rollback is one of three patterns. Either I re-apply the previous configuration from a saved JSON. Or I flip a Conditional Access policy back to report-only so it stops blocking sign-ins. Or, if it is a role change, I revert the assignment with `az role assignment delete`. None of these are dramatic. All of them need to be rehearsed before the incident, not during it. I keep a documented break-glass account excluded from every CA policy for exactly this reason.
How to apply this in your environment
- Treat this as a starting point. Your tenant is not my tenant. The SKU, region, and licence mix in your subscription will change what is sensible.
- Test in a non-production tenant first. Yes, even if you are confident. I have been surprised enough times to keep doing this.
- Pin your evidence. Capture the Entra portal version date, the tenant ID, the date, and the business reason it answers in your evidence folder.
- Cross-check Microsoft Learn one more time on the day you respond. Microsoft sometimes updates the canonical page between when you read it and when you ship the response.
- Schedule a 90-day review. Put it in your team calendar. The Entra App Proxy publishing pattern for on-premises analytics changes. Your evidence should too.
Caveats and what to double-check
- Microsoft renames Entra features regularly. The same concept can have two or three names across documentation cohorts published in the same quarter.
- Some capabilities described in the docs may still be in preview. Confirm general availability before you rely on the contractual SLA.
- Regional availability varies. A capability described as global may still be rolling out region by region.
- Pricing for the workloads that anchor publishing Qlik Sense Hub through Entra Application Proxy changes regularly. This page does not track pricing. Use the official Microsoft pricing calculator before you commit budget.
Related work in your environment
- Document this reference in your team wiki. Note which workloads depend on it today and which are planned.
- Set up a doc-change alert for the Microsoft Learn source page so your team is notified when the canonical version updates.
- Add a quarterly review to your governance cadence. Publishing Qlik Sense Hub through Entra Application Proxy is not a set-and-forget topic.
References
- Microsoft Learn - official documentation for publishing Qlik Sense Hub through Entra Application Proxy
- Microsoft Entra admin centre - tenant settings and Conditional Access
- Microsoft Graph reference - identity and Conditional Access APIs
- Microsoft Tech Community - peer discussion and operational notes