Microsoft Entra Application Proxy: MFA, SSO, Conditional Access, and User Management Guide 2026

Why Microsoft Entra Application Proxy Breaks , And Why the Error Messages Don't Help

You've got a legacy web app sitting on a server in your datacenter. It works perfectly on the corporate LAN. Now your remote workers need to reach it, without a VPN, without punching firewall holes, and with real modern authentication in front of it. That's exactly the problem Microsoft Entra Application Proxy was built to solve. And yet, here you are, staring at a 404, a blank screen, or an AADSTS error code that reads like a filing cabinet fell on you.

I've seen this setup go sideways on dozens of tenants, and almost every time the root cause falls into one of a handful of categories. The first is connector misconfiguration, specifically, publishing an application without actually assigning a working connector group to it. The second is the onPremisesPublishing property sitting at its default state, meaning the app exists in Entra ID but the proxy tunnel to your internal network was never opened. Third, and this one stings, is a Kerberos constrained delegation misconfiguration that lets IWA-based SSO silently fail with error AADSTS50058 or AADSTS75011, both of which tell you almost nothing useful about where the chain broke.

The Entra Application Proxy setup also trips people up because the configuration is split across two different Microsoft Graph API endpoints: the stable v1.0 endpoint for the application registration itself, and the beta endpoint for the onPremisesPublishing properties. If you run your PATCH against v1.0 expecting to set externalUrl or internalUrl, the call succeeds, and does nothing. The schema just silently ignores properties it doesn't recognize at that endpoint version. That silent failure is maddening to debug.

On top of that, the Azure AD Application Proxy connector service (now branded under Entra) sometimes goes stale after Windows updates or certificate rotations. The connector shows "active" in the portal for up to 30 minutes after it's actually stopped communicating, so the UI gives you false confidence. And if you've set appRoleAssignmentRequired to true on the service principal (which the applicationTemplates instantiation does by default), any user who hasn't been explicitly assigned will get an AADSTS65001 access error even if they're in the right group.

The Microsoft Entra Application Proxy configuration process using Microsoft Graph is genuinely powerful once it clicks. You can automate entire app publishing pipelines from a script. But the multi-step dependency chain, app creation, then URI config, then onPremisesPublishing, then connector group assignment, then SSO mode, then user assignment, means that skipping or mis-ordering any single step breaks the whole thing. This guide walks every step in the correct sequence, grounded in official Microsoft documentation.

Browse all Microsoft fix guides →

The Quick Fix, Try This First

If your Microsoft Entra Application Proxy app registration exists but the external URL isn't routing correctly, there's one PATCH call that fixes the majority of cases: setting the onPremisesPublishing block on the beta endpoint with isOnPremPublishingEnabled set to true.

A lot of admins create the app registration through the portal or via a script targeting v1.0, get the app ID, set the redirect URIs, and then wonder why nothing comes through. The missing piece is the onPremisesPublishing property, which only exists on the beta endpoint. Here's what that PATCH looks like:

PATCH https://graph.microsoft.com/beta/applications/{your-app-object-id}
Content-Type: application/json

{
  "onPremisesPublishing": {
    "externalAuthenticationType": "aadPreAuthentication",
    "internalUrl": "https://your-internal-app.contoso.com",
    "externalUrl": "https://your-app-contoso.msappproxy.net",
    "isHttpOnlyCookieEnabled": true,
    "isOnPremPublishingEnabled": true,
    "isPersistentCookieEnabled": true,
    "isSecureCookieEnabled": true,
    "isStateSessionEnabled": true,
    "isTranslateHostHeaderEnabled": true,
    "isTranslateLinksInBodyEnabled": true
  }
}

If that returns 204 No Content, you're on the right track. Now go check whether a connector group has been assigned to this application, that's the other half of the equation. If no connector group is linked, the proxy has nowhere to forward the traffic, and the external URL will time out every time.

One more quick check: open the Entra admin center, navigate to Enterprise Applications → [Your App] → Application Proxy, and confirm the connector group dropdown is not showing "None". If it is, jump to Step 4 in this guide before testing again.

For users getting access errors rather than routing errors, specifically the AADSTS65001 "user has not consented" or "no role assignment" variant, the fix is an explicit appRoleAssignment POST for each user. That's covered in Step 5.

Advanced Troubleshooting for Microsoft Entra Application Proxy

Diagnosing Connector Problems

When an Application Proxy connector appears active in the portal but traffic still isn't flowing, the first place to look is the connector's local Windows Event Log. On the connector server, open Event Viewer → Applications and Services Logs → Microsoft → AadApplicationProxy → Connector → Admin. Event ID 12003 indicates a bootstrap failure, usually a TLS certificate problem or a blocked outbound connection to *.msappproxy.net on port 443. Event ID 12007 means the connector registered successfully but can't reach the backend service. Event ID 12011 points to a token acquisition failure, often because the system proxy settings on the connector server are intercepting and breaking the HTTPS connection to Azure endpoints.

Also check the connector's network path. The connector needs outbound access to *.msappproxy.net, *.servicebus.windows.net, and Microsoft's login endpoints. Many corporate firewalls do TLS inspection, and the connector's certificate pinning will fail silently when a firewall re-signs the certificate. The fix is a firewall bypass rule for those domains, not disabling TLS inspection globally.

Kerberos Delegation Errors

IWA-based SSO is where the App Proxy connector earns its complexity budget. The connector has to perform Kerberos constrained delegation on behalf of the user, which requires:

1. The connector's Active Directory computer account delegated to the SPN you specified in kerberosServicePrincipalName.
2. That SPN registered on the correct service account in AD, and registered only once. Duplicate SPNs cause AADSTS50058 failures that are genuinely hard to trace.
3. The connector server able to reach a domain controller to request Kerberos tickets.

Run setspn -Q HTTP/your-internal-app.contoso.com from the connector server to verify the SPN exists and is unique. If setspn returns multiple accounts, you have a conflict. Clean it up before anything else.

For the delegation side, open Active Directory Users and Computers, find the connector's computer account, go to Properties → Delegation, and confirm it's set to Trust this computer for delegation to specified services only (constrained delegation), with the application's SPN listed. Protocol transition (Use any authentication protocol) is required if your users authenticate via forms-based login before the connector attempts Kerberos, which is the common scenario with aadPreAuthentication.

Using $select to Optimize Graph API Queries

When you query the connectors endpoint at scale, say, in a script that audits all connectors across a large tenant, the default response payload is substantial. Microsoft's own API tip surfaces this: use $select to specify only the properties you need. For connector health checks, ?$select=id,machineName,externalIp,status reduces payload size significantly and improves response time. For connector group audits, ?$select=id,name,connectorGroupType,isDefault,region gives you everything without the noise.

The onPremisesPublishing Beta Endpoint Trap

If you're automating App Proxy setup in a CI/CD pipeline and your PATCH calls return 204 but the properties aren't taking effect, double-check that every call touching onPremisesPublishing is going to graph.microsoft.com/beta, not graph.microsoft.com/v1.0. The v1.0 endpoint accepts the PATCH body without error but ignores any unknown properties, including the entire onPremisesPublishing block. This is a known developer experience issue that Microsoft has not resolved as of April 2026.

Conditional Access and MFA with Application Proxy

Conditional Access policies apply at the Entra pre-authentication layer when externalAuthenticationType is aadPreAuthentication. This means you can require MFA, compliant device state, specific named locations, or sign-in risk conditions before a user ever touches your internal application. Target the Conditional Access policy at the App Proxy application's service principal, not at "All cloud apps," to scope it precisely.

One trap: if your Conditional Access policy requires a compliant device and your users are on personal devices, they'll hit a block page at the proxy layer. The error will look like an application authentication failure, not a Conditional Access block, because the proxy redirects to an Entra error page before the user sees any app content. Use the Entra sign-in logs under Monitoring → Sign-in logs and filter by the application name to see the Conditional Access evaluation result. The "Conditional Access" tab on each log entry shows exactly which policies evaluated and what the outcome was.

Prevention & Best Practices for Application Proxy Deployments

Getting the initial setup right is only part of the job. A well-run Microsoft Entra Application Proxy deployment stays healthy through consistent operational practices, not just a one-time configuration pass.

Use dedicated connector groups per application boundary. Don't throw every app into the default connector group. Segment by geography (connector servers near the app they serve), by business unit, or by security tier. This isolation means a connector issue in one group doesn't affect unrelated apps, and it makes troubleshooting dramatically faster. The connector group's region property (returned as eur, aus, asia, ind, or nam in the API) should match the Azure region closest to your connector servers to minimize latency.

Deploy connectors in pairs. A single connector per group is a single point of failure. The Application Proxy service load-balances across all active connectors in a group, so two connectors means zero downtime during Windows patching. Keep connectors up to date, the auto-update feature is enabled by default and should stay that way. Outdated connectors stop working when the backend service advances its protocol version.

Document every Kerberos SPN before you deploy. Maintain a spreadsheet or wiki page that maps each App Proxy application to its SPN, the AD service account the SPN is registered to, and the connector computer account that has delegation permission. Kerberos SPN conflicts are almost impossible to debug without this documentation, especially after staff turnover. Run setspn -L {serviceaccount} quarterly to catch drift.

Test Conditional Access policies in report-only mode first. Before enabling an MFA or device compliance requirement on a newly published App Proxy app, switch the Conditional Access policy to Report-only mode for one week. Review the sign-in logs to see how many users would have been blocked. This catches edge cases, service accounts, shared workstations, break-glass scenarios, without impacting real users.

Clean up resources promptly. When decommissioning an App Proxy application, delete in reverse order: remove user assignments, delete the application (which also removes the service principal), then delete the connector group if it's no longer in use. Orphaned connector groups and service principals accumulate and create confusion in future audits. The Graph API DELETE calls for application cleanup return 204 No Content on success.

Frequently Asked Questions