Microsoft Application Proxy Passthrough Risks

Microsoft Application Proxy is a component of Entra ID that enables secure remote access to on-premises web applications. Application Proxy has many notable strengths, particularly its integration with Entra ID, which lets published applications reuse the existing Entra ID authentication methods, such as multi-factor authentication. However, none of these authentication methods are used if you configure an application with passthrough pre-authentication. Configuring passthrough comes with risks, and in this blog post I will discuss these risks and how to mitigate them.

Introduction

During a security assessment for a client, I discovered an application configured with passthrough pre-authentication. While Conditional Access policies and various security features were implemented in the cloud environment, this configuration raised concerns about potential authentication attacks on the on-premises environment. Specifically, setting passthrough as pre-authentication bypasses all cloud-based security measures, so malicious actors can send authentication attempts directly to the on-premises environment.

Organizations face significant risks when proper monitoring is not in place on internal servers or Domain Controllers. Before going into those risks, let me explain what an Application Proxy does.

Application Proxy

An Application Proxy is a cloud-based reverse proxy component that facilitates secure remote access to web applications hosted within internal networks. The proxy architecture consists of two primary components: the proxy service running in the cloud and the connector service installed on-premises.

The connector service establishes and maintains an outbound connection to the cloud service over port 443, eliminating the need for inbound firewall rules.

When external users attempt to access internal applications, their requests first hit the cloud-based proxy endpoint. The proxy service forwards these requests through the established tunnel to the connector service. The connector retrieves content from the internal application and returns it through the same tunnel. The entire traffic flow remains outbound only from the internal network’s perspective.

This architecture isolates internal applications from direct external access while maintaining seamless user connectivity. No DMZ or edge firewall modifications beyond standard HTTPS outbound access are required.

Note: Application Proxy and Microsoft Entra Private Access share the same infrastructure component: the Microsoft Entra private network connector.

Understanding Application Proxy enables us to explore its potential security risks.

Risks

Configuring an application with an Application Proxy requires three key elements: an internal URL, an external URL, and pre-authentication.

Image 1: Application Proxy with passthrough authentication

Here is what the pre-authentication looks like in this configuration.

Image 2: Authentication flow bypasses cloud security measures with passthrough authentication

Based on the authentication method configured on the internal application, the authentication flow directs users to either the internal URL or the Domain Controller. This architecture inadvertently enables malicious actors to perform brute-force or password spray attacks against both local server accounts and Domain User accounts. Without adequate monitoring, a successful credential compromise becomes a potential foothold for broader attacks across the organization’s services.

The situation is even more concerning. When organizations use services like Simple Certificate Enrollment Protocol (SCEP) with hybrid-joined devices, there is no straightforward way to set pre-authentication to Entra ID unless the devices are fully Entra ID joined. This leaves certain applications vulnerable to this attack.

Proof of Concept

The following Proof of Concept demonstrates these security risks in detail. The test environment consists of three core components: an application server, a proxy server, and a Domain Controller. Below is the architecture of our test environment.

Image 3: Server architecture test environment

The initial step requires installing the connector service on the proxy server. The connector is available for download in the Application Proxy section of Entra ID, and its installation process is straightforward.

Image 4: Download of the connector

The application server setup requires Internet Information Services (IIS) with the Windows Authentication feature installed.

Image 5: Configuration of IIS including Windows Authentication

The last step on the application server is to enable Windows Authentication and disable Anonymous Authentication for the site in IIS.

Image 6: Windows Authentication enabled and Anonymous Authentication disabled

Next, configure the application with Application Proxy using passthrough pre-authentication.

Image 7: Passthrough Authentication

When accessing the external URL, a login prompt appears. The subsequent authentication process reveals critical security considerations.

Image 8: Login using an application proxy

Let us log in with the username “attacker” and an incorrect password to see what happens.

Image 9: Local login attempt on server APP01

Now login with the username “domain\attacker” and an incorrect password to see what happens.

Image 10: Domain user login attempt on ADDS01

While this reflects the intended functionality, organizations must consider whether they have adequate monitoring measures to detect brute-force attempts and password spray attacks when using passthrough authentication.

Here is a script I created to test the authentication using PowerShell.

# Sends one Basic-authenticated request to the published external URL.
# The -Authentication parameter exists in PowerShell 7 only; remove it on
# Windows PowerShell 5.1.
try {
    $username = "domain\user"
    $password = ConvertTo-SecureString "WhateverPassword" -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($username, $password)

    # With passthrough pre-authentication the proxy does not challenge the client
    # itself; the credentials in the Basic header reach the internal application.
    $response = Invoke-WebRequest -Uri "https://external.msappproxy.net/" `
        -Credential $cred `
        -Authentication None `
        -UseBasicParsing `
        -Headers @{
            "Authorization" = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($cred.UserName):$($cred.GetNetworkCredential().Password)"))
            "Accept"="*/*"
            "User-Agent"="PowerShell Script"
        }

    Write-Host "Success! Status Code: $($response.StatusCode)"

} catch {
    # An HTTP 401 here means the internal application rejected the credentials
    Write-Host "Error occurred:"
    Write-Host "Status Code: $($_.Exception.Response.StatusCode.value__)"
    Write-Host "Error Message: $($_.Exception.Message)"
}
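The monitoring question raised above is the defender's side of the same picture: failed logons that the proxy relays arrive on the application server or the Domain Controller, so that is where spray and brute-force patterns have to be detected. The following detection routine is an added example and is not code from the original post. It runs over constructed failed-logon records with the properties Account, SourceHost and TimeCreated; in production those records would be read from the Security log (Event ID 4625 on the application server, 4776 or 4771 on a Domain Controller). The function name, thresholds and sample data are all assumptions made for the example.

```powershell
# Added example (not part of the original post): detection logic for the two
# attack patterns the post describes, run over constructed failed-logon records.
# In production the records would come from the Security log, for example:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }
# Logons relayed through Application Proxy reach the server from the connector
# host, so the source field identifies the connector, not the external client.

function Find-AuthenticationAttackPattern {
    [CmdletBinding()]
    param(
        # Objects with Account, SourceHost and TimeCreated properties
        [Parameter(Mandatory)] [object[]] $FailedLogons,
        [int] $WindowMinutes         = 10,
        [int] $SprayAccountThreshold = 5,   # distinct accounts from one source in the window
        [int] $BruteForceThreshold   = 10   # failures against one account in the window
    )

    $findings = @()
    $sorted   = @($FailedLogons | Sort-Object TimeCreated)

    # Password spray: one source cycling through many accounts in a short time.
    foreach ($source in ($sorted | Group-Object SourceHost)) {
        $events = @($source.Group)
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start    = $events[$i].TimeCreated
            $end      = $start.AddMinutes($WindowMinutes)
            $window   = @($events | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            $accounts = @($window | Select-Object -ExpandProperty Account -Unique)
            if ($accounts.Count -ge $SprayAccountThreshold) {
                $findings += [pscustomobject]@{
                    Pattern  = 'PasswordSpray'
                    Subject  = $source.Name
                    Start    = $start
                    Evidence = "$($accounts.Count) distinct accounts in $WindowMinutes min"
                }
                break   # one finding per source; later windows would repeat it
            }
        }
    }

    # Brute force: many failures against a single account in a short time.
    foreach ($account in ($sorted | Group-Object Account)) {
        $events = @($account.Group)
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start  = $events[$i].TimeCreated
            $end    = $start.AddMinutes($WindowMinutes)
            $window = @($events | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            if ($window.Count -ge $BruteForceThreshold) {
                $findings += [pscustomobject]@{
                    Pattern  = 'BruteForce'
                    Subject  = $account.Name
                    Start    = $start
                    Evidence = "$($window.Count) failures in $WindowMinutes min"
                }
                break
            }
        }
    }

    return $findings
}

# Constructed sample data: a spray across six accounts plus a brute-force burst
# against one service account, all arriving via the connector host PROXY01.
$t0 = [datetime]'2025-01-15T09:00:00'
$sample = @()
$n = 0
foreach ($user in 'alice', 'bob', 'carol', 'dave', 'erin', 'frank') {
    $sample += [pscustomobject]@{ Account = "domain\$user"; SourceHost = 'PROXY01'; TimeCreated = $t0.AddSeconds(30 * $n) }
    $n++
}
foreach ($k in 1..12) {
    $sample += [pscustomobject]@{ Account = 'domain\svc_backup'; SourceHost = 'PROXY01'; TimeCreated = $t0.AddMinutes(20).AddSeconds(10 * $k) }
}
# A single typo from an internal workstation must not be flagged.
$sample += [pscustomobject]@{ Account = 'domain\grace'; SourceHost = 'WS042'; TimeCreated = $t0.AddMinutes(40) }

Find-AuthenticationAttackPattern -FailedLogons $sample | Format-Table -AutoSize
```

On the sample data the function reports one PasswordSpray finding for PROXY01 and one BruteForce finding for domain\svc_backup, while the lone failure from WS042 is ignored. Because everything relayed by the proxy shares the connector as its source, grouping by source host alone will not separate an external attacker from legitimate remote users; the distinct-account count per window is the more reliable signal in this setup.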

Discovery

Having identified these risks, let us examine how to determine if your organization uses an Application Proxy with passthrough authentication.

If the private network connector is disabled, Application Proxy is not implemented, eliminating the need for further investigation.

Image 11: Private network connector disabled

Below is a PowerShell script that finds every application whose Pre Authentication is set to Passthrough. To check manually instead, apply the filter ‘Is App Proxy == Yes’ in Enterprise Applications and review the pre-authentication setting of each application.

Image 12: Enterprise Application filter for application proxy applications

Thanks to Loris Ambrozzo, I was able to use the Microsoft Graph API to automatically identify any vulnerable application.

# Requires the Microsoft.Graph PowerShell SDK; a read-only scope is sufficient.
Connect-MgGraph -Scopes "Application.Read.All"

# The list endpoint returns one page at a time, so follow @odata.nextLink
# until it is absent; otherwise only the first page of applications is checked.
$getAllApplications = @()
$pageUri = 'beta/applications?$select=id'
while ($pageUri) {
  $page = Invoke-MgGraphRequest -Method GET -Uri $pageUri
  $getAllApplications += $page.value
  $pageUri = $page.'@odata.nextLink'
}
$getAllApplicationsIds = $getAllApplications.id
$passthruApps = @()

foreach ($id in $getAllApplicationsIds) {
  try {
    # onPremisesPublishing is only exposed on the beta endpoint
    $uri = "beta/applications/$id"
    $uri += "?`$select=id,appId,displayName,onPremisesPublishing"
    $appDetails = Invoke-MgGraphRequest -Method GET -Uri $uri

    if ($appDetails.onPremisesPublishing -and $appDetails.onPremisesPublishing.externalAuthenticationType -eq "passthru") {
      Write-Host "Found an app set as passthru: $($appDetails.displayName) (Object ID: $id)" -ForegroundColor Green
      $passthruApps += $appDetails
    }
  }
  catch {
    # Do not swallow errors silently; an unreadable app could be a vulnerable one
    Write-Warning "Could not read application $id : $($_.Exception.Message)"
  }
}

Write-Host "Total apps with externalAuthenticationType 'passthru': $($passthruApps.Count)" -ForegroundColor Cyan

Mitigation

For applications using passthrough authentication, evaluate the following:

  • Whether adequate monitoring for brute-force and password spray attacks is in place
  • Whether the application can be reconfigured to use Entra ID pre-authentication
  • Whether the application can be decommissioned if it is no longer required
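For the second point, the same Graph property that the discovery script reads can also be written. The following is an added example and is not code from the original post or from Microsoft: it switches one published application from passthru to aadPreAuthentication through the beta applications/{id}/onPremisesPublishing endpoint. It assumes the Microsoft.Graph SDK is installed, that the signed-in account holds Application.ReadWrite.All, and that the object ID placeholder is replaced with an ID reported by the discovery script; the function name is an assumption made for the example.

```powershell
# Added example (not part of the original post): move one Application Proxy app
# from passthrough to Entra ID pre-authentication via the Microsoft Graph beta
# onPremisesPublishing endpoint. The write scope below is wider than the
# read-only scope the discovery script needs.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

function Set-AppProxyPreAuthentication {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ApplicationObjectId,
        # externalAuthenticationType accepts exactly these two values
        [ValidateSet('aadPreAuthentication', 'passthru')]
        [string] $AuthenticationType = 'aadPreAuthentication'
    )

    $appUri = "beta/applications/$ApplicationObjectId"
    $app = Invoke-MgGraphRequest -Method GET -Uri ($appUri + '?$select=id,displayName,onPremisesPublishing')

    if (-not $app.onPremisesPublishing) {
        throw "Application $ApplicationObjectId is not published through Application Proxy."
    }
    $current = $app.onPremisesPublishing.externalAuthenticationType
    if ($current -eq $AuthenticationType) {
        Write-Host "$($app.displayName) already uses $AuthenticationType; nothing to do."
        return
    }

    # Only the pre-authentication type is sent; the other publishing settings
    # (internal and external URL, connector group, ...) are left untouched.
    $body = @{ onPremisesPublishing = @{ externalAuthenticationType = $AuthenticationType } }

    if ($PSCmdlet.ShouldProcess($app.displayName, "change pre-authentication from $current to $AuthenticationType")) {
        Invoke-MgGraphRequest -Method PATCH -Uri "$appUri/onPremisesPublishing" -Body $body -ContentType 'application/json' | Out-Null

        # Read the object back so the change is confirmed rather than assumed
        $after = Invoke-MgGraphRequest -Method GET -Uri ($appUri + '?$select=onPremisesPublishing')
        Write-Host "$($app.displayName): $current -> $($after.onPremisesPublishing.externalAuthenticationType)"
    }
}

# Placeholder object ID: replace with an ID from the discovery script.
# Run with -WhatIf first to preview the change without writing anything.
Set-AppProxyPreAuthentication -ApplicationObjectId '<application-object-id>' -WhatIf
```

The function refuses to touch applications that are not published through Application Proxy and reads the object back after the PATCH so that a silent failure does not leave a passthru app reported as fixed. As the post notes, this change is not available for every application (the hybrid-joined SCEP case, for instance); where it is not, monitoring of the internal servers and Domain Controllers remains the compensating control.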

Conclusion

Application Proxy with passthrough authentication, while providing seamless access to on-premises applications, introduces significant security risks when implemented without proper monitoring controls. The ability to perform authentication attacks directly against internal servers or Domain Controllers, bypassing cloud security measures, makes this configuration particularly concerning.

Organizations should carefully evaluate their Application Proxy implementations, especially those using passthrough authentication. Regular security assessments, robust monitoring of authentication attempts, and consideration of alternative authentication methods are essential steps in maintaining a secure environment. Where possible, organizations should prioritize Entra ID authentication over passthrough authentication to leverage the full spectrum of cloud-based security controls.