# Application Proxy

Application Proxy publishes on-prem web applications to external users, who must sign in to Entra ID before being forwarded to the application. It has the following components:

* Endpoint: the external URL that users browse to in order to reach the on-prem application. External users must authenticate to AAD at this endpoint.
* Application Proxy service: runs in the cloud and passes the token issued by Entra ID on to the on-prem connector.
* Application Proxy Connector: an agent that runs on the on-prem infrastructure and relays traffic between the cloud proxy service and the on-prem application.

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FBgrSTFuXPzfWHLT7dewl%2Fazureappproxxy_hu0e2704d3d39a37a92e2cc48ef40136a9_94161_660x0_resize_box_3.png?alt=media&#x26;token=84edc085-64e6-4425-a5a9-75aec6b68336" alt=""><figcaption></figcaption></figure>

### Enumerate Application Proxies

```powershell
. .\Get-MgApplicationProxyApplication.ps1
[+] Access token retrieved successfully.
Retrieving applications from Microsoft Graph...
[+] Successfully retrieved applications.

Application Proxy used by application: 'Finance Management System'
External URL: https://fms-defcorphq.msappproxy.net/
Internal URL: http://deffin-appproxy/
External Authentication Type: aadPreAuthentication
```

Script:

{% code title="Get-MgApplicationProxyApplication.ps1" lineNumbers="true" %}

```powershell
# This script is a part of Attacking and Defending Azure - Beginner's Edition course by Altered Security
# https://www.alteredsecurity.com/azureadlab

# Get a Graph token from the current Az session (Connect-AzAccount must already have been run)
$token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/").Token

if (-not $token) {
    Write-Host "[-] Failed to retrieve access token." -ForegroundColor Red
    exit
} else {
    Write-Host "[+] Access token retrieved successfully." -ForegroundColor Green
}

# onPremisesPublishing is exposed on the beta endpoint
$applicationsUrl = "https://graph.microsoft.com/beta/applications"

Write-Host "Retrieving applications from Microsoft Graph..." -ForegroundColor Cyan
$applications = Invoke-RestMethod -Uri $applicationsUrl -Headers @{ Authorization = "Bearer $token" }

if (-not $applications.value) {
    Write-Host "[-] No applications found or failed to retrieve applications." -ForegroundColor Red
    exit
} else {
    Write-Host "[+] Successfully retrieved applications." -ForegroundColor Green
}

foreach ($application in $applications.value) {
    $objectId = $application.id
    $displayName = $application.displayName

    try {
        # Only applications published through Application Proxy carry this relationship
        $proxyUrl = "$applicationsUrl/$objectId/onPremisesPublishing"

        $proxyDetail = Invoke-RestMethod -Uri $proxyUrl -Method Get -Headers @{ Authorization = "Bearer $token" }

        if ($proxyDetail) {
            Write-Host ""
            Write-Host "Application Proxy used by application: '$displayName'" -ForegroundColor White
            Write-Host "External URL: $($proxyDetail.externalUrl)" -ForegroundColor White
            Write-Host "Internal URL: $($proxyDetail.internalUrl)" -ForegroundColor White
            Write-Host "External Authentication Type: $($proxyDetail.externalAuthenticationType)" -ForegroundColor White
        }
    } catch {
        # Applications that are not published through Application Proxy return an error here; skip them
    }
}
```

{% endcode %}
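As an added defender-side check (not part of the page or the course script above), the following triages the `onPremisesPublishing` values the enumeration returns: an `externalAuthenticationType` other than `aadPreAuthentication` (Graph's other value is `passthru`) means the public endpoint forwards requests without an Entra sign-in, and an `http://` internal URL means the connector-to-application hop is unencrypted. The sample objects are constructed and the function name `Get-AppProxyFindings` is hypothetical; in practice, feed it the `$proxyDetail` objects from the script with the application's `displayName` attached.

```powershell
# Added example, not from the page or the Altered Security script: triage Application Proxy
# publishing settings from a defender's point of view. Field names follow the Graph
# onPremisesPublishing resource; the objects below are constructed sample data.
$sampleProxies = @(
    [pscustomobject]@{
        displayName                = 'Finance Management System'
        externalUrl                = 'https://fms-defcorphq.msappproxy.net/'
        internalUrl                = 'http://deffin-appproxy/'
        externalAuthenticationType = 'aadPreAuthentication'
    },
    [pscustomobject]@{
        displayName                = 'Legacy Intranet (constructed)'
        externalUrl                = 'https://legacy-constructed.msappproxy.net/'
        internalUrl                = 'http://intranet.constructed.local/'
        externalAuthenticationType = 'passthru'
    }
)

# Hypothetical helper: emits one finding row per published application
function Get-AppProxyFindings {
    param([Parameter(Mandatory)][object[]]$Proxies)

    foreach ($p in $Proxies) {
        $findings = [System.Collections.Generic.List[string]]::new()
        $risk = 'Low'

        # Without Entra pre-authentication the public endpoint forwards unauthenticated
        # requests, so the app's own login page and any web flaw are reachable from the internet
        if ($p.externalAuthenticationType -ne 'aadPreAuthentication') {
            $findings.Add("external auth is '$($p.externalAuthenticationType)', not aadPreAuthentication")
            $risk = 'High'
        }

        # The connector-to-application hop runs over the internal network in cleartext
        if ($p.internalUrl -like 'http://*') {
            $findings.Add('internal URL uses plain HTTP')
            if ($risk -eq 'Low') { $risk = 'Medium' }
        }

        [pscustomobject]@{
            Application = $p.displayName
            ExternalUrl = $p.externalUrl
            Risk        = $risk
            Findings    = ($findings -join '; ')
        }
    }
}

Get-AppProxyFindings -Proxies $sampleProxies | Format-Table -AutoSize -Wrap
```

With the constructed data the finance application rates Medium (plain-HTTP internal URL only) and the passthru application rates High.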

### Vulnerabilities

Applications published through a proxy are often old or business-critical. Web vulnerabilities do not magically go away, so if the web app has such a vulnerability, it may be exploited through the proxy as well.
