Application Proxies allow access to on-prem web applications after sign-in to Entra ID. They have the following components:
Endpoint: the external URL that users browse to reach the on-prem application. External users must authenticate to Entra ID (AAD).
Application Proxy service: runs in the cloud and passes the token issued by Entra ID to the on-prem connector.
Application Proxy Connector: an agent that runs on the on-prem infrastructure and relays traffic between the cloud proxy service and the on-prem application.
Enumerate Application Proxies
. .\Get-MgApplicationProxyApplication.ps1
[+] Access token retrieved successfully.
Retrieving applications from Microsoft Graph...
[+] Successfully retrieved applications.
Application Proxy used by application: 'Finance Management System'
External URL: https://fms-defcorphq.msappproxy.net/
Internal URL: http://deffin-appproxy/
External Authentication Type: aadPreAuthentication
Script:
Get-MgApplicationProxyApplication.ps1
# This script is a part of Attacking and Defending Azure - Beginner's Edition course by Altered Security
# https://www.alteredsecurity.com/azureadlab
# Requires an existing Az session (Connect-AzAccount) with permission to read applications.
$token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/").Token
if (-not $token) {
    Write-Host "[-] Failed to retrieve access token." -ForegroundColor Red
    exit
} else {
    Write-Host "[+] Access token retrieved successfully." -ForegroundColor Green
}
$headers = @{ Authorization = "Bearer $token" }
$applicationsUrl = "https://graph.microsoft.com/beta/applications"
Write-Host "Retrieving applications from Microsoft Graph..." -ForegroundColor Cyan
# Graph returns applications in pages; follow @odata.nextLink so apps beyond the first page are not missed
$applications = @()
$nextUrl = $applicationsUrl
while ($nextUrl) {
    $page = Invoke-RestMethod -Uri $nextUrl -Headers $headers
    $applications += $page.value
    $nextUrl = $page.'@odata.nextLink'
}
if (-not $applications) {
    Write-Host "[-] No applications found or failed to retrieve applications." -ForegroundColor Red
    exit
} else {
    Write-Host "[+] Successfully retrieved applications." -ForegroundColor Green
}
foreach ($application in $applications) {
    $objectId = $application.id
    $displayName = $application.displayName
    try {
        # onPremisesPublishing is only populated for applications published through Application Proxy
        $proxyUrl = "$applicationsUrl/$objectId/onPremisesPublishing"
        $proxyDetail = Invoke-RestMethod -Uri $proxyUrl -Method Get -Headers $headers
        if ($proxyDetail) {
            Write-Host ""
            Write-Host "Application Proxy used by application: '$displayName'" -ForegroundColor White
            Write-Host "External URL: $($proxyDetail.externalUrl)" -ForegroundColor White
            Write-Host "Internal URL: $($proxyDetail.internalUrl)" -ForegroundColor White
            Write-Host "External Authentication Type: $($proxyDetail.externalAuthenticationType)" -ForegroundColor White
        }
    } catch {
        # Applications that are not published through Application Proxy return an error here; skip them
    }
}
Vulnerabilities
Applications behind a proxy are most likely old or business-critical applications. Web vulnerabilities do not magically go away, so if the web application has such a vulnerability, it can still be exploited through the proxy.
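To turn the enumeration output above into a review list, the following added example (not part of the course script) checks each onPremisesPublishing object for settings that widen exposure: externalAuthenticationType set to passthru (no Entra ID pre-authentication in front of the app), a plain-HTTP internalUrl, and the isSecureCookieEnabled / isHttpOnlyCookieEnabled flags. The sample data is constructed; the first entry mirrors the page's output and the second ("Legacy Helpdesk") is made up.

```powershell
# Added example: triage Application Proxy publishing settings (Graph beta onPremisesPublishing objects).
function Get-AppProxyFindings {
    param(
        [Parameter(Mandatory)] [string]$DisplayName,
        [Parameter(Mandatory)] $Publishing   # onPremisesPublishing object from Graph (or ConvertFrom-Json)
    )
    $findings = @()
    # passthru = no Entra pre-authentication; the app's own login page (and any web bug) is internet-reachable
    if ($Publishing.externalAuthenticationType -eq 'passthru') {
        $findings += 'No Entra pre-authentication (passthru): reachable from the internet without sign-in'
    }
    # the connector-to-app hop is plaintext when the internal URL is http://
    if ($Publishing.internalUrl -like 'http://*') {
        $findings += 'Internal URL is plain HTTP: connector-to-app traffic is unencrypted'
    }
    # cookie hardening flags exposed on the same object
    if ($Publishing.isSecureCookieEnabled -eq $false)   { $findings += 'Secure cookie flag disabled' }
    if ($Publishing.isHttpOnlyCookieEnabled -eq $false) { $findings += 'HttpOnly cookie flag disabled' }
    [pscustomobject]@{
        Application = $DisplayName
        ExternalUrl = $Publishing.externalUrl
        Findings    = $findings
    }
}

# Constructed sample standing in for two Graph responses; replace with live $proxyDetail objects
# collected by the enumeration script to run this against a real tenant.
$sample = @'
[
 {"displayName":"Finance Management System",
  "onPremisesPublishing":{"externalUrl":"https://fms-defcorphq.msappproxy.net/",
    "internalUrl":"http://deffin-appproxy/","externalAuthenticationType":"aadPreAuthentication",
    "isSecureCookieEnabled":true,"isHttpOnlyCookieEnabled":true}},
 {"displayName":"Legacy Helpdesk",
  "onPremisesPublishing":{"externalUrl":"https://helpdesk-example.msappproxy.net/",
    "internalUrl":"http://helpdesk.corp.local/","externalAuthenticationType":"passthru",
    "isSecureCookieEnabled":false,"isHttpOnlyCookieEnabled":true}}
]
'@ | ConvertFrom-Json

$sample |
    ForEach-Object { Get-AppProxyFindings -DisplayName $_.displayName -Publishing $_.onPremisesPublishing } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List
```

Both sample entries are reported because each uses a plain-HTTP internal URL; only "Legacy Helpdesk" additionally lacks pre-authentication and the Secure cookie flag.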