Skip to content

Latest commit

 

History

History
58 lines (39 loc) · 3.96 KB

az-application-proxy.md

File metadata and controls

58 lines (39 loc) · 3.96 KB
Raw

Az - Application Proxy

Support HackTricks and get benefits!

Basic Information

Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal.

It works like this:

  1. After the user has accessed the application through an endpoint, the user is directed to the Azure AD sign-in page.
  2. After a successful sign-in, Azure AD sends a token to the user's client device.
  3. The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token. Application Proxy then sends the request to the Application Proxy connector.
  4. If you have configured single sign-on, the connector performs any additional authentication required on behalf of the user.
  5. The connector sends the request to the on-premises application.
  6. The response is sent through the connector and Application Proxy service to the user.

Enumeration

# Enumerate applications with application proxy configured 
Get-AzureADApplication | %{try{Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}}

# Get applications service principal
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Name"}

# Use the following ps1 script from https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/scripts/powershell-display-users-group-of-app
# to find users and groups assigned to the application. Pass the ObjectID of the Service Principal to it
Get-ApplicationProxyAssignedUsersAndGroups -ObjectId <object-id>

References

Support HackTricks and get benefits!