Skip to main content

EntraID Application Proxy Configuration

Overview

This article provides step-by-step instructions for configuring Entra Tenant Application Proxy for use with Netwrix Directory Manager. The process includes installing the outbound connector, configuring the application proxy, updating URLs, and managing SSL certificates.

Instructions

Configure Entra Tenant Application Proxy

Entra Tenant Application Proxy configuration screen with key fields visible

Install Outbound Connector on Directory Manager Machine

Outbound connector installation window on Directory Manager machine

Configure Outbound Proxy

Outbound proxy configuration screen

Additional outbound proxy configuration options

Configure the Application

  1. Click Configure an App.

  2. Provide a suitable name for the application.

  3. Copy the external application URL:

    • Visible URL (as shown in the portal): https://GroupID10SSP-5l607h.msappproxy.net/GroupID/
    • HREF (link target provided by the portal): https://GroupID10SSP-5l607h.msappproxy.net/Directory Manager/

  4. Add the internal URL in the Application Proxy configuration:

    Application proxy configuration with internal and external URLs

Register the Application and Assign Users

  1. Go to App Registration and open All Applications.

    App Registration screen showing all applications

  2. Assign users to this application.

    Assigning users to the application in App Registration

Create and Upload an SSL Certificate

  1. Create an SSL certificate.

    SSL certificate creation window

    SSL certificate details screen

    SSL certificate management interface

  2. Upload the certificate.

    Upload certificate screen

NOTE: Self-signed certificates will not work. Add a public certificate instead. You can turn off SSL in the application proxy to test the configuration.

Update Portal URLs with External URLs (Application Proxy)

  1. Change the portal URLs to use the external URLs provided by the application proxy.

    Portal URL configuration screen

  2. Verify that the changes are reflected in the svc.client table and web.config file.

    The following web.config changes are required:

    • External URL (visible): https://GroupID10SSP-5l607h.msappproxy.net/GroupID/
    • External URL (HREF/target provided by portal): https://GroupID10SSP-5l607h.msappproxy.net/Directory Manager/

    web.config file showing updated external URL

  3. Edit the Issuer and Realm URLs as needed:

    Issuer and Realm URL configuration screen

  4. Update the svc.client table in the database with the return, error, and realm URLs.

NOTE: Paste all URLs with a forward slash at the end. For example: https://groupid10ssp-5l607h.msappproxy.net/Directory Manager/

svc.client table showing updated URLs