How to install the Application Proxy Connector and publish an on-premise web application or website in Microsoft Azure

In Microsoft Azure Active Directory you can publish web based (SaaS) applications and websites in a few different ways. The easiest way is via the Azure App Gallery, in that case you have added the application in just a few steps. If the application is not available in the Azure App Gallery you can add it manually. When adding the application manually you can either add cloud hosted web apps and websites or on-premise hosted web apps and websites.

The additional advantage of publishing on-premise web apps / website is that in many cases it is a good alternative for per-app-VPN connections from mobile devices. That’s why I want to show you how to publish an internal website (intranet) in this blog.

My demo environment

In my demo environment I have installed a new Windows 2016 server (EMS01.cec.local) with IIS configured. I created a simple website which serves as an intranet page for this demo 😊

As you can see the URL for this intranet page is; https://ems01.cec.local.

Installing the Application Proxy

Before you can publish internal websites / apps the Application Proxy needs to be installed on a local server that has access to the web app. Login to the Azure Portal to download the installation file.

Navigate to: Azure Active Directory > Enterprise Applications > Application proxy

Click on Download a connector

Click on Accept terms & Download

Run the installer and check I agree to the license terms and conditions (if you do) and click Install

Login with an Azure Global Administrator. After login, the Application Proxy will be register with your Azure tenant.

Click Close

Go back to the Application proxy page. As you can see the Application Proxy server is displayed as Connector with the status Active. Click on Configure an app to publish the first on-premise web app or site.

Fill in the following information;

Name: The name of the published on-premise web app or site (in my case Intranet)
Internal Url : In my case https://ems01.cec.local (this is the server where the on-premise web app or site is hosted)
External Url : Here you can configure the external URL, by default this ends with, but you can change this to your own external website (you have to configure additional DNS records in that case).

You also can configure the Pre Authentication method and the Connector Group (if you have multiple Application Proxy servers configured in a HA group).

Click the Add button to publish this application to Azure AD.

The final step is to assign this web application or site to a group of users. Therefor open the Users and groups tab and click Add user

Click Users and groups and select the user or group you want to assign this web app or site to. Click Select and Assign.

Optionally you can change the icon, and if it’s a web application, you can also configure the user provisioning, self-service and Single sign-in (SSO).

Test the results

Lets test the results. I will test it on a Windows 10 device outside the network that has no direct access to the server that host the Intranet website.

Open the Microsoft MyApps portal.

The “Intranet” is displayed between the applications.

As you can see, the internal Intranet website is displayed from a address outside the network.


  • Hi,
    Thank you for sharing this, it is really helpful and well described.
    I have one question, please. if I have more than 10 internal websites, do I need to install the connector on each web server or it is enough to have one stand-alone server with connector installed and use this server as a proxy to other websites.

    Thank you

  • Hi Carl, I have followed the above article but when testing from a web browser and managed browser outside of network i am getting below error message. Can you suggest where the error could be.

    This site can’t be reached’s server IP address could not be found.

  • Hi ,

    I ‘ve 10 onpremise applications.
    Do i need to install connector for each application or i can install one connector in one webserver. Please help.
    Or can i install one connector in different machine?

    • One connector is minimum as long as this connector has full access to every on-premise application (two connectors are recommended for High Availability).

About Robin Hobo

I am a Technology Specialist working for Microsoft with focus on the Modern Workplace. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.

For more information, see the About Me page or my LinkedIn profile.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.