Azure application gateway authentication integration with Entra ID

Atanas Georgiev 0 Reputation points
2025-07-30T10:16:47.2166667+00:00

Hello, I want to integrate Azure Application Gateway to authenticate with Entra ID on the gateway. I don't want to use the Entra ID auth on the backend or AD Application Proxy. The complete deployment is on Azure: I have a private subnet with a Linux VM in it, which runs a container exposed on a VM port. The Gateway has this as backend and health checks are working. I have a public IP on the Gateway, accepting incoming traffic and routing it to the app. The app could read a header from the token generated by Entra ID. I want to integrate the gateway to act as a proxy, so authentication happens on the Gateway, without additional resources. Then it passes the Entra ID token down to the app. I found that this may be a preview feature, but I can't find it in the preview features list. Please help with any ideas.


1 answer

  1. G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator
    2025-07-30T22:06:03.4133333+00:00

    Hello Atanas Georgiev

    We understand that you're trying to set up Azure Application Gateway to authenticate users with Microsoft Entra ID directly, without involving any backend resources for authentication.

    We suggest using Azure Application Gateway in front of an Azure App Service that uses Azure Active Directory (Entra ID) authentication. There are a few important considerations and configurations to ensure it works properly:

    1. App Service is configured with Azure AD authentication (via the Authentication/Authorization blade).

    2. Application Gateway acts as a reverse proxy with a public IP, forwarding traffic to the App Service.

    3. Users are redirected to Azure AD login by the App Service, not the gateway.

    • After login, the App Service validates the token and serves the app. Enable Azure AD authentication in the App Service and configure the redirect URI to match the App Gateway's public domain.

    1. Custom Domain & SSL:
      • Bind a custom domain to both the App Gateway and App Service.
      • Ensure SSL termination is handled properly: either terminate SSL at the gateway and forward HTTP to App Service, or use end-to-end SSL with a certificate on both ends.
    2. Rewrite Host Header:
      • Use rewrite rules in Application Gateway to set the Host header to match the App Service domain. This is critical for Azure AD to validate the redirect URI correctly.
    3. Configure health probes to target a non-authenticated endpoint (e.g., /health) to avoid 302 redirects to login.
    4. For more information, please refer to these articles:
      • https://techcommunity.microsoft.com/blog/appsonazureblog/setting-up-application-gateway-with-an-app-service-that-uses-azure-active-direct/392490
      • https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad?tabs=workforce-configuration

    Hope this helps you get that resource deleted! If this answers your query, do click "Upvote", which might be beneficial to other community members reading this thread.

    If the above is unclear or you are unsure about something, please add a comment below.

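The answer above leaves authentication to App Service (Easy Auth) and has the app read the result from a request header, while the gateway's health probe hits an unauthenticated path. The following is an added example, not code from the question, the answer, or any Microsoft project, showing what the backend side of that design looks like: a small handler that lets `/health` through without a principal, decodes the `X-MS-CLIENT-PRINCIPAL` header that App Service authentication injects (base64 JSON with `auth_typ`, `name_typ`, `role_typ` and a `claims` list of `typ`/`val` pairs), and enforces a role. The sample principal, the user name, the role names and the `handle_request`/`parse_client_principal` function names are all constructed for this example and are not from the page.

```python
import base64
import json

# Constructed sample of the JSON that App Service Easy Auth places, base64-encoded,
# in the X-MS-CLIENT-PRINCIPAL request header. All values are made up.
SAMPLE_PRINCIPAL = {
    "auth_typ": "aad",
    "name_typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "claims": [
        {"typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
         "val": "alice@example.com"},
        {"typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
         "val": "reader"},
        {"typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
         "val": "admin"},
        {"typ": "http://schemas.microsoft.com/identity/claims/objectidentifier",
         "val": "00000000-0000-0000-0000-000000000001"},  # placeholder object id
    ],
}

# Path the gateway probe targets; it must answer without authentication (see the
# answer's point 3), so the handler below never requires a principal for it.
HEALTH_PATH = "/health"


def encode_principal(principal: dict) -> str:
    """Encode a principal dict the way Easy Auth does, for building requests in tests."""
    return base64.b64encode(json.dumps(principal).encode("utf-8")).decode("ascii")


def parse_client_principal(header_value: str) -> dict:
    """Decode X-MS-CLIENT-PRINCIPAL into a dict with the user name, roles and all claims.

    Raises ValueError (or a subclass) on anything that is not valid base64 JSON of
    the expected shape, so callers can turn that into a 400 rather than crash.
    """
    raw = base64.b64decode(header_value, validate=True)  # binascii.Error is a ValueError
    data = json.loads(raw)
    if not isinstance(data, dict) or not isinstance(data.get("claims"), list):
        raise ValueError("principal JSON has unexpected shape")
    claims = {}
    for claim in data["claims"]:
        claims.setdefault(claim["typ"], []).append(claim["val"])
    names = claims.get(data.get("name_typ"), [])
    return {
        "auth_typ": data.get("auth_typ"),
        "name": names[0] if names else None,
        "roles": claims.get(data.get("role_typ"), []),
        "claims": claims,
    }


def handle_request(path: str, headers: dict, required_role: str = None) -> tuple:
    """Return (status, body) for a request that reached the app through Easy Auth.

    Headers are matched case-insensitively because proxies and WSGI servers differ
    in how they present header names.
    """
    if path == HEALTH_PATH:
        return 200, {"status": "ok"}

    lowered = {k.lower(): v for k, v in headers.items()}
    principal_b64 = lowered.get("x-ms-client-principal")
    if not principal_b64:
        # Easy Auth redirects unauthenticated browsers before they get here, so a
        # missing header means the request did not pass through it: refuse it.
        return 401, {"error": "no authenticated principal"}
    try:
        principal = parse_client_principal(principal_b64)
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed principal header"}
    if required_role and required_role not in principal["roles"]:
        return 403, {"error": f"role {required_role!r} required"}
    return 200, {"user": principal["name"], "roles": principal["roles"]}


if __name__ == "__main__":
    request_headers = {"X-MS-CLIENT-PRINCIPAL": encode_principal(SAMPLE_PRINCIPAL)}
    print(handle_request("/health", {}))
    print(handle_request("/admin", request_headers, required_role="admin"))
    print(handle_request("/admin", {}))
```

The header is only trustworthy because App Service authentication sets it after validating the Entra ID token and does not pass through a client-supplied copy; that holds only if the App Service cannot be reached except via the gateway, so restricting its inbound access to the gateway (and keeping `/health` out of the authentication requirement on the App Service side, which is an assumption about how the probe path is excluded rather than something the answer spells out) is part of the same design.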
