Entra · Application Proxy · For administrators

Entra Application Proxy abuse: a quiet tunnel into your network

An attacker who can publish through Application Proxy exposes an internal app to the internet over an on-prem connector, creating a durable inbound foothold that needs no VPN.

Application Proxy exists to publish internal apps to the internet without a VPN. In the wrong hands it publishes a tunnel straight into your network.

How the attack works

An attacker with sufficient rights publishes a new application through Entra Application Proxy pointing at an internal URL, then binds it to an on-prem connector group so inbound traffic is brokered into the network. Pre-authentication is weakened to passthrough, or a permissive assignment is added, so the external endpoint reaches the internal app with minimal challenge. Because the connector sits inside the network and dials out, this is a durable, reverse-tunnel-like foothold that does not depend on any one password. The Entra audit log records the publishing and connector-group events. In ATT&CK terms this is T1133, External Remote Services, used for persistence.

Why it works

App Proxy legitimately exposes internal apps, so a rogue publication blends in. Broad publishing or application-administration rights, combined with no inventory or alerting on App Proxy changes, let an attacker stand up an inbound path that survives credential resets. The root cause is over-broad publishing rights and unmonitored configuration.

How to fix it

The non-obvious move is that the path lives in the publication and the connector binding, not in a credential, and because the connector dials out, a perimeter firewall block does nothing. Remove the rogue published application and its connector-group binding, restore pre-authentication, and scope who can publish. Establish who reached the internal resource by correlating the App Proxy sign-in logs with the connector logs across the exposure window. Then inventory all published apps and connector groups against owners, restrict publishing rights, require pre-auth, and alert on publishing and connector changes.
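The inventory-and-alert step above, and the publication pattern described under "How the attack works", as an added example that is not code from the original note. It reviews an export of published applications against an owner inventory (flagging apps with no owner, passthrough pre-authentication, and connector groups no inventoried app uses) and diffs two exports to alert on new publications, pre-auth changes and connector-group rebinds. The record shape is an assumption: it follows the Microsoft Graph beta `onPremisesPublishing` resource (`externalUrl`, `internalUrl`, `externalAuthenticationType` with values `aadPreAuthentication` / `passthru`) plus a `connectorGroup` name assumed to have been added by whatever exported the data; the sample records, owners and URLs are constructed.

```python
"""Review Entra Application Proxy publications against an owner inventory
and alert on publishing / connector-group changes between two exports.

Added example; the record shape is assumed (Graph beta onPremisesPublishing
fields plus an exporter-supplied connectorGroup name), and all sample data
below is constructed.
"""
from dataclasses import dataclass

PREAUTH = "aadPreAuthentication"  # the value that means Entra pre-auth is on


@dataclass
class Finding:
    app: str
    severity: str
    reason: str


# Constructed owner inventory: published app -> owner and expected connector group.
OWNER_INVENTORY = {
    "HR Portal": {"owner": "hr-it@example.com", "connector_group": "Corp-Default"},
    "Intranet Wiki": {"owner": "collab@example.com", "connector_group": "Corp-Default"},
}

# Constructed export of three published apps; the third has no owner,
# passthrough pre-auth and an unfamiliar connector group.
APP_EXPORT = [
    {"displayName": "HR Portal", "connectorGroup": "Corp-Default",
     "onPremisesPublishing": {"externalUrl": "https://hr-example.msappproxy.net/",
                              "internalUrl": "https://hr.corp.example/",
                              "externalAuthenticationType": PREAUTH}},
    {"displayName": "Intranet Wiki", "connectorGroup": "Corp-Default",
     "onPremisesPublishing": {"externalUrl": "https://wiki-example.msappproxy.net/",
                              "internalUrl": "https://wiki.corp.example/",
                              "externalAuthenticationType": PREAUTH}},
    {"displayName": "svc-sync", "connectorGroup": "Lab-Connectors",
     "onPremisesPublishing": {"externalUrl": "https://svc-sync-example.msappproxy.net/",
                              "internalUrl": "http://10.0.5.20:8080/",
                              "externalAuthenticationType": "passthru"}},
]


def review_publications(apps, inventory):
    """Return findings for published apps that do not match the inventory."""
    findings = []
    known_groups = {v["connector_group"] for v in inventory.values()}
    for app in apps:
        pub = app.get("onPremisesPublishing")
        if not pub:
            continue  # not published through App Proxy
        name = app.get("displayName", "<unnamed>")
        group = app.get("connectorGroup")
        entry = inventory.get(name)
        if entry is None:
            findings.append(Finding(name, "high",
                            f"no owner on record; internalUrl={pub.get('internalUrl')!r}"))
        elif group != entry["connector_group"]:
            findings.append(Finding(name, "medium",
                            f"bound to {group!r}, inventory says {entry['connector_group']!r}"))
        if group not in known_groups:
            findings.append(Finding(name, "medium",
                            f"connector group {group!r} is not used by any inventoried app"))
        if pub.get("externalAuthenticationType") != PREAUTH:
            findings.append(Finding(name, "high",
                            f"pre-auth is {pub.get('externalAuthenticationType')!r}, not {PREAUTH!r}"))
    return findings


def diff_snapshots(baseline, current):
    """Alert on publications added/removed and on pre-auth, connector or target changes."""
    before = {a["displayName"]: a for a in baseline if a.get("onPremisesPublishing")}
    after = {a["displayName"]: a for a in current if a.get("onPremisesPublishing")}
    alerts = []
    for name in sorted(after.keys() - before.keys()):
        alerts.append(f"new publication: {name} -> {after[name]['onPremisesPublishing'].get('internalUrl')}")
    for name in sorted(before.keys() - after.keys()):
        alerts.append(f"publication removed: {name}")
    for name in sorted(before.keys() & after.keys()):
        b, a = before[name]["onPremisesPublishing"], after[name]["onPremisesPublishing"]
        for key in ("externalAuthenticationType", "internalUrl"):
            if b.get(key) != a.get(key):
                alerts.append(f"{key} changed on {name}: {b.get(key)!r} -> {a.get(key)!r}")
        if before[name].get("connectorGroup") != after[name].get("connectorGroup"):
            alerts.append(f"connector group changed on {name}: "
                          f"{before[name].get('connectorGroup')!r} -> {after[name].get('connectorGroup')!r}")
    return alerts


if __name__ == "__main__":
    for f in review_publications(APP_EXPORT, OWNER_INVENTORY):
        print(f"[{f.severity}] {f.app}: {f.reason}")
    for line in diff_snapshots(APP_EXPORT[:2], APP_EXPORT):  # baseline lacks svc-sync
        print("ALERT", line)
```

Run the review on a schedule against a fresh export and keep the previous export as the baseline; a new publication, a switch away from `aadPreAuthentication`, or a rebind to a different connector group should each page the owner of the app, and an app with no owner on record is the case the note's attack turns on.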

Practice it

We built this as a GraphLattice Range scenario so administrators can find the unexplained publication, close the inbound path, and lock down who can publish via App Proxy.