Azure App Proxy – How to Fix Login.aspx and Missing File Issues

 

If you are among the awesome many who have begun providing secure access to your internal apps using Microsoft’s Azure App Proxy (Part of Enterprise Mobility & Security / EMS / Azure AD Premium), you may have run into scenarios where the URLs don’t work quite like you need them.

If your app requires pointing to a specific page, or references files in directories above the one where the login page is located, you may have been left stumped as to how to make it work. In possibly the most under-the-radar release I’ve seen, Microsoft added new features to solve the issue, but they aren’t in the GUI. Documentation is spotty at best, so Microsoft Mercenary has your back with the following PowerShell script.

Example scenario: Microsoft Identity Manager (MIM) Portal

URL on Prem: https://mim.lab.microsoftmercenary.com:1111/IdentityManagement/default.aspx

If you put in the URL https://mim.lab.microsoftmercenary.com:1111/IdentityManagement/ login will work, but you’ll still get a wonky experience (that’s a highly technical term).


Why does it do this? Files that are not under the targeted URL (in this case the /identitymanagement/ folder) cannot be linked to, because App Proxy’s security mechanism prevents users from browsing outside of their intended app.

How do we fix it? Link a directory higher and assign a custom landing URL. It has side effects, but it’ll resolve the issue.

First, change your app URL; in this case it would be https://mim.lab.microsoftmercenary.com:1111/

Make sure you have all logos and customizations like external URL finalized – we’ll get to why in a moment.

Now, copy the following into a .ps1 file and run it in PowerShell x64 as Administrator. Admin is only required if you do not already have the AzureAD PowerShell module installed.

 

If prompted to install NuGet, go ahead


If prompted to install AzureAD Module, click Yes


If you do not want to run as admin or auto-install PowerShell modules, you can install the Azure AD PowerShell module manually.

 

Log in when prompted


Enter part of the URL to search your tenant (provides a shorter list)

PS C:\WINDOWS\system32> E:\SetCustomAppProxyHomepage.ps1
Search: Please enter part of the Apps existing homepage for the app you wish to modify.: mimportal

Details of the matches will be displayed. Copy the GUID of the one you wish to use and paste it into the prompt.

Example: b220c0d6-7beb-4a08-8cea-232a170eb06c

Next, enter the updated EXTERNAL URL that you wish to use, including the extra directory and page if needed. If needed, refer to your application’s “External URL” to figure out what to append here.

Done. Review the information to ensure it looks correct. Log into https://myapps.microsoft.com and test your app. As you can see below, it fixed our app:

image
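
The search, select and set steps above, as an added PowerShell example (not the original SetCustomAppProxyHomepage.ps1, which is not reproduced here). It assumes the AzureAD module is already installed and that the app's current homepage is still its external URL; the GUID and same-host checks are additions so that a mistyped value cannot point the landing page at a different app or host.

```powershell
#Requires -Modules AzureAD
# Added example, not the original script from this post.
# Assumption: the AzureAD module is installed and the app's Homepage
# currently holds its App Proxy external URL.

Connect-AzureAD | Out-Null

# 1. Search by part of the app's existing homepage (shorter list).
$search = Read-Host 'Part of the existing homepage / external URL'
$apps = @(Get-AzureADApplication -All $true |
    Where-Object { $_.Homepage -like "*$search*" })
if ($apps.Count -eq 0) { throw "No application homepage matches '$search'." }
$apps | Format-List DisplayName, Homepage, ObjectId | Out-Host

# 2. Select the app by ObjectId; accept only a GUID that was just listed.
$idText = (Read-Host 'ObjectId (GUID) of the app to modify').Trim()
$guid = [guid]::Empty
if (-not [guid]::TryParse($idText, [ref]$guid)) { throw 'That is not a GUID.' }
$app = $apps | Where-Object { $_.ObjectId -eq $guid.ToString() }
if (-not $app) { throw 'That ObjectId was not among the matches above.' }

# 3. Read the new landing URL and require https on the same external host,
#    so only the directory and page part of the URL can change.
$newText = (Read-Host 'New EXTERNAL URL, including directory and page').Trim()
$old = [uri]$app.Homepage
$new = $null
if (-not [uri]::TryCreate($newText, [System.UriKind]::Absolute, [ref]$new)) {
    throw 'The new homepage is not an absolute URL.'
}
if ($new.Scheme -ne 'https' -or $new.Authority -ne $old.Authority) {
    throw "The homepage must be an https URL on $($old.Authority)."
}

# 4. Apply the change, then print the stored values for review.
Set-AzureADApplication -ObjectId $app.ObjectId -Homepage $new.AbsoluteUri
Get-AzureADApplication -ObjectId $app.ObjectId |
    Format-List DisplayName, Homepage, ObjectId | Out-Host
```

Because the same-host check compares against the homepage stored at the time of the run, finalize the external URL in the portal first, as the post advises.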

Important note about changing an app with a custom URL: Since the GUI doesn’t have this functionality, if you modify your app in any way, this fix will be overwritten. It appears you can change users fine, but you cannot change the external URLs, or other fields on that Configuration page without having to re-run this script. This should be fixed with a later release.

Common Issues:

PowerShell shows errors: You MUST use PowerShell x64. To install NuGet or AzureAD Module, you MUST run as admin.

It didn’t find my Azure AD App: Use part of the external URL that is listed in the App’s page.

It was working great, then I made a change. Now it’s broken: Microsoft hasn’t updated their GUI to support this, so if you open the app and save any changes, it will revert the URL to whatever is in the box at the time. You will need to re-run this script every time the app is modified – or at least until this functionality is put into the GUI.