Q. What rules need to be enabled to allow Azure AD Application Proxy communication through Network Security Groups?
Use Azure AD Application Proxy from Azure IaaS where Network Security Groups are used.
June 2, 2015
Q. I wish to integrate with Azure AD Application Proxy from within Azure IaaS that uses Network Security Groups. What rules need to be enabled to allow the communication through Network Security Groups?
A. Azure AD Application Proxy (AAD App Proxy) publishes applications, typically hosted on-premises, through Azure. It works via a connector agent installed alongside the application: the connector opens only outbound connections to Azure, through which the applications are published, so no inbound ports need to be opened towards the application. The same connector can also run on an Azure IaaS VM to publish applications hosted in Azure VMs. If you use Network Security Groups (NSGs) to restrict traffic, you need rules that let the connector reach Azure outbound and let the connector reach the VMs hosting the applications.
The outbound ports the connector requires are documented for the connector, so the NSG protecting the connector VM needs rules allowing those outbound ports. Note that an NSG's default rules already allow all outbound traffic to the Internet, so an explicit allow rule is only needed where you have added a lower-numbered deny rule. Typically these ports are allowed to all destinations, because restricting them to the specific IP ranges used by Azure is very problematic to maintain.
If you do need to lock down the destination IPs, your rules must cover all the published Azure IP ranges. Those ranges change over time, so the rules have to be kept up to date as the ranges change, which is a recurring operational task rather than a one-off configuration. NSGs today also support service tags (Microsoft-maintained address groups referenced by name); whether a tag covers every endpoint the connector uses should be confirmed against the current connector documentation before relying on it.
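As an added example (not code from the original article or from Microsoft), the two rules described above expressed with the Az PowerShell module: an outbound rule on the connector VM's NSG and an inbound rule on the NSG in front of the published application VMs. The resource group, region, subnet ranges, rule names, the application port and the connector port list are assumptions; the port list in particular must be checked against the current Application Proxy connector documentation, since the documented set has changed since this answer was written.

```powershell
# Added example, not from the original article. Requires the Az PowerShell
# module and an existing Connect-AzAccount session. All names and address
# ranges below are assumptions for illustration.

$rg              = 'rg-appproxy'      # assumed resource group
$location        = 'westeurope'       # assumed region
$connectorSubnet = '10.0.1.0/24'      # assumed subnet of the connector VM
$appSubnet       = '10.0.2.0/24'      # assumed subnet of the published app VMs

# Outbound TCP ports the connector needs towards Azure. Assumed here from the
# current connector documentation; verify before relying on this list.
$connectorPorts = @('80', '443')

# Rule 1 (connector VM NSG): allow the connector to open outbound connections
# to Azure. The 'Internet' tag is used rather than individual Azure IP ranges,
# which change over time and would otherwise have to be maintained by hand.
$outbound = New-AzNetworkSecurityRuleConfig -Name 'allow-appproxy-outbound' `
    -Description 'App Proxy connector to Azure' `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
    -SourceAddressPrefix $connectorSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix 'Internet' -DestinationPortRange $connectorPorts

# Rule 2 (application VM NSG): only the connector subnet may reach the
# published application, here assumed to listen on TCP 443.
$inbound = New-AzNetworkSecurityRuleConfig -Name 'allow-connector-to-app' `
    -Description 'Only the App Proxy connector subnet may reach the app' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $connectorSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix $appSubnet -DestinationPortRange '443'

# Create one NSG per role so the connector rules and the application rules
# can be reviewed and changed independently.
$connectorNsg = New-AzNetworkSecurityGroup -Name 'nsg-appproxy-connector' `
    -ResourceGroupName $rg -Location $location -SecurityRules $outbound

$appNsg = New-AzNetworkSecurityGroup -Name 'nsg-published-apps' `
    -ResourceGroupName $rg -Location $location -SecurityRules $inbound

# Show the resulting rules for review before associating the NSGs.
$connectorNsg.SecurityRules | Format-Table Name, Direction, Access, Priority, DestinationPortRange
$appNsg.SecurityRules       | Format-Table Name, Direction, Access, Priority, SourceAddressPrefix
```

The groups still have to be associated with the connector VM's subnet or NIC and with the application subnet, and the allow rules must carry a lower priority number than any custom deny rule in the same NSG, otherwise the deny wins. If you later decide to lock the outbound rule down to specific Azure ranges, replace the `'Internet'` destination with the list of ranges and put a recurring check in place that compares that list against the currently published ranges.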