Password vaulting for single sign-on with application proxy

Microsoft Entra application proxy helps you improve productivity by publishing on-premises applications so that remote employees can securely access them. In the Microsoft Entra admin center, you can also set up single sign-on (SSO) to these apps. Your users only need to authenticate with Microsoft Entra ID, and they can access your enterprise application without having to sign in again.

Application proxy supports several single sign-on modes. Password-based sign-on is intended for applications that use a username and password combination for authentication. Microsoft Entra ID stores the sign-in information and automatically provides it to the application when your users access it remotely.

Prerequisites

This article requires that an app is published and tested with application proxy. To learn more, see Publish applications using Microsoft Entra application proxy.

Set up password vaulting for your application

  1. Sign in to the Microsoft Entra admin center as at least an Application Administrator.

  2. Browse to Identity > Applications > Enterprise applications > All applications.

  3. From the list, select the app that you want to set up with SSO.

  4. Select application proxy.

  5. Change the Pre Authentication type to Passthrough and select Save. You switch it back to the Microsoft Entra ID type later in this procedure.

  6. Select Single sign-on.

  7. For the SSO mode, choose Password-based Sign-on.

  8. For the Sign-on URL, enter the URL for the page where users enter their username and password to sign in to your app outside of the corporate network. The page could be the External URL that you created when you published the app through application proxy.

  9. Select Save.

  10. Select application proxy.

  11. Change the Pre Authentication type to Microsoft Entra ID and select Save.

  12. Select Users and Groups.

  13. To assign users to the application, select Add user.

  14. If you want to predefine credentials for a user, check the box in front of the user name and select Update credentials.

  15. Browse to Identity > Applications > App registrations > All applications.

  16. From the list, select the app that you configured with Password SSO.

  17. Select Branding.

  18. Update the Home page URL with the Sign on URL from the password SSO page and select Save.
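The procedure temporarily sets pre-authentication to Passthrough (step 5) and restores it in step 11, so it is worth confirming the end state once you finish. The following is an added example, not part of the original article or Microsoft's tooling: it audits exported application and service principal JSON offline, assuming the Microsoft Graph (beta) property names `onPremisesPublishing.externalAuthenticationType`, `preferredSingleSignOnMode`, `loginUrl` and `web.homePageUrl`; the sample objects and host names are constructed.

```python
# Added example: offline audit of the end state of the procedure above.
# Property names are assumed from Microsoft Graph (beta) application and
# servicePrincipal resources; the sample data below is constructed.
from urllib.parse import urlsplit

def _norm(url):
    """Compare URLs ignoring host/scheme case and a trailing slash."""
    p = urlsplit(url or "")
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"), p.query)

def audit_password_sso(app, sp):
    """Return a list of findings; an empty list means the expected end state."""
    findings = []
    publishing = app.get("onPremisesPublishing") or {}
    # Step 11: pre-authentication must be back on Microsoft Entra ID.
    if publishing.get("externalAuthenticationType") != "aadPreAuthentication":
        findings.append("pre-authentication is not Microsoft Entra ID")
    # Step 7: SSO mode is password-based sign-on.
    if sp.get("preferredSingleSignOnMode") != "password":
        findings.append("SSO mode is not password-based")
    # Steps 8 and 18: home page URL matches the sign-on URL.
    login_url = sp.get("loginUrl")
    home_url = (app.get("web") or {}).get("homePageUrl")
    if not login_url:
        findings.append("sign-on URL is empty")
    elif _norm(home_url) != _norm(login_url):
        findings.append("home page URL differs from sign-on URL")
    return findings

# Constructed sample: one app finished correctly, one left at step 5.
GOOD_APP = {"onPremisesPublishing": {"externalAuthenticationType": "aadPreAuthentication"},
            "web": {"homePageUrl": "https://expenses.example.com/login/"}}
GOOD_SP = {"preferredSingleSignOnMode": "password",
           "loginUrl": "https://Expenses.example.com/login"}
STALE_APP = {"onPremisesPublishing": {"externalAuthenticationType": "passthru"},
             "web": {"homePageUrl": "https://expenses.example.com/"}}
STALE_SP = {"preferredSingleSignOnMode": "password",
            "loginUrl": "https://expenses.example.com/login"}

if __name__ == "__main__":
    for name, app, sp in [("good", GOOD_APP, GOOD_SP), ("stale", STALE_APP, STALE_SP)]:
        print(name, audit_password_sso(app, sp) or "OK")
```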

Test your app

Go to the My Apps portal. Sign in with your credentials (or the credentials for a test account that you set up with access). Once you're signed in, select the icon of the app. Opening the My Apps portal might trigger the installation of the My Apps Secure Sign-in browser extension. If credentials are predefined, authentication to the app should happen automatically; otherwise, you must specify the user name or password the first time.

Next steps