Microsoft Entra ID Application Proxy is a cloud-based reverse-proxy service that publishes on-premises web applications for secure remote access without a traditional VPN. The platform pairs a Microsoft-hosted proxy service with a lightweight on-prem connector that uses outbound-only connections, so no inbound firewall ports need to be opened. By gating every session behind Entra ID authentication and Conditional Access policies, Application Proxy extends single sign-on and identity-based controls to legacy internal apps.
Its main features include:
Publishing on-premises web applications to remote users without deploying a VPN client.
Outbound-only connector agents that avoid opening inbound firewall ports, with connector groups for high availability and load balancing.
Native single sign-on and Conditional Access enforcement through Entra ID, included with P1 and P2 licenses.
If an organization is fully committed to Microsoft and mainly needs to publish on-prem Windows web apps to authenticated remote users, Entra ID Application Proxy is the path of least resistance — it's bundled with Entra ID P1/P2 and requires almost no new infrastructure.
Lead with Pomerium when the requirement is true zero-trust enforcement: continuous per-request authorization, fine-grained context-aware policy, multi-IdP and multi-cloud reach, and broader protocol support — without welding access control to a single identity vendor. Critically, this isn't either/or: Pomerium can use Entra ID as its identity provider, so it layers on top of an existing Microsoft investment rather than replacing it.
Choose Pomerium when the requirement is:
One consistent access policy across multiple clouds and on-prem
Heterogeneous or multi-IdP environments
True zero-trust: continuous, per-request authorization
Protecting non-HTTP / TCP services alongside web apps
Self-hosted, air-gapped, or vendor-neutral requirements

Choose Entra ID Application Proxy when the requirement is:
Organizations already standardized on Entra ID P1/P2
Publishing legacy on-prem Windows web apps to remote users
Minimal new infrastructure; Microsoft-managed plumbing
Teams that want SSO + Conditional Access at the login boundary
No appetite to operate their own proxy layer

Pomerium strengths:
Per-request authorization, not just authenticate-and-hand-off
IdP-agnostic — works with any OIDC/SAML provider
Context-aware policy down to route and method
Broad protocol and environment coverage
Self-hostable; no dependency on one vendor's cloud
Reviewers rate it easier to set up and administer

Entra ID Application Proxy strengths:
Near-zero infrastructure — Microsoft runs the service
Outbound-only connector; no inbound firewall ports
Bundled with existing Entra ID P1/P2 licensing
Tight, native integration with the Microsoft stack
Built-in HA and load balancing via connector groups

Pomerium limitations:
You operate it — more control means more responsibility
Not bundled into an existing Microsoft license
Requires deliberate deployment/topology decisions

Entra ID Application Proxy limitations:
Authorization is coarse — login-time, not per request
Locked to Entra ID; no multi-IdP support
Primarily HTTP/HTTPS web apps
Deep coupling to the Microsoft ecosystem and licensing
Limited reach across non-Microsoft clouds
They aren't mutually exclusive. Pomerium can use Entra ID as its identity provider, so it complements an existing Microsoft investment rather than ripping it out.
"VPN-less access" means different things here. App Proxy gets the right authenticated user to a published web app; Pomerium continuously authorizes every request against contextual policy.
Licensing shapes the decision. App Proxy rides along with Entra ID P1/P2, which can make it look "free" — but that value is tied to staying in the Microsoft ecosystem.
Scope of protection differs. If the estate includes non-HTTP services, multiple clouds, or multiple identity providers, App Proxy's boundaries show quickly.
Operational model is a real trade-off. Microsoft-managed simplicity vs. self-hosted control is the central tension — weigh it against the org's security posture and compliance needs.