Many organizations rely on Azure App Proxy (now Microsoft Entra application proxy) to publish on-premises applications to remote users without a VPN. The problem is not a bug in the service but a single configuration option that removes most of its value: "Passthrough" pre-authentication. Set it, and the identity controls the service is supposed to put in front of your application, Entra ID sign-in, MFA and Conditional Access, no longer apply to that app at all.
Microsoft designed the application proxy to eliminate the need for VPN connections or DMZ infrastructure. The on-premises connectors open outbound connections to the cloud service, so nothing has to be exposed inbound through the firewall, and the service itself becomes the only internet-facing entry point. That architecture is sound. The catch is what the service does with a request before it hands it to the connector.
Each published app has a pre-authentication mode. With "Microsoft Entra ID" pre-authentication, a user must sign in to Entra ID before the proxy forwards anything to the backend, and every policy attached to that sign-in applies: multi-factor authentication, Conditional Access, risk-based blocking, device requirements, user assignment. With "Passthrough", the proxy forwards the request straight to the on-premises application without any Entra ID sign-in, so the only thing standing between the internet and that app is whatever authentication the app does on its own. Microsoft's documentation describes passthrough as an option for legacy apps that must handle their own logins; in practice it is often left switched on because it made the initial setup "just work". Security write-ups in 2025 have drawn attention to how common that leftover is, and the attack against it needs nothing clever.
The attack is dead simple. Find a published app URL (the default ones are predictable, a tenant-specific name under msappproxy.net, and custom domains are often in public DNS), then hit its login form with credential stuffing or password spraying. No MFA. No Conditional Access. Because most internal apps published this way use Windows or forms authentication bound to on-premises Active Directory, every guess is tested against domain credentials, protected only by the app's own lockout behaviour and the AD account-lockout policy. A hit gives the attacker an authenticated session in the application, from the internet, with a working domain password in hand.
That foothold is worth far more than one app. The same domain credentials can be reused against anything else the organization has exposed, and inside the application the attacker can harvest whatever data and internal links it offers, then work toward privileged accounts and lateral movement. Not exactly what you want from your "security" solution.
Hybrid identity makes it worse. With password hash sync the same username and password work on-premises and in the cloud, so a password sprayed through a passthrough app is also the user's cloud password. The cloud side gets smart lockout, sign-in risk detection and a sign-in log; the on-premises side gets only what you collect yourself from domain controllers and application servers (event ID 4625 logon failures, IIS logs). How bad an incident gets depends largely on whether anyone is watching those logs. Spoiler alert: most organizations aren't watching them well enough.
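The on-premises monitoring the paragraph above asks for comes down to one detection: a single source address failing logons against many different accounts in a short window, and then succeeding. The following is an added example written for this article, not code from the original page or from Microsoft. It assumes the published app authenticates against Active Directory so that failures show up as Windows Security event 4625 (and successes as 4624) on the app server or domain controller, and it reads a constructed, simplified extract in the form `<ISO timestamp> <event id> <target user> <source ip>`; the field layout, the 10-minute window and the 8-account threshold are assumptions you would tune to your environment.

```python
"""Password-spray detection over simplified on-premises logon telemetry.

Added example, not code from the original article. Input lines are a
constructed extract of Windows Security events (4625 = logon failure,
4624 = logon success) in the assumed form
"<ISO timestamp> <event id> <target user> <source ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # assumed look-back window
DISTINCT_USERS_THRESHOLD = 8            # assumed spray threshold per source IP

# Constructed sample: one address sprays nine accounts and then logs on as
# "judy"; a second address is an ordinary user mistyping a password once.
SAMPLE_EVENTS = """\
2025-03-04T09:00:01Z 4625 alice 203.0.113.7
2025-03-04T09:00:09Z 4625 bob 203.0.113.7
2025-03-04T09:00:17Z 4625 carol 203.0.113.7
2025-03-04T09:00:25Z 4625 dave 203.0.113.7
2025-03-04T09:00:33Z 4625 erin 203.0.113.7
2025-03-04T09:00:41Z 4625 frank 203.0.113.7
2025-03-04T09:00:49Z 4625 grace 203.0.113.7
2025-03-04T09:00:57Z 4625 heidi 203.0.113.7
2025-03-04T09:01:05Z 4625 ivan 203.0.113.7
2025-03-04T09:01:13Z 4624 judy 203.0.113.7
2025-03-04T09:02:00Z 4625 bob 198.51.100.5
2025-03-04T09:02:30Z 4624 bob 198.51.100.5
"""


def parse_events(text):
    """Parse the simplified log into (timestamp, event_id, user, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(event_id), user.lower(), ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(text, window=WINDOW, threshold=DISTINCT_USERS_THRESHOLD):
    """Return alerts for sources that fail against many accounts, escalating on a later success.

    A spray is one source IP with >= threshold distinct target users failing
    inside the window. A 4624 from an already-flagged IP is escalated, since a
    success after a spray is the event that actually matters.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user)] inside the window
    flagged = set()                # ips already reported as spraying
    alerts = []
    for ts, event_id, user, ip in parse_events(text):
        # Drop failures older than the window before evaluating this event.
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        failures[ip] = recent
        if event_id == 4625:
            recent.append((ts, user))
            distinct = {u for _, u in recent}
            if len(distinct) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"severity": "high", "kind": "password_spray", "ip": ip,
                               "accounts": len(distinct), "at": ts.isoformat()})
        elif event_id == 4624 and ip in flagged:
            alerts.append({"severity": "critical", "kind": "spray_then_success", "ip": ip,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the sprayer is flagged at the eighth distinct account and the later success as `judy` from the same address produces the critical alert; the single mistyped password from 198.51.100.5 produces nothing. Keying on distinct accounts per source rather than failures per account is what separates a spray from a user who forgot a password, and it is also why AD account lockout alone does not catch it: one guess per account never trips the lockout counter.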
The fix isn't complicated. Inventory every published application and check its pre-authentication mode. Switch Passthrough to Microsoft Entra ID pre-authentication wherever the app can tolerate it, then attach a Conditional Access policy that requires MFA (and, ideally, a compliant or hybrid-joined device) to the app. Turn on "user assignment required" on the app's service principal so that only assigned users and groups can reach it even after signing in, and keep those assignments to the people who actually need the app. Where passthrough genuinely cannot be removed, treat the app as internet-exposed: make sure its own login enforces MFA or lockout, and watch the on-premises logon logs for it. Two housekeeping items also belong on the list, even though they are about reliability rather than the attack: connector hosts must support TLS 1.2, which the service requires, and each connector group should have at least two connectors so that a single host failure does not take the application offline. None of this replaces defence in depth behind the proxy; it restores the front door the proxy was supposed to provide.
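The configuration review above is worth automating, because the passthrough setting lives on each application object and is easy to miss in the portal. The following is an added example written for this article, not code from the original page or from Microsoft. It audits an offline JSON export of application and service principal objects whose shape follows the Microsoft Graph beta `onPremisesPublishing` resource (`externalUrl`, `internalUrl`, `externalAuthenticationType` with the values `passthru` or `aadPreAuthentication`, `isOnPremPublishingEnabled`) and the service principal's `appRoleAssignmentRequired` flag; how you obtain the export (Graph, the PowerShell SDK, az rest) is left to you, and the sample data below is constructed.

```python
"""Audit exported Entra application proxy apps for passthrough pre-auth and open assignment.

Added example, not code from the original article. Input: JSON arrays of
application and service principal objects shaped like the Microsoft Graph beta
`onPremisesPublishing` resource and `servicePrincipal.appRoleAssignmentRequired`.
The sample objects below are constructed.
"""
import json
from dataclasses import dataclass

# Constructed sample: three published apps plus one ordinary cloud app.
SAMPLE_APPLICATIONS = json.dumps([
    {"appId": "11111111-0000-0000-0000-000000000001", "displayName": "HR Portal",
     "onPremisesPublishing": {"externalUrl": "https://hr-contoso.msappproxy.net/",
                              "internalUrl": "http://hrweb.corp.contoso.com/",
                              "externalAuthenticationType": "passthru",
                              "isOnPremPublishingEnabled": True}},
    {"appId": "11111111-0000-0000-0000-000000000002", "displayName": "Finance App",
     "onPremisesPublishing": {"externalUrl": "https://finance.contoso.com/",
                              "internalUrl": "http://fin01.corp.contoso.com/",
                              "externalAuthenticationType": "aadPreAuthentication",
                              "isOnPremPublishingEnabled": True}},
    {"appId": "11111111-0000-0000-0000-000000000003", "displayName": "Legacy Wiki",
     "onPremisesPublishing": {"externalUrl": "https://wiki-contoso.msappproxy.net/",
                              "internalUrl": "http://wiki.corp.contoso.com/",
                              "externalAuthenticationType": "passthru",
                              "isOnPremPublishingEnabled": True}},
    {"appId": "11111111-0000-0000-0000-000000000004", "displayName": "Cloud Only App"},
])
SAMPLE_SERVICE_PRINCIPALS = json.dumps([
    {"appId": "11111111-0000-0000-0000-000000000001", "appRoleAssignmentRequired": False},
    {"appId": "11111111-0000-0000-0000-000000000002", "appRoleAssignmentRequired": True},
    {"appId": "11111111-0000-0000-0000-000000000003", "appRoleAssignmentRequired": True},
    {"appId": "11111111-0000-0000-0000-000000000004", "appRoleAssignmentRequired": False},
])


@dataclass
class Finding:
    app: str
    severity: str
    issue: str


def audit_app_proxy(applications_json, service_principals_json):
    """Return findings for every published app: passthrough pre-auth and open user assignment."""
    applications = json.loads(applications_json)
    sp_by_app_id = {sp["appId"]: sp for sp in json.loads(service_principals_json)}
    findings = []
    for app in applications:
        publishing = app.get("onPremisesPublishing")
        # Apps without onPremisesPublishing are not proxied; unpublished ones are not exposed.
        if not publishing or not publishing.get("isOnPremPublishingEnabled", False):
            continue
        name = app.get("displayName", app.get("appId", "?"))
        auth_mode = publishing.get("externalAuthenticationType")
        if auth_mode == "passthru":
            findings.append(Finding(name, "high",
                f"Passthrough pre-auth: {publishing.get('externalUrl')} reaches "
                f"{publishing.get('internalUrl')} without Entra ID sign-in, MFA or Conditional Access"))
        elif auth_mode != "aadPreAuthentication":
            findings.append(Finding(name, "medium",
                f"Unrecognised externalAuthenticationType {auth_mode!r}; verify in the portal"))
        sp = sp_by_app_id.get(app.get("appId"))
        if sp is None:
            findings.append(Finding(name, "medium", "No service principal in export; cannot check user assignment"))
        elif not sp.get("appRoleAssignmentRequired", False):
            findings.append(Finding(name, "medium",
                "User assignment not required: any signed-in tenant user can open the app"))
    return findings


if __name__ == "__main__":
    for f in audit_app_proxy(SAMPLE_APPLICATIONS, SAMPLE_SERVICE_PRINCIPALS):
        print(f"[{f.severity.upper():6}] {f.app}: {f.issue}")
```

On the sample, HR Portal gets both findings (passthrough and open assignment), Legacy Wiki gets only the passthrough finding, Finance App is clean, and the cloud-only app is skipped. The "unrecognised mode" branch is deliberate: an audit script that silently treats an unexpected value as safe is how a future enum value or an export quirk turns into a blind spot.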
Security is only as strong as its weakest link. Right now, for many organizations, that link is a radio button in the Entra admin center, quietly exposing an internal application, and the domain passwords behind it, to the whole internet.