Forum Discussion

IrvanR's avatar
IrvanR
Brass Contributor
May 16, 2025
Solved

Access On Premise Apps Using Entra Identity

I plan to switch to using Microsoft 365 using a new domain from my on-premise email. There are several on-premise applications that are accessed using on-premise identity with the old domain. For on...
Active Directory
microsoft entra
SSO
  • MRSrun's avatar
    MRSrun
    May 18, 2025

    Yes, you can still access your on-premise applications using Microsoft Entra ID, even after switching to Microsoft 365 with a new domain. Here are a few ways to make it work:

    • Entra Application Proxy
      This lets you publish on-prem apps to the internet securely. Users sign in with Entra ID, and you can set up single sign-on (SSO) if needed.
    • Hybrid Identity with Entra Connect
      If you sync your on-prem AD to Entra ID (using tools like Entra Connect), users can keep using their old credentials, and apps continue to work. Even if your primary email domain changes, you can still keep the old domain in the background for compatibility.
    • Keep the Old Domain in AD
      As long as the old domain still exists in your local AD and is synced or trusted, users can still access apps tied to it. You can add both domains to Entra ID if needed.

    In short, as long as the identity behind the apps is still valid (even if the domain changed), and you set up syncing or a proxy, your access should work.

IrvanR's avatar
IrvanR
Brass Contributor
May 20, 2025

Hi MRSrun​ 

For the old domain, for one reason or another I cannot add it to Entra ID, so the user account in Entra uses the new domain. Therefore, I cannot synchronize the user identity.

If so, can I use the Entra Application Proxy method to accommodate user access with Entra identity (new domain) to the on-premise application (old domain)?

MRSrun's avatar
MRSrun
Copper Contributor
May 21, 2025

You can use Entra Application Proxy to enable users with Entra ID credentials (email address removed for privacy reasons) to access on-premises apps tied to the old domain (olddomain.local), even without identity synchronization. The key is to configure user mapping and KCD correctly. If your apps require LDAP or complex authentication, consider Entra Domain Services or a third-party identity provider, but Application Proxy is likely sufficient. As long as we talking about webapps, when we talk about legacy apps it´s more complicated and it makes sense to have a Name of the application you´d like to use. With out this knowlege it is like searching in the dark.

Resources