Application Proxies

Enumerate

# list all application proxies (can take some time)
Get-AzureADApplication -All $true | %{try{Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectId;$_.DisplayName;$_.ObjectId}catch{}}
 
# get the service principal for the finance management system
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Finance Management System"}
 
# get users that are allowed to access the application
. C:\AzAD\Tools\Get-ApplicationProxyAssignedUsersAndGroups.ps1
Get-ApplicationProxyAssignedUsersAndGroups -ObjectId ec350d24-e4e4-4033-ad3f-bf60395f0362

Now we can browse to the exposed public URL, log in as a user who is allowed to access the application, and then look for web vulnerabilities to progress further.
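From the defender's side, the same cmdlets give an inventory of what is published and who can reach it. The following is an added example, not part of the original notes: the function names `Get-AppProxyInventory` and `Test-AppProxyRecord` are hypothetical, the sample records are constructed, and live use assumes the AzureAD module with an existing `Connect-AzureAD` session.

```powershell
# Added example. Function names are hypothetical; live use needs the AzureAD
# module and an existing Connect-AzureAD session.

# Build one record per application published through Application Proxy.
function Get-AppProxyInventory {
    foreach ($app in Get-AzureADApplication -All $true) {
        try   { $proxy = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId -ErrorAction Stop }
        catch { continue }                      # not an Application Proxy app
        $sp = Get-AzureADServicePrincipal -Filter "AppId eq '$($app.AppId)'"
        if (-not $sp) { continue }
        $assigned = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
            ForEach-Object { "$($_.PrincipalType):$($_.PrincipalDisplayName)" }
        [pscustomobject]@{
            DisplayName        = $app.DisplayName
            ExternalUrl        = $proxy.ExternalUrl
            PreAuth            = $proxy.ExternalAuthenticationType
            AssignmentRequired = $sp.AppRoleAssignmentRequired
            Assigned           = @($assigned)
        }
    }
}

# Flag records where the proxy itself does not restrict who reaches the app.
function Test-AppProxyRecord {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $issues = @()
        if ("$($Record.PreAuth)" -ne 'AadPreAuthentication') {
            $issues += "pre-authentication is '$($Record.PreAuth)'"
        }
        if (-not $Record.AssignmentRequired) {
            $issues += 'user assignment not required'
        }
        [pscustomobject]@{
            DisplayName = $Record.DisplayName
            ExternalUrl = $Record.ExternalUrl
            Assigned    = @($Record.Assigned).Count
            Issues      = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    }
}

# Constructed sample records (not from a real tenant) so the check runs offline.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Example App A'; ExternalUrl = 'https://app-a.example.invalid/'
                       PreAuth = 'Passthru'; AssignmentRequired = $false; Assigned = @() }
    [pscustomobject]@{ DisplayName = 'Example App B'; ExternalUrl = 'https://app-b.example.invalid/'
                       PreAuth = 'AadPreAuthentication'; AssignmentRequired = $true
                       Assigned = @('User:Example User', 'Group:Example Group') }
)
$sample | Test-AppProxyRecord | Format-List
```

Against a tenant, run `Get-AppProxyInventory | Test-AppProxyRecord` and review every application whose `Issues` field is not `none`, along with any assignment list that is broader than the application's intended audience.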