Monitoring with PowerShell: Monitoring Azure App Proxies

Some time back I made a YouTube video about how to use Azure App Proxy. This was received really well in a lot of the communities I frequent, but a worry popped up from someone recently: how am I sure that the Azure Application Proxy is always completely functional at my clients? You can monitor the service of course, but that does not mean that the entire connection to Azure is functional.

So, I’ve decided to share our monitoring script for Azure Application Proxy. You can use the Secure Application Model for this. One important note is that the Application Proxy needs to be enabled in the tenant, otherwise you’ll get a 401 or 403 error.

The Script

######### Secrets #########
$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'  | ConvertTo-SecureString -Force -AsPlainText
$RefreshToken = 'RefreshToken'
######### Secrets #########
write-host "Creating credentials and tokens." -ForegroundColor Green
  
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)
$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal
 
write-host "Connecting to Office365 to get all tenants." -ForegroundColor Green
Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken
$customers = Get-MsolPartnerContract -All
$AppProxies = foreach ($Customer in $Customers) {
  
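    # Request a Graph token for this customer's tenant (the original referenced an undefined $tenantid).
    $CustGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes "https://graph.microsoft.com/.default" -ServicePrincipal -Tenant $Customer.TenantId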
    $headers = @{ "Authorization" = "Bearer $($CustGraphToken.accesstoken)" }
    write-host "Looking for changed applications for $($customer.DefaultDomainName)" -ForegroundColor Green
    $ApplicationsURI = "https://graph.microsoft.com/beta/onPremisesPublishingProfiles/applicationProxy/connectors"
    (Invoke-RestMethod -Uri $ApplicationsURI -Headers $Headers -Method Get -ContentType "application/json").value

}

# Where-Object needs a script block to evaluate $_ per connector.
if ($AppProxies | Where-Object { $_.status -ne "Active" }) {
    write-host "One of the application proxies is not active. See results"
    $AppProxies

}
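The script above returns a flat list of connectors, so an alert does not say which tenant it belongs to, and a tenant without Application Proxy enabled just produces a 401/403 error. The following is an added example, not part of the original script: the function name `Get-AppProxyHealth`, its `-Query` parameter, the state names and the sample tenants are all assumptions made for illustration.

```powershell
# Added example: per-tenant connector health summary.
# -Query is a hypothetical parameter: a script block that returns connector
# objects carrying .machineName and .status, as the connectors endpoint does.
function Get-AppProxyHealth {
    param(
        [Parameter(Mandatory)] [string]      $TenantName,
        [Parameter(Mandatory)] [scriptblock] $Query
    )
    try {
        $connectors = @(& $Query)
    }
    catch {
        # 401/403 is what you get when Application Proxy is not enabled in the
        # tenant; report that separately from a genuine query failure.
        $response = $_.Exception.Response
        $code  = if ($response) { [int]$response.StatusCode } else { 0 }
        $state = if ($code -in 401, 403) { 'NotEnabled' } else { 'QueryFailed' }
        return [pscustomobject]@{ Tenant = $TenantName; State = $state; Inactive = @() }
    }

    # -ne is case-insensitive, so 'active' and 'Active' both count as healthy.
    $inactive = @($connectors | Where-Object { $_.status -ne 'active' })
    $state = 'Healthy'
    if ($connectors.Count -eq 0) { $state = 'NoConnectors' }
    elseif ($inactive.Count -gt 0) { $state = 'Unhealthy' }

    [pscustomobject]@{
        Tenant   = $TenantName
        State    = $state
        Inactive = @($inactive | ForEach-Object { $_.machineName })
    }
}

# Constructed sample data standing in for the Graph responses of two tenants.
$sample = @{
    'contoso.example'  = {
        [pscustomobject]@{ machineName = 'PROXY01'; status = 'active' }
        [pscustomobject]@{ machineName = 'PROXY02'; status = 'inactive' }
    }
    'fabrikam.example' = {
        [pscustomobject]@{ machineName = 'APP01'; status = 'active' }
    }
}
$report = foreach ($name in $sample.Keys) {
    Get-AppProxyHealth -TenantName $name -Query $sample[$name]
}
# Only tenants that need attention; 'NotEnabled' and 'Healthy' are filtered out.
$report | Where-Object { $_.State -in 'Unhealthy', 'NoConnectors', 'QueryFailed' }
```

Inside the customer loop, pass the existing `Invoke-RestMethod` call as the script block and use `$customer.DefaultDomainName` as the tenant name.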

And that’s it! As always, Happy PowerShelling!
