I ran into an interesting challenge recently. When using ADAL or MSAL, if you have web APIs on-prem that you need to protect with AzureAD, your web server will need to make an outbound call to AzureAD to verify authentication (it fetches the OpenID Connect metadata and signing keys used to validate the bearer tokens it receives).
Frequently these outbound calls are blocked (firewalls). And Microsoft has put up (laughable) guidance on this matter. Basically they ask you to create 50+ wildcard exceptions or 500-ish whitelisted IP addresses. Enough to give any IT security admin the heebie-jeebies.
One decent workaround however is for this server to route all its traffic through a proxy. That way, that one server is able to “get out” to AzureAD, without affecting firewall rules. The proxy then becomes the single egress point worth watching: scope it to the AzureAD endpoints the server actually needs, and log what goes through it, rather than turning it into general open egress.
In order to do so, just place the below in the web.config of your Web API, inside the root <configuration> element. The <defaultProxy> element applies to every outbound HTTP request the process makes, so the ADAL/MSAL calls pick it up without any code changes.
<system.net>
  <defaultProxy enabled="true">
    <proxy scriptLocation="http://addressofyourproxyscript.pac" />
  </defaultProxy>
</system.net>
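Before relying on this in production, it is worth confirming that the PAC script actually routes the AzureAD endpoints through the proxy, and that the proxy lets the metadata fetch through. The following is an added diagnostic (not code from the original post): a small .NET Framework console program that reads the process-wide proxy configured by the same <system.net><defaultProxy> block (copied into the console app's App.config) and resolves it for the OpenID Connect metadata URL that the token-validation middleware fetches. The endpoint https://login.microsoftonline.com/common/.well-known/openid-configuration is assumed; substitute the authority your API is configured with.

```csharp
using System;
using System.Net;

// Added diagnostic, not part of the original post.
// Assumes the same <system.net><defaultProxy> element from web.config has been
// copied into this console app's App.config, so WebRequest.DefaultWebProxy reflects it.
class ProxyCheck
{
    // Assumed AzureAD metadata document; this is what the bearer-token middleware
    // fetches on startup to obtain the issuer and signing keys. Adjust for your tenant.
    static readonly Uri Metadata =
        new Uri("https://login.microsoftonline.com/common/.well-known/openid-configuration");

    static void Main()
    {
        IWebProxy proxy = WebRequest.DefaultWebProxy;   // populated from <defaultProxy>
        if (proxy == null)
        {
            Console.WriteLine("No default proxy configured; outbound calls will go direct.");
            return;
        }

        if (proxy.IsBypassed(Metadata))
        {
            Console.WriteLine("AzureAD endpoint is on the bypass list; it will NOT use the proxy.");
            return;
        }

        // For a PAC-based proxy this evaluates the script's FindProxyForURL for our URL.
        // GetProxy returns the destination itself when the script answers DIRECT.
        Uri resolved = proxy.GetProxy(Metadata);
        if (resolved == null || resolved == Metadata)
        {
            Console.WriteLine("PAC returned DIRECT for AzureAD; the firewall must allow this host directly.");
        }
        else
        {
            Console.WriteLine("AzureAD traffic will be routed via proxy: " + resolved);
        }

        // End-to-end probe through the same proxy decision, so a blocked proxy ACL
        // or a PAC typo shows up here instead of as an opaque 401 from the API later.
        try
        {
            var request = (HttpWebRequest)WebRequest.Create(Metadata);
            request.Method = "GET";
            request.Timeout = 10000;
            using (var response = (HttpWebResponse)request.GetResponse())
            {
                Console.WriteLine("Fetched OIDC metadata, HTTP " + (int)response.StatusCode);
            }
        }
        catch (WebException ex)
        {
            // ProxyNameResolutionFailure, ConnectFailure and ProtocolError (e.g. 403 from
            // the proxy) are the usual signs that the egress path is not what you expected.
            Console.WriteLine("Outbound call failed: " + ex.Status + " - " + ex.Message);
        }
    }
}
```

Run it as the same Windows identity the application pool uses, since PAC downloads and proxy authentication can both differ per account; if the probe fails here, the web API will fail token validation in the same way.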