You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/identity/app-proxy/application-proxy-faq.yml
+11-12Lines changed: 11 additions & 12 deletions
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ metadata:
6
6
ms.service: entra-id
7
7
ms.subservice: app-proxy
8
8
ms.topic: faq
9
-
ms.date: 02/21/2025
9
+
ms.date: 12/29/2025
10
10
ms.author: kenwith
11
11
ms.reviewer: ashishj
12
12
ai-usage: ai-assisted
@@ -23,10 +23,19 @@ sections:
23
23
answer: |
24
24
No, the following configuration items are being used by app proxy and shouldn't be altered or deleted:
25
25
- Enable/Disable “Allow public clients flows”.
26
-
- CWAP_AuthSecret (Client secrets).
26
+
- Federated credentials.
27
27
- API Permissions.
28
28
Modifying any of the above configuration items on the App registration page breaks preauthentication for Microsoft Entra application proxy.
29
29
30
+
- question: |
31
+
An application proxy app's client secret (CWAP_AuthSecret) is nearing expiry or has already expired. What should I do?
32
+
answer: |
33
+
Application Proxy apps no longer rely on CWAP secrets. For apps using Entra ID pre-authentication, Federated Identity Credentials (FIC) are now used instead. FIC is more secure, do not expire, and require significantly less maintenance.
34
+
Applications configured with Passthrough pre-authentication or those using Access Tokens do not require Federated Identity Credentials — even if an FIC was previously created.
35
+
36
+
You can safely ignore any existing CWAP secrets in the app registration of your Application Proxy app and/or clean-up old or expired secrets.
37
+
For more information about Federated Identity Credentials, see [Overview of federated identity credentials in Microsoft Entra ID](/graph/api/resources/federatedidentitycredentials-overview).
38
+
30
39
- question: |
31
40
Can I delete an application proxy app from the App registrations page in the Microsoft Entra admin center?
32
41
answer: |
@@ -103,16 +112,6 @@ sections:
103
112
answer: |
104
113
No, this is currently not supported.
105
114
106
-
- question: |
107
-
What happens if I delete CWAP_AuthSecret (the client secret) in the app registration?
108
-
answer: |
109
-
The client secret, also called *CWAP_AuthSecret*, is automatically added to the application object (app registration) when the Microsoft Entra application proxy app is created.
110
-
111
-
The client secret is valid for one year. A new one-year client secret is automatically created before the current valid client secret expires. Three CWAP_AuthSecret client secrets are kept in the application object always.
112
-
113
-
> [!IMPORTANT]
114
-
> Deleting CWAP_AuthSecret breaks preauthentication for Microsoft Entra application proxy. Don't delete CWAP_AuthSecret.
115
-
116
115
- question: |
117
116
I'm using or want to use Microsoft Entra application proxy. Can I replace the "onmicrosoft.com" fallback domain of my tenant in Microsoft 365 as suggested in the article "Add and replace your onmicrosoft.com fallback domain in Microsoft 365"?
![learn-build-service-prod[bot]](https://avatars.githubusercontent.com/in/237442?v=4&size=40){kind=avatar}
0 commit comments