Solved

Query on Netskope RaaS Access Flow for Microsoft Entra ID

  • February 1, 2026
  • 2 replies
  • 63 views

tahadiwan01
Netskope Partner

Hello Everyone,

I have a few questions regarding Reverse Proxy as a Service (RaaS) configuration with Microsoft Entra ID.

We have configured Reverse Proxy as a Service (RaaS) with Microsoft Entra ID by following the official Netskope documentation below:

Reference Document:

https://docs.netskope.com/en/reverse-proxy-as-a-service-with-microsoft-entra-id-1

Configuration Summary

  • Created an Enterprise Application in Microsoft Entra ID for Reverse Proxy

  • Exchanged all required URLs and certificates between Entra ID and Netskope

  • Configured SAML Reverse Proxy on Netskope and selected “Reverse Proxy as a Service” as the application type

  • Shared the required URLs with the Entra application and completed Reverse Proxy configuration

  • Reverse Proxy redirection is working as expected

  • Created a DLP policy to block upload, download, and post actions for source code

  • DLP policy is enforced successfully when traffic goes through Reverse Proxy for Cloud apps

Observed Behavior

  • From a managed device (with Netskope Client installed):

    • Direct access to Outlook (https://outlook.office.com or https://outlook.com) bypasses Reverse Proxy

    • Accessing Outlook via MyApps → RaaS Application → Outlook routes traffic through Reverse Proxy
      (URL observed: https://outlook.office.com.rproxy.goskope.com)

    • DLP policies are enforced only on the *.rproxy.goskope.com URL

  • From an unmanaged device:

    • Reverse Proxy works as expected and all configured policies are applied, but only when access is via MyApps → RaaS Application → Cloud apps, e.g. Outlook

Questions

1) Reverse Proxy Access Flow

  • Is it expected behavior that users must first access the RaaS application from https://myapps.microsoft.com for Reverse Proxy to be applied?

  • Is Reverse Proxy designed to work only when access is initiated via the RaaS application, and not when users access cloud apps directly?

2) Use of Reverse Proxy on Managed Devices

  • Is it advisable or recommended to access cloud applications through Netskope Reverse Proxy from a managed device that already has the Netskope Client installed?

  • If yes, could you please explain why Reverse Proxy should be used instead of relying only on the Netskope Client for managed devices?

  • If no, please confirm whether the recommended design is:

    • Managed devices → Access cloud apps via Netskope Client

    • Unmanaged / BYOD devices → Access cloud apps via Reverse Proxy (RaaS)

Guidance and assistance on this matter would be greatly appreciated.

Best answer by sshiflett

2 replies

  • Netskope Employee
  • Answer
  • February 9, 2026

Good morning @tahadiwan01

Item 1: Reverse Proxy Access Flow

  • Yes, it’s expected behavior for the Reverse Proxy as a Service. There is limited ability to intercept the authentication flows between Microsoft and Entra ID. Reverse Proxy as a Service is a means to still apply this control.
  • Yes. Once your RPaaS flow is configured and working, you can evaluate using Conditional Access to restrict access to the cloud apps so unmanaged devices must use the RPaaS apps. Additionally, you can enable the Vanity URL feature for RPaaS so long as you aren’t using Universal Reverse Proxy. This provides a link to access the RPaaS directly.

Item 2: Use of Reverse Proxy on Managed Devices

  • No. Managed devices already have the Netskope client or another method to access cloud apps. Reverse Proxy is generally intended for unmanaged devices.
  • See above.
  • Your understanding is correct. Managed devices should use the client or another method. Reverse proxy is intended for unmanaged and BYOD access. The client provides broader coverage for all applications.
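
An added example, not part of the thread and not Netskope or Microsoft tooling: a small audit over constructed access records that flags unmanaged-device sessions reaching a protected app without the `.rproxy.goskope.com` hostname quoted in the question. The record fields, the `PROTECTED_APPS` list and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

RPROXY_SUFFIX = ".rproxy.goskope.com"  # suffix of the proxied URL quoted in the thread
# Assumption: apps the tenant expects to be inspected (constructed list).
PROTECTED_APPS = {"outlook.office.com", "outlook.com"}

def classify_host(url):
    """Return (app_host, via_reverse_proxy) for a full URL."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    # The suffix must end the hostname; a host that merely contains it is not proxied.
    if host.endswith(RPROXY_SUFFIX):
        return host[: -len(RPROXY_SUFFIX)], True
    return host, False

def is_protected(app_host):
    """True when the host is a protected app or one of its subdomains."""
    return any(app_host == a or app_host.endswith("." + a) for a in PROTECTED_APPS)

def coverage_gaps(records):
    """List (user, app) pairs where an unmanaged device reached a protected app directly."""
    gaps = []
    for rec in records:
        app, via_rp = classify_host(rec["url"])
        if not is_protected(app):
            continue
        # Managed devices are assumed to be steered by the Netskope Client,
        # so only unmanaged sessions that skip the reverse proxy are flagged.
        if not rec["managed"] and not via_rp:
            gaps.append((rec["user"], app))
    return gaps

# Constructed sample records; the field names are hypothetical, not a Netskope or Entra schema.
SAMPLE = [
    {"user": "alice", "managed": True, "url": "https://outlook.office.com/mail/"},
    {"user": "bob", "managed": False, "url": "https://outlook.office.com.rproxy.goskope.com/mail/"},
    {"user": "carol", "managed": False, "url": "https://outlook.office.com/mail/"},
    {"user": "dave", "managed": False, "url": "https://OUTLOOK.com./owa/"},
]

if __name__ == "__main__":
    for user, app in coverage_gaps(SAMPLE):
        print(f"unmanaged direct access: {user} -> {app}")
```

Sessions flagged here are the ones a Conditional Access restriction, as mentioned in the answer, would be expected to stop.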

tahadiwan01
Netskope Partner
  • Author
  • February 10, 2026

@sshiflett Thank you for your prompt response and clarification. I appreciate your support and the detailed explanation — it really helped me understand. Thank you so much.