I am still new to security and still learning the basics so was interested in getting some feedback on two Azure services.

Edit: We are a school and the applications host 4000+ parent and student records, including medical records, so security is very important. Threats would include disgruntled employees, students, staff and parents as well as outside actors. We are a small team of 3 (one of which is a level 1) but are supporting over 4000+ users, so we want to maintain a balance between simplicity and security as our resources are slim, hence the move to cloud services and analytics.

The first service we are considering is the Azure AD Application Proxy which reportedly provides secure remote access to on-prem applications. Microsoft doesn't seem to give many details around this service and it's not clear if it's protected by a firewall or is simply a reverse proxy. I understand they offer pre-authentication with Azure AD but again I am not sure if this protects us from SQL injection attacks or what the ramifications are of turning off pre-authentication. Do you think this service alone would offer adequate security?

Link to Microsoft article on the security of the service: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-security

The second option we are looking at is using the Azure Application Gateway (WAF) and a traditional DMZ to protect the app. This gives more control but we lose out on the proxy.

Both applications are web apps (browser), have SAML SSO with Azure AD and are hosted on VMs in Azure.

Andrew P
  • "Do you think this service alone would offer adequate security?" This is one of those "how long is a piece of string?" questions. What do you want to protect against and what are your threats? – schroeder Mar 26 '19 at 20:05
  • Thanks, @schroeder - we are a school and the applications host 4000+ parent and student records, including medical records, so security is very important. Threats would include disgruntled employees, students, staff and parents as well as outside actors. We are a small team of 3 (one of which is a level 1) but are supporting over 4000+ users, so we want to maintain a balance between simplicity and security as our resources are slim, hence the move to cloud services and analytics. – Andrew P Mar 26 '19 at 20:17
  • These are all excellent points to edit into your question. This ***radically*** changes the question. – schroeder Mar 26 '19 at 20:18
  • Azure Application Proxy is just a reverse proxy. Pre-authentication is enough protection from DDoS and password brute force, but that's all they provide. – Hardoman May 13 '19 at 15:05

0 Answers