.. _azure_proxy:

======================================
Microsoft Entra Application Proxy
======================================

This section documents how to publish a Peek deployment through Microsoft Entra
Application Proxy so that the Peek field app (iOS and browser) authenticates via
Entra ID before reaching the internal Twisted backend.

Architecture::

    iOS App / Browser
        |  HTTPS / WSS (Authorization: Bearer <token>)
        v
    Microsoft Entra Application Proxy  (Azure cloud)
        -> validates bearer token with Entra ID
        -> injects X-MS-CLIENT-PRINCIPAL header
        |
        v
    AADApplicationProxyConnector  (Windows VM in DMZ)
        |  internal HTTPS / WSS
        v
    Peek Linux server (Angular PWA + Twisted backend)

.. toctree::
    :maxdepth: 2
    :caption: Contents:

    AzureProxySetup
    WindowsVmSetup
    IosFieldAppSettings