We have an existing SAP BI 4.2 SP05 patch 2 system with WinAD SSO configuration, and have a new requirement to provide (external) access using Azure App Proxy - https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-single-sign-on-with-kcd
When accessing the BI server from the app proxy URL, WinAD SSO fails and the logon prompt is displayed; we can then only log on manually.
We have added the external URL as an SPN for the service account that BI runs under, and the BI service user trusts Kerberos delegation for all services.
The Azure app proxy is configured on the root (https://<external-FQDN>/ translates to https://<hostname>:8443/) and we are sending the on-premises SAM account name as the delegated logon identity. According to the Azure App Proxy link above, the Kerberos token from the on-premises AD is sent to the application for authentication.
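As an added example (not part of the original question), a PowerShell check over the AD objects involved in this hand-off: the SPNs on the BI service account, whether any of them is registered twice, and the delegation settings on both the service account and the App Proxy connector's computer account. The account, host and connector names are assumptions; it needs the ActiveDirectory RSAT module.

```powershell
# Added example: audit the AD side of an App Proxy (KCD) -> SAP BI Kerberos hand-off.
# All names below are placeholders; replace them with your own values.
Import-Module ActiveDirectory

$biServiceAccount = 'svc_sapbi'                # hypothetical BI service account
$externalFqdn     = 'bi.example.com'           # hypothetical App Proxy external FQDN
$internalHost     = 'bihost.corp.example.com'  # hypothetical internal BI host
$connectorHost    = 'appproxy-connector01'     # hypothetical connector computer name
$expectedSpns     = @("HTTP/$externalFqdn", "HTTP/$internalHost")

$acct = Get-ADUser -Identity $biServiceAccount -Properties ServicePrincipalName,
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

Write-Host "SPNs registered on $($acct.SamAccountName):"
$acct.ServicePrincipalName | ForEach-Object { Write-Host "  $_" }

foreach ($spn in $expectedSpns) {
    if ($acct.ServicePrincipalName -notcontains $spn) {
        Write-Warning "Missing SPN $spn on $biServiceAccount; tickets for that name cannot be issued to it."
    }
    # An SPN present on more than one object makes the KDC refuse tickets for it.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)") |
        Select-Object -ExpandProperty DistinguishedName
    if ($holders.Count -gt 1) {
        Write-Warning "SPN $spn is registered on several objects: $($holders -join '; ')"
    }
}

# Delegation posture of the service account. TrustedForDelegation is the
# 'trust for delegation to any service' (unconstrained) setting, which is
# broader than KCD requires; KCD works off msDS-AllowedToDelegateTo.
if ($acct.TrustedForDelegation) {
    Write-Warning "$biServiceAccount allows unconstrained delegation (any service)."
}

# The connector's computer account is the object that performs KCD: it must be
# allowed to delegate to the SPN entered as 'Internal Application SPN' in the
# App Proxy configuration.
$conn = Get-ADComputer -Identity $connectorHost -Properties 'msDS-AllowedToDelegateTo',
    TrustedForDelegation, TrustedToAuthForDelegation
Write-Host "Connector $connectorHost may delegate to:"
$conn.'msDS-AllowedToDelegateTo' | ForEach-Object { Write-Host "  $_" }
if ($conn.'msDS-AllowedToDelegateTo' -notcontains "HTTP/$internalHost") {
    Write-Warning "Connector $connectorHost is not allowed to delegate to HTTP/$internalHost"
}
if (-not $conn.TrustedToAuthForDelegation) {
    Write-Warning "Connector lacks 'use any authentication protocol' (protocol transition), which App Proxy KCD needs."
}
```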