To provide remote access to your on-premises web app (App1) using Microsoft Entra Application Proxy, the first step is: Install Microsoft Entra Connect.

 Why?

Microsoft Entra Connect synchronizes your on-premises Active Directory users/groups to Microsoft Entra ID.

Application Proxy requires user identities in Entra ID to authenticate and authorize access.

Without syncing on-premises identities, Entra ID has no users to grant access to App1.

Subsequent steps (after installing Entra Connect):

Install the Application Proxy Connector on an on-premises server (downloadable from Entra ID).

Publish App1 in Entra ID (configure the app's internal/external URLs, SSO, etc.).

Optional: Add named locations or configure conditional access policies for security.