We have recently added two new capabilities to Azure Active Directory that apply also for proxy applications:

More conditional access options

Conditional access to application means that you can apply application specific policies that are evaluated each time a user is trying to access the application. In this release we have added the ability to block access to applications when users are not located at their workplace based on their source IP address. Customers asked for this as they are deploying applications on separated cloud environments and they want to make these applications securely accessible to their employees without exposing them to the Internet. In the past, companies deployed expensive VPN to their cloud environment and had to deploy dedicated filtering solutions.

We keep working on adding more conditions to allow you to set more types of policies.

See more details here: http://blogs.technet.com/b/ad/archive/2015/06/25/azure-ad-conditional-access-preview-update-more-apps-and-blocking-access-for-users-not-at-work.aspx

Self-service access requests

Self service application access allow you to streamline the process of enrolling new users to applications. Instead of users making expensive support calls to your helpdesk, they can now find and request access to applications by themselves using the access panel portal. The approval process can be delegated to people in your organization that owns these applications. This is done without compromising on security and leaving the IT organization under control with full visibility, reporting and auditing of these actions. You can now apply all these capabilities also to on-prem applications and have a fully self-service process in minutes without deploying expensive on-prem tools. This is another benefit that Azure Active Directory can bring to your legacy on-prem applications without changing them.

See more details here: http://blogs.technet.com/b/ad/archive/2015/04/23/employee-self-service-app-access-for-azure-ad-now-in-preview.aspx