According to this article below the the app makes the call out to the Azure AD, which in turn s begins the conversation. So I would think that it would need a way to reach the Splunk search head from "outside". If this is correct assumption then it will need to either be natted or routed to the internal address where the search head lives. Correct?
https://msdn.microsoft.com/EN-US/library/office/dn707383.aspx
... View more