Revolutionize Remote Access with Microsoft Entra Private Access: Say Goodbye to VPNs!

Microsoft Entra Private Access

For more details about Microsoft Entra Global Secure Access, please see my earlier blog post: Securing the Modern Workforce: Microsoft Entra Global Secure Access and the Future of Network Security.

Exploring Microsoft Entra Private Access

Microsoft Entra Private Access is a cutting-edge solution that enables organizations to modernize how users access private applications and internal resources. By allowing administrators to define fully qualified domain names (FQDNs) and IP addresses as private or internal, Microsoft Entra Private Access eliminates the need for traditional VPN solutions for secure remote access.

Key Features and Benefits

  • Zero Trust-based Quick Access to IP addresses and FQDNs.
  • Per-app access for TCP and UDP applications.
  • Seamless traffic acquisition and co-deployment with existing SSE solutions.
  • Modernized legacy app authentication with Conditional Access integration.

Seamless Remote Access Without VPN

With Microsoft Entra Private Access, remote workers no longer need VPNs to access internal resources. The Global Secure Access Client seamlessly connects users to the resources they need, ensuring uninterrupted productivity.

Configuration Options for Private Resources

Microsoft Entra Private Access offers two ways to configure private resources:

  1. Quick Access: A primary group of FQDNs and IP addresses for broad, secure access.
  2. Global Secure Access App: A granular approach to specify a subset of private resources for per-app access.

Zero-Trust Access Model

Built on the principles of Zero Trust, Microsoft Entra Private Access ensures secure access to internal resources using Conditional Access policies. This provides an easy, one-time configuration for administrators while maintaining robust security controls.

Integration with Conditional Access Policies

Apply Conditional Access policies to Quick Access and Private Access apps to enforce security measures like multifactor authentication (MFA), device compliance, or Microsoft Entra hybrid joined devices.

Prerequisites

Before setting up Microsoft Entra Private Access, ensure the following:

  1. Administrators must have the Global Secure Access Administrator role.
  2. Licensing requirements are met.
  3. End-user devices must have the Global Secure Access Client installed.

Configuration Steps

Setting Up Quick Access

Entra Private access diagram quick access
Image Source: Microsoft
  1. Set up a Microsoft Entra private network connector and connector group.
  2. Enable the Private Access traffic forwarding profile.
  3. Configure Quick Access for broad access to private resources.
  4. Install and configure the Global Secure Access Client on user devices.

After completing these steps, users can securely access private resources through Quick Access.

Configuring Per-App Access

Entra Private access diagram global secure access
Image Source: Microsoft
  1. Set up a private network connector and connector group.
  2. Enable the Private Access traffic forwarding profile.
  3. Create a private Global Secure Access application.
  4. Define private apps for segmented access.
  5. Install and configure the Global Secure Access Client on user devices.

Configuring and Testing Entra Private Access

Now, let's configure Microsoft Entra Private Access and test both Quick Access and Per-App Access. Setting up the Private Network Connector, creating a Connector Group, enabling the Private Access Traffic Forwarding Profile, and installing and configuring the Global Secure Access Client on user devices are common steps for both Quick Access and Per-App Access. The primary difference lies in application segmentation and user assignments. Let's dive into the step-by-step process.


Open the Microsoft Entra portal and select Global Secure Access. Navigate to the Dashboard. If this is your first time accessing it, you may be prompted to activate Global Secure Access.
Entra Global Secure Access Activation

After activation, the Global Secure Access dashboard will appear as shown in the screenshot below. Since there is currently no traffic flowing through the service, most of the dashboard items will remain empty.
Global Secure Access dashboard

1. Set up a private network connector and connector group

To learn more about the Microsoft Entra Private Network Connector, please refer to my blog post: Microsoft Entra Private Network Connector: A Comprehensive Guide to Secure Internal Access.

Sign in to the Microsoft Entra admin center using an Application Administrator or Global Administrator account.
Navigate to Global Secure Access > Connect > Connectors.
Select Download connector service.

Private Network Connectors

Read the Terms of Service. When you're ready, select Accept terms & Download.
Private Network Connector Download

Run the connector installer file and follow the wizard to complete the installation of the service. When prompted to register the connector with the Application Proxy service for your Microsoft Entra tenant, enter your Application Administrator credentials.
You may be prompted to restart the server if required.
Private Network Connector Installation

You can use the Global Secure Access portal to verify that a newly installed connector has been installed and registered correctly.

Sign in to the Microsoft Entra admin center.
Navigate to Global Secure Access > Connect > Connectors.

On this page, you will see all your connectors and connector groups.

Verify Connector Details:

Private Network Connector status


Creating Connector Groups:

Use private network connector groups to assign specific connectors to specific applications, providing greater control and optimizing your deployments.

Key Features of Connector Groups:

  • Assignment and Grouping: Each private network connector is assigned to a connector group. Connectors within the same group function as a unit for high availability and load balancing.
  • Default Group: By default, all connectors are placed in a single default group. However, you can create and manage new connector groups in the Microsoft Entra admin center.
  • Location-Based Optimization: Connector groups are especially useful when applications are hosted in different locations. By creating groups based on location, applications can use connectors that are physically closer, improving performance and reducing latency.

Best Practices for Large Deployments:

  • Avoid assigning applications to the default connector group in large application proxy deployments. This ensures new connectors don’t handle live traffic until explicitly assigned to an active group.
  • Use the default group as an idle mode for connectors by moving them back to the group during maintenance, minimizing user impact.

By using connector groups effectively, you can improve control, performance, and the overall reliability of your deployment.

To create and manage connector groups:

  1. Go to Global Secure Access > Connect > Connectors.
  2. Select New connector group.
    New Connector Group

  3. Provide a name for your new connector group.
  4. Use the dropdown menu to select the connectors you want to include in the group.
  5. Click Create.
New Connector Group Configuration
In my example, I have deployed a single connector, so I have selected only that one connector.
The connector group is created and ready for use.
Connector Group Ready

Important: To enable the Private Network Connectors, click on the Enable Private Network Connectors option in the Connectors menu under Global Secure Access.

Enable Private Network Connectors


2. Enable the Private Access traffic forwarding profile

Traffic forwarding profiles in Global Secure Access allow you to apply policies to secure and manage your organization's network traffic. These profiles evaluate network traffic based on the configured traffic forwarding policies, directing it to the appropriate apps and resources.

Traffic Forwarding Overview

Traffic forwarding enables you to determine which types of network traffic are tunneled through Microsoft Entra Private Access and Microsoft Entra Internet Access services. Profiles are configured to specify how traffic is managed.

Traffic Evaluation:

Traffic entering Global Secure Access is evaluated sequentially:

  • Microsoft Access Profile
  • Private Access Profile
  • Internet Access Profile

Any traffic not matching these profiles is not forwarded to Global Secure Access.

Configurable Options in Traffic Forwarding Profiles

For each traffic forwarding profile, you can configure:

  1. Target Users: Determine which users will receive the traffic forwarding profile and how they connect to the service.
  2. Traffic Rules: Define the type of traffic to forward to the service.
  3. Conditional Access: Specify which Conditional Access policies to apply.

Private Access Profile

The Private Access Profile is designed to route traffic to your private resources securely:

  • Traffic Configuration: Requires specifying the fully qualified domain names (FQDNs) and IP addresses of private apps and resources to be forwarded to the service.
  • Global Secure Access Client: Private Access traffic must be tunneled through the Global Secure Access desktop client, enabling remote workers to connect to internal resources without requiring a VPN.
  • Security and Control: Microsoft Entra Private Access features allow you to apply Conditional Access policies to manage access to private resources.

Once configured, all settings can be monitored and managed from a centralized location.

Known Limitations
  • Client Dependency: Private Access traffic can only be forwarded using the Global Secure Access Client and not from remote networks.
  • IP Address Restriction: Tunneling by IP address is supported only for IP ranges outside the local subnet of the end-user device.
  • DNS Over HTTPS (DoH): You must disable DNS over HTTPS (Secure DNS) to tunnel traffic based on FQDN rules in the traffic forwarding profile.

How to Enable the Private Access Traffic Forwarding Profile

Sign in: Log in to the Microsoft Entra admin center as a Global Secure Access Administrator.

Navigate: Go to Global Secure Access > Connect > Traffic Forwarding.

Enable Profile: Select the checkbox for the Private Access Profile to enable it.

Enabling this profile directs Global Secure Access clients to acquire traffic.


Enabled profile Status:

Private Access Profile Enabled

User and Group Assignments for Traffic Forwarding Profiles

With Global Secure Access, you can scope the Private Access Profile to specific users and groups. This allows you to control which users and groups are assigned to both the Private Access apps and the traffic forwarding profile.

Assigning Users and Groups to Traffic Forwarding Profiles
  • Controlled Rollout: You can assign specific users or groups to a traffic forwarding profile, limiting its scope and ensuring a safe, phased deployment.
  • Default Assignments:
    • If a traffic forwarding profile is already enabled, it is assigned to all users by default.
    • If the profile hasn’t been enabled yet, it will start with zero users assigned when activated.
  • Custom Assignments: Use the User and Group Assignments setting to control the rollout of the feature by targeting specific users or groups.

Notes on User Identity and Group Assignments

Consider the following when managing user and group assignments:

1. Traffic Profile Fetching:

  • Traffic profiles are fetched based on the Microsoft Entra user logged into the device, not the user logged into the client.
  • If no Microsoft Entra user is logged in, the traffic profile is only fetched if it is assigned to all users. For example, logging into the device as a local admin includes you as part of the "all users" group.

2. Simultaneous Logins:

  • Multiple users logging into the same device at the same time are not supported.

3. Group-Based Assignments:

  • Assignments are supported for Security groups and Microsoft 365 groups with the SecurityEnabled setting set to True.
  • Nested Groups: Nested group memberships are not supported. Users must be direct members of the group assigned to the profile.

In our case, we are enabling the assignment for All Users.

User and group assignments Private access profile


Our Private Access Profile is now ready for use. The next steps are to publish the required applications and install the client on the necessary user devices.
Private Access Profile with All Users Assigned


3. Configure Quick Access or Per-App Access to private resources

With Global Secure Access, you can specify fully qualified domain names (FQDNs), IP addresses, and IP address ranges for private resources to include in traffic routed through Microsoft Entra Private Access. This allows your organization's employees to securely access specified applications and sites.

Known Limitations
  • Avoid Overlaps: Ensure there are no overlapping app segments between Quick Access and Per-App Access.
  • IP Range Restrictions: Tunneling traffic to Private Access destinations via IP addresses is supported only for IP ranges outside the end-user device's local subnet.
  • Client Dependency: Currently, Private Access traffic can only be routed through the Global Secure Access client. Remote networks cannot be assigned to the Private Access traffic forwarding profile.
  • NRPT Policy Issues:
    • The GSA client creates NRPT policies to route DNS queries for private DNS suffixes through the tunnel. Occasionally, malformed GPOs may prevent NRPT policies from being created.
    • Use the script provided to identify and resolve such issues, modifying its variables to match your environment.

Option 1: Setting Up Quick Access

Quick Access


Sign in: Log in to the Microsoft Entra admin center with the necessary permissions.

Navigate: Go to Global Secure Access > Applications > Quick Access.

Create a Quick Access app: Enter a name (e.g., "Quick Access") and select a connector group from the dropdown menu.

Add segment: Select Add Quick Access Application Segment.

Configure destination: Choose a destination type (FQDN, IP Address, CIDR, or Start-End IP Range) and provide the details required for that type:

  • FQDN: Specify the domain name and ports. Avoid using NetBIOS names (e.g., use contoso.local/app1 instead of contoso/app1).
  • IP Address: Enter the IPv4 address and associated ports.
  • CIDR: Define the starting address and subnet mask, e.g., 192.168.2.0/24.
  • IP Range (Start-End): Enter the start and end IP addresses along with the ports.

Specify ports and protocols: Enter multiple ports separated by commas (e.g., 80, 443) or ranges with hyphens (e.g., 400-500), then click Apply to save the configuration.

Save configuration: Click Save to finalize the segment.

In this example, I have added two servers:

  • A server with an IP address for RDP connection.
  • Another server with its FQDN for accessing a client-server-based application using a custom port.

Entra Private Access Quick Access Config

Once the settings are saved, the status will be displayed as Success.

Private Access Deployment success

Now, we need to assign the Quick Access application to users or groups. You can do this by using the Users and Groups option in the Quick Access menu or by clicking Edit Application Settings, which will direct you to the enterprise application automatically created for your Quick Access configuration.
Quick Access Users and Group Assignment

The user has been successfully added to the application.

Quick Access User Assigned
Note: The "Visible to users" setting will always display as "No," even if you change it to "Yes."

The enterprise application created for the Quick Access app is shown below.

Quick Access Enterprise Application

The user assignment has been updated. You can validate this from the enterprise application.

Quick Access User Assignment status

Important Notes

  • You can add up to 500 application segments to a single Quick Access app.
  • Avoid overlapping FQDNs, IP addresses, or IP ranges between Quick Access and Private Access apps to prevent configuration conflicts.
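The overlap rule above and the local-subnet limitation listed under Known Limitations can both be checked before segments are saved. The script below is an added example and not Microsoft's or this blog's own tooling; the File Server CIDR, app1.contoso.local and fs01.contoso.local are constructed values, and the RDP host 172.20.0.52 is the one used in the access test later in this post.

```python
"""Pre-check Entra Private Access app segments (added example, not Microsoft tooling):
flags overlaps across apps in destination+port, and IP segments inside the device's
local subnet that the Global Secure Access client cannot tunnel. Port syntax follows
the portal ("80, 443" or "400-500")."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def parse_ports(spec: str) -> set[int]:
    """Expand '80, 443, 400-500' into the set of ports it covers."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        start, end = int(lo), int(hi or lo)
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"invalid port spec: {part!r}")
        ports.update(range(start, end + 1))
    return ports


@dataclass(frozen=True)
class Segment:
    app: str          # Quick Access or per-app GSA application name
    destination: str  # FQDN, IPv4 address, CIDR, or "start-end" IP range
    ports: str        # port syntax as typed in the portal

    def ip_span(self):
        """(first, last) address the destination covers, or None for an FQDN."""
        dest = self.destination.strip()
        try:
            if "/" in dest:
                net = ipaddress.ip_network(dest, strict=False)
                return net.network_address, net.broadcast_address
            if "-" in dest:
                lo, hi = dest.split("-", 1)
                return ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
            addr = ipaddress.ip_address(dest)
            return addr, addr
        except ValueError:
            return None  # hyphenated hostnames such as erp-app land here: an FQDN


def overlaps(a: Segment, b: Segment) -> bool:
    """True when the destinations intersect and share at least one port."""
    if not parse_ports(a.ports) & parse_ports(b.ports):
        return False
    sa, sb = a.ip_span(), b.ip_span()
    if sa and sb:
        return sa[0] <= sb[1] and sb[0] <= sa[1]
    if sa or sb:
        return False  # an IP segment never overlaps an FQDN segment
    return a.destination.strip().lower() == b.destination.strip().lower()


def find_conflicts(segments: list[Segment]) -> list[tuple[Segment, Segment]]:
    """Overlapping segment pairs that belong to different apps."""
    return [(a, b) for i, a in enumerate(segments) for b in segments[i + 1:]
            if a.app != b.app and overlaps(a, b)]


def inside_local_subnet(segments: list[Segment], local_cidr: str) -> list[Segment]:
    """IP-based segments that intersect the end-user device's local subnet."""
    net = ipaddress.ip_network(local_cidr, strict=False)
    return [s for s in segments if (span := s.ip_span())
            and span[0] <= net.broadcast_address and net.network_address <= span[1]]


# Constructed sample: the blog's RDP host and a custom-port app in Quick Access, plus an
# assumed per-app File Server whose CIDR swallows the RDP host on port 3389.
SAMPLE = [
    Segment("Quick Access", "172.20.0.52", "3389"),
    Segment("Quick Access", "app1.contoso.local", "5000"),
    Segment("File Server", "172.20.0.0/24", "445, 3389"),
    Segment("File Server", "fs01.contoso.local", "445"),
]
for first, second in find_conflicts(SAMPLE):
    print(f"CONFLICT: {first.app} {first.destination}:{first.ports} vs {second.app} {second.destination}:{second.ports}")
```

Run it with the device's local subnet as a second check, e.g. inside_local_subnet(SAMPLE, "172.20.0.0/16"), to see which IP segments the client would not tunnel from that network.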

Adding Private DNS Suffixes

Private DNS support in Microsoft Entra Private Access enables you to query internal DNS servers to resolve IP addresses for internal domain names.

Example Scenario

Suppose your internal network uses the IP range 192.168.1.0-192.168.1.255, and you configure this range in your Quick Access application definition. You want users to access a web application hosted at IP 192.168.1.5 by simply entering https://erp-app in their browser, without needing to configure a fully qualified domain name (FQDN). Using Private DNS, you can set up a corresponding DNS suffix, allowing the Global Secure Access client to route the request correctly.

Additionally, by configuring Kerberos Authentication with Private DNS, you can provide a seamless single sign-on (SSO) experience for Kerberos-enabled resources, connecting to domain controllers securely.

Navigate to the Private DNS tab. Check the box to Enable Private DNS. Click Add DNS Suffix. Enter the desired DNS suffix. Select Add to save the configuration.

Entra Private Access Private DNS Setting



Option 2: Per-App Access

Per-App Access

Sign in to the Microsoft Entra admin center with the required permissions.
Navigate to Global Secure Access > Applications > Enterprise applications.
Click New application.

GSA Private Access Per-App Access

Enter a name for the application.
Select a Connector group from the dropdown menu.

Create Global Secure Access application

Per-App Access for File Server
The Add application segment process allows you to define the FQDNs and IP addresses to include in the traffic for the Global Secure Access app. You can add these sites during app creation or return later to add or modify them as needed.

Click Save at the bottom of the page to create the app.

The File Server application has been successfully created and is now visible.

Per-App for File Server deployed

Now, if we navigate to Global Secure Access > Enterprise Applications, we can see the Per-App configuration created for the File Server.

File Server Enterprise Application


Click on the application to open the Enterprise Application options, where you can assign users and groups to the File Server application.

We have now successfully assigned our user to this specific File Server application.

File Server Enterprise Application and User Assignment

4. Installing the Global Secure Access Client on Windows

Overview

The Global Secure Access Client routes specific traffic profiles through Microsoft Entra Private Access, enabling security features like continuous access evaluation (CAE), device compliance, and MFA. It coexists with other solutions by leveraging a lightweight filter (LWF) driver.

Supported Platforms
  • Windows 10 and 11 (64-bit versions)
  • Azure Virtual Desktop single-session
  • Windows 365

Installation Prerequisites

  • Local administrator credentials.
  • A managed device joined to the onboarded tenant (the device must be either Microsoft Entra joined or Microsoft Entra hybrid joined).

Download and Install

Sign in to the Microsoft Entra admin center.

Navigate to Global Secure Access > Connect > Client download.

GSA Windows Client Download

Download the client and follow the installation steps.

Global Secure Access Client Install
Successfully Installed the Client

GSA Client Installed Successfully

You can validate the status of the Global Secure Access Client by checking its icon in the notification area.
GSA Client status

Right-click on the Global Secure Access (GSA) Client and select Advanced Diagnostics. Here, you can view the Client Health Check Status, Forwarding Profile Status, and collect traffic details as well as advanced logs for troubleshooting.

GSA Client Advanced Diagnostics


Known Limitations

  • Devices must be Microsoft Entra joined or hybrid joined; Microsoft Entra registered devices are not supported.
  • Azure Virtual Desktop multi-session is not supported.

Applying Conditional Access Policies

Applying Conditional Access policies to your Microsoft Entra Private Access apps is an effective way to enforce security measures for your internal private resources. You can apply these policies to both Quick Access and Private Access apps directly from Global Secure Access.

Limitations:
  • Currently, the Global Secure Access Client is required to acquire Private Access traffic.

To apply Conditional Access policies:

Sign in to the Microsoft Entra admin center as a Conditional Access Administrator.
Navigate to Global Secure Access > Applications > Enterprise Applications.
Select an application and choose Conditional Access from the menu.
Private Access Application CA Policy
Create a new policy and configure conditions, access controls, and user assignments.
CA Policy User Selection

File Server selected as Target Resource

File Server Private Access CA Policy for MFA & device Compliance
In our example, we are enforcing a Multi-Factor Authentication (MFA) and Device Compliance Conditional Access policy for accessing the File Server through Entra Private Access.

Similarly, we can configure a Conditional Access policy for our Quick Access application as well.

Excluding Accounts from Policies

  • Exclude the following accounts from Conditional Access policies:
    • Emergency access or break-glass accounts.
    • Service accounts and service principals.

Private Access End User Experience

Quick Access

We are now attempting to access the RDP of a server that was published using Quick Access App in Entra Private Access. In this example, the user is working on an Entra-joined device located outside the corporate network and has signed in to the device using their user ID and password.

The server's private IP address is 172.20.0.52.

The screenshot below displays the device's Entra Join Status, its Current IP Address, and the Ping output indicating that the device currently has no access to the server LAN IP 172.20.0.52.


Entra Joined Device Details

Now, let's access the server RDP that has been published through the Quick Access application.

Open Remote Desktop Connection, enter the server's IP address, and click Connect.
Begin collecting GSA Traffic using the GSA Client to see the connection status.

Checking Remote Desktop access through Entra Private Access

The RDP session has been established, and it is prompting the end user to enter their password to log in to the server.
GSA Connection status

The GSA client did not prompt for authentication or MFA because the device is already joined to Entra ID, and a valid user is signed in. Additionally, an MFA claim is already present in the session. The Primary Refresh Token (PRT) with an MFA claim is used to meet the MFA requirements.
GSA User Sign-in Logs

The RDP session has been successfully established, and the details are shown in the screenshot below.

RDP connected using GSA Client
Now, let's access a sample client-server application developed using Python. The application is accessed over Port 5000.

The server-side application is running, and the client-side connectivity will be established using the FQDN and Port 5000, which we have already published using Quick Access.


Running the Python client application on the end-user PC will establish a connection to the server through the GSA Client, and the traffic can be monitored on the GSA application.

Custom Client Application Access using GSA client

The server-side status displays the client currently connected to the server.


Now, let's access the File Server, which has been published using GSA Per-App config for the end user with a custom Conditional Access (CA) policy.

File Server Access using GSA Client

The File Server access is now successful, with the Conditional Access (CA) policy requirements met. The device is in a compliant state, and the MFA requirement has been satisfied.
GSA Client Access Sign-in logs

GSA CA Policy Success




The Entra GSA Dashboard has now been updated to reflect the Private Access status.
GSA Private Access Dashboard

GSA Private Access Top Discovered private application segments

Conclusion

Microsoft Entra Private Access is a transformative solution for secure and seamless access to private resources. By eliminating VPN dependency and leveraging Zero Trust principles, it empowers organizations to modernize access management while enhancing security and productivity.


