Microsoft Entra Private Access — secure any app with Conditional Access
This short post will explain the new capabilities of Microsoft Entra Private Access to:
- Enable access to internal apps and protocols when connected with the Global Secure Access client
- Secure access with Conditional Access
Enable MFA for protocols which never was possible before!
In the next steps I am going to briefly show you how to setup Private Access in order to connect from any device to a server with RDP and MFA! Wow, that was never possible before 🥳
Steps
- Enable Microsoft Entra Private Access
- Download & install the Global Secure Access client
- Configure Quick Access
- Implement Conditional Access policy
Afterwards take a look at the demo.
Important: Global Secure Access is still in preview! read more: What is Global Secure Access (preview)? | Microsoft Learn
Setup & prerequisites
As a prerequisite, please make sure you install a Connector Service. (also known as Azure AD Application Proxy connector) It is important that this connector has connectivity to the internal resource (essentially IP or FQDN) which we specify later.
1 — Enable Microsoft Entra Private Access
Go to the Microsoft Entra admin center and expand the Global Secure Access pane. You may need to enable this feature for the tenant first.
Go to Traffic forwarding and make sure the Private access profile is enabled. (Also for troubleshooting you can disable & enable again)
2 — Download & install the Global Secure Access client
Install the client executable on any device and sign-in with your Entra ID account.
The service should then be running. You can verify that when opening the Connection Diagnostics and see the Channels and Services:
3 — Configure Quick Access
Quick Access is an Enterprise Application in your tenant which is coming from Microsoft Entra SSE. As you can see, this is an Global secure access application, where a new tab of Network access properties is visible. What you specify here:
- Choose a (App Proxy) Connector group
- Add one or multiple entries for application segments / specify the IP or FQDN of any internal resource and the port (3389 for RDP, 445 for SMB)
Currently only ports with TCP work, UDP is still in development.
It is important that you assign the users/groups which should be enabled to use this feature.
4 — Implement Conditional Access policy
Create a new Conditional Access policy where you add the Quick Access app (this can also be renamed in the GSA segment) as target resource. Choose Grant access and select one of the controls. In my case I have added an Authentication strength to make sure MFA was not previously satisfied on my device.
Demo
Device 1: Windows client, IP 172.25.96.76 coming from any client network
Server 1: Windows server, IP 192.168.1.205 in another network
- Let’s connect via remote desktop
2. See that authentication request, which is coming from Conditional Access
3. Authenticate with a user from the remote device and there you go with an established RDP connection secure by Conditional Access 🔐
Logs
Connection Diagnostics
On the device you can open the Connection Diagnostics, as shown before. Here you can see the internal destination IP on destination port 3389 via TCP.
Entra admin center
Go to Global Secure Access > Monitor > Traffic logs to view all connections to any channel.
Conditional Access
Take a look at the sign-in logs and apply a filter for the application to contain “ZTNA”.
Shoutout to John Savill’s video which showed me some important concepts!
