Introduction
Microsoft Entra Private Access gives users secure access to private corporate resources regardless of where they are working from. It extends beyond the Microsoft Entra application proxy by brokering access to any private resource, including specific ports and protocols, which makes it a fit for hybrid and multicloud environments as well as private networks and data centers. Unlike a traditional VPN, Entra Private Access connects remote users to individual private applications from a compliant device on any network, rather than placing the device on the corporate network.
Its key features are Zero Trust-based access to internal IP addresses and FQDNs without a legacy VPN; per-app access for TCP applications, with UDP support still in development at the time of writing; and modernised authentication for legacy apps through deep Conditional Access integration, which is far more granular than the all-or-nothing network access a VPN typically grants. For end users the experience is transparent: the Global Secure Access desktop client acquires the traffic locally, and the service can run alongside existing third-party Security Service Edge (SSE) solutions. In short, Entra Private Access is a modern remote access approach that fits current security needs without sacrificing flexibility.
The importance of secure remote access in today's work environment
In today's interconnected world, secure remote access is more than a convenience; it's a necessity for modern businesses. It safeguards sensitive data against escalating cyber threats, ensuring that company information remains protected, no matter where employees are working from. This security is vital for maintaining the integrity of business operations and complying with data privacy regulations.
Beyond security, the flexibility offered by secure remote access boosts productivity, allowing employees to work efficiently from any location. This adaptability is crucial for business continuity, especially in emergencies like natural disasters or pandemics, ensuring operations can continue without significant downtimes.
Moreover, secure remote access is cost-effective, reducing the need for extensive physical office spaces and resources. It also facilitates global collaboration, enabling businesses to tap into a diverse talent pool and work seamlessly across different geographies.
In summary, secure remote access is a cornerstone of modern business, blending flexibility, security, and efficiency to meet the demands of a digital-first world.
Microsoft Entra Private Access key features and benefits
Microsoft Entra Private Access offers several key features and benefits designed to enhance secure access to corporate resources. Here's a rundown of its most notable features and the advantages they provide:
Secured Access to Corporate Resources: Entra Private Access ensures that users, whether in an office or working remotely, have secure access to private, corporate resources. This includes a range of applications, services, and data, essential for maintaining productivity and efficiency in a distributed workforce.
Support for Various Environments: The service facilitates remote access to private apps across hybrid and multicloud environments, as well as private networks and data centers. This broad compatibility is vital for businesses operating in diverse IT environments.
No VPN Requirement: Users can connect from any Entra ID joined device and network without the need for a traditional VPN. This feature simplifies connectivity, reduces the complexity of the network infrastructure, and often results in better performance and user experience.
Per-App Adaptive Access: Entra Private Access offers per-app adaptive access based on Conditional Access policies. This approach provides more granular control and security than a VPN, allowing businesses to tailor access rights and security measures to specific applications and user roles.
Zero Trust-Based Quick Access: The service is grounded in Zero Trust security principles, providing quick access to a range of IP addresses and FQDNs. This approach assumes no implicit trust and verifies every request as though it originates from an open network, enhancing overall security.
Modernization of Legacy App Authentication: Entra Private Access enables businesses to modernize the authentication of legacy applications with deep Conditional Access integration. This feature is particularly beneficial for organizations looking to upgrade their security posture without completely overhauling their existing applications.
Seamless User Experience: The solution is designed to provide a seamless end-user experience. It integrates with existing third-party Security Service Edge (SSE) solutions and acquires network traffic directly from the desktop client, so users get a hassle-free access experience.
Support for TCP Apps with UDP in Development: It currently supports per-app access for TCP applications, with UDP support in development, ensuring that a wide range of applications can be securely accessed as the service evolves.
How does it differ from a traditional VPN?
Microsoft Entra Private Access represents a significant advancement in secure remote access technology, particularly when compared to traditional Virtual Private Network (VPN) solutions. Understanding this difference requires delving into the technical aspects of both systems:
Network Access and Architecture:
VPN: Traditional VPNs create a secure tunnel between the user's device and the corporate network, effectively extending the network's perimeter to the user's location. This approach can potentially expose the entire network to vulnerabilities if a user's device is compromised.
Entra Private Access: In contrast, Entra Private Access operates on a Zero Trust model, which means it does not inherently trust any user or device, regardless of their location. Access is granted on a need-to-know basis, limiting exposure to the broader network. It provides access directly to specific applications or services rather than the entire network.
Application-Level Access Control:
VPN: VPNs typically offer network-level access, which might not be granular enough to control user access to specific applications or data.
Entra Private Access: This service enables per-app adaptive access based on Conditional Access policies. It offers more refined control, allowing administrators to define access rights at the application level, thereby enhancing security.
Authentication and Authorization:
VPN: Authentication in VPNs is usually at the point of entry, i.e., when the user first connects to the VPN.
Entra Private Access: It integrates deeply with Conditional Access policies, allowing for continuous assessment and re-assessment of user credentials and context. This means that access can be dynamically adjusted based on user behavior, location, device health, and other factors, offering a more robust security posture.
User Experience and Performance:
VPN: VPNs can sometimes cause network performance issues due to the added overhead of encrypting and routing all traffic through the VPN server. Users might experience slower connections, especially when accessing cloud-based services.
Entra Private Access: It provides a more seamless user experience by connecting users directly to the applications they need through dedicated tunnels in Microsoft's global private wide area network. This can lead to better performance, particularly for cloud-based applications.
Deployment and Scalability:
VPN: Traditional VPN solutions might require significant infrastructure and management overhead, especially as the number of remote users increases.
Entra Private Access: Being a cloud-based solution and built on Microsoft's global private wide area network, it is inherently scalable and easier to manage. It does not require the same level of infrastructure investment as a traditional VPN.
Security Against Lateral Movement:
VPN: Once inside the network via VPN, a malicious actor or compromised user account can potentially move laterally across the network.
Entra Private Access: By providing only application-level access, it significantly reduces the risk of lateral movement within the network, a critical factor in mitigating the impact of potential security breaches.
Microsoft Entra Private Access offers a more modern, secure, and efficient approach to remote access compared to traditional VPNs. Its focus on Zero Trust principles, application-level access, dynamic authentication, and better user experience represents the evolution of remote access solutions in response to contemporary cybersecurity challenges.
Quick Access and Global Secure Access apps
When you configure Quick Access or a Global Secure Access app, you create a new enterprise application. The app serves as a container for the private resources (application segments) that you want to secure. Each app is assigned to a connector group, and the private network connectors in that group broker the connection between the service and the internal resource. You can assign users and groups to the app, and then use Conditional Access policies to control access to it.
Quick Access and Per-app Access are similar, but there are a few key concepts to understand so you can decide how to configure each one.
Quick Access app
Quick Access is the primary group of FQDNs and IP addresses that you want to secure. As you're planning your Global Secure Access deployment, review your list of private resources and determine which resources you always want to tunnel through the service. This primary group of FQDNs, IP addresses, and IP ranges is what you add to Quick Access.
Global Secure Access app
A Global Secure Access app could be configured if any of the following scenarios sound familiar:
I need to apply a different set of Conditional Access policies to a subset of users.
I have a few private resources that I want to secure, but they should have a different set of access policies.
I have a subset of private resources that I only want to secure for a specific time frame.
The Global Secure Access app takes a more detailed approach to securing your private resources. You can create multiple per-app access apps to secure different private resources. Paired with Conditional Access policies, you have a powerful yet fine-grained way to secure your private resources.
With those explanations out of the way, let's get to the fun stuff - Configuring and testing it!
For this article, we will be exploring the configuration and testing of Quick Access.
Quick Access configuration
Prerequisites
To configure Quick Access, you must have:
The Global Secure Access Administrator and Application Administrator roles in Microsoft Entra ID
The preview requires a Microsoft Entra ID P1 license
To manage App Proxy connector groups, which is required for Quick Access, you must have:
An Application Administrator role in Microsoft Entra ID
Microsoft Entra ID P1 or P2 licenses
To configure Conditional Access policies, you must have:
Conditional Access Administrator or Security Administrator to create and interact with Conditional Access policies.
Windows server
To use Application Proxy, you need a Windows server running Windows Server 2012 R2 or later. You'll install the private network connector (the same connector service that Application Proxy uses) on this server. The connector server must be able to reach the Application Proxy services in Azure and the on-premises applications that you plan to publish.
For high availability, we recommend having more than one connector server.
The minimum .NET Framework version required for the connector is 4.7.1.
For more information, see App Proxy connectors
For more information, see Determine which .NET framework versions are installed
You can review additional requirements such as allow URLs and required ports here: How to configure connectors for Microsoft Entra Private Access - Global Secure Access | Microsoft Learn
The lab
For my testing the lab environment consists of the following:
1 x Windows Server 2022, domain controller
1 x Windows Server 2022, file server
1 x Windows Server 2022, remote desktop session host
1 x Lenovo ThinkPad (end user client device)
1 x Active Directory user synced to Entra ID via Entra Connect cloud sync (if accessing on-premises resources the user accounts must exist on-prem and already have the appropriate access to the private apps)
I'll assume you are already syncing user accounts; setting up the file server and remote desktop session host is out of scope for this guide. In our lab environment we will be enabling the following:
Private Access
A private network connector
A Quick Access app
Creating and enabling the required Conditional Access policies
Installing the Global Secure Access client (including how to deploy using Intune)
The private apps we will be looking to access are the file server via file explorer and connecting the user to the session host, both familiar scenarios that many organizations will be doing via legacy VPN or gateways.
Enabling Global Secure Access
To enable Global Secure Access start by heading to the Get Started tab of the Global Secure Access (Preview) option in the Entra portal and then Activate.
Next expand Global settings >> Session management
Adaptive Access enables source IP restoration: Conditional Access, continuous access evaluation and Identity Protection then see the user's original source IP rather than the Global Secure Access egress IP, so location-based policies and risk detections keep working. It is not strictly required for this walkthrough, but I think it is worth enabling. You can find out more here: Enable source IP restoration with the Global Secure Access preview - Global Secure Access | Microsoft Learn
Next enable the traffic forwarding profile for private access, you can do this from Connect >> Traffic forwarding.
Once the profile is enabled and applications have been created, you can edit the assignments from the Private access policies section. Quick Access is a pre-defined policy, so there is no option to "view" its policies.
Keep in mind that if you configure individual Global Secure Access apps, you must come back to this page and assign those applications to the private access profile, otherwise the client will not forward their traffic.
Creating Private Network connectors
Installing the connector is simple and can be done by downloading the installer from Connect >> Connectors >> Download connector service.
You will notice if this is your first time here that Private Network is currently disabled for your tenant. This notice will be removed once you have created your first connector and enabled Private Network connectors.
It is worth noting that if IE Enhanced Security Configuration is set to On, you may not see the registration screen. It is recommended to set it to Off on the server where you are going to install the connector.
Run through the install, which is simple, and verify the connector shows up in the Default connector group. Your mileage may vary here, but I had to reboot the server after the installation (I did have reboots pending). Here's my connector, although mine is in a connector group, so on to those next.
Verify the installation of your connector: How to configure connectors for Microsoft Entra Private Access - Global Secure Access | Microsoft Learn
Connector Groups
Connector Groups can be used to publish applications on separate networks and locations. With connector groups you can assign specific connectors to serve specific applications: Publish apps on separate networks via connector groups - Microsoft Entra ID | Microsoft Learn
Creating a new group is as simple as clicking the New Connector Group button, giving it a name, and choosing the connectors you want to include in the group.
To use Quick Access you must configure a connector group with at least one active private network connector.
Configure Quick Access
From underneath Global Secure Access (Preview) now head to Applications >> Quick Access.
From here we give the application a name, it is recommended to name it "Quick Access". Choose your connector group then hit save.
Next, we configure the Quick Access application segments. These are the FQDNs, IP addresses and ports that you want Microsoft Entra Private Access to tunnel. I want to allow access to the file server via IP address and to the session host via both IP address and FQDN; here's what mine looks like.
As my user will be accessing the file shares via SMB, we must add port 445 along with the file server IP address. I do the same for the remote desktop session host, adding both its IP address and its FQDN together with the RDP port (3389 by default). Go ahead and save your configuration.
Keep in mind that you can come back to this setting page and add/remove application segments after the initial setup is complete.
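Before saving segments it is worth proving that the connector can actually reach each destination, because the connector, not the client, is what opens the backend connection. The following PowerShell is an added example and not part of the original post or of the Global Secure Access product; run it on the connector host. The hosts, ports and names in the segment list are constructed for this lab and should be replaced with your own.

```powershell
# Added example (not from the original post): pre-flight check for Quick Access
# application segments, run on the private network connector host.
# The connector is what reaches the destination, so if a host:port is not
# reachable from here the tunnel from the client will fail as well.
# Segment values below are constructed for the lab; replace with your own.
$segments = @(
    @{ Host = '10.10.0.20';        Port = 445;  Protocol = 'TCP'; Purpose = 'File server (SMB)' },
    @{ Host = '10.10.0.30';        Port = 3389; Protocol = 'TCP'; Purpose = 'RDSH by IP' },
    @{ Host = 'rdsh01.corp.local'; Port = 3389; Protocol = 'TCP'; Purpose = 'RDSH by FQDN' }
)

function Test-PrivateAccessSegment {
    param([Parameter(Mandatory)][hashtable]$Segment)

    $result = [ordered]@{
        Host     = $Segment.Host
        Port     = $Segment.Port
        Purpose  = $Segment.Purpose
        Resolved = $null
        TcpOpen  = $false
        Note     = ''
    }

    # FQDN segments are resolved by the connector, not by the client, so name
    # resolution has to work on this host. IP literals skip the lookup.
    if ($Segment.Host -as [ipaddress]) {
        $result.Resolved = $Segment.Host
    } else {
        try {
            $answer = Resolve-DnsName -Name $Segment.Host -Type A -ErrorAction Stop |
                      Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
            $result.Resolved = $answer.IPAddress
        } catch {
            $result.Note = "DNS lookup failed on connector: $($_.Exception.Message)"
            return [pscustomobject]$result
        }
    }

    # Only TCP segments are supported in the preview; flag anything else.
    if ($Segment.Protocol -ne 'TCP') {
        $result.Note = 'Non-TCP segment; not supported in the preview'
        return [pscustomobject]$result
    }

    # Plain TCP connect to the resolved address and port from the connector host.
    $tnc = Test-NetConnection -ComputerName $result.Resolved -Port $Segment.Port -WarningAction SilentlyContinue
    $result.TcpOpen = $tnc.TcpTestSucceeded
    if (-not $result.TcpOpen) {
        $result.Note = 'TCP connect failed; check host firewall and routing from the connector'
    }
    return [pscustomobject]$result
}

$report = $segments | ForEach-Object { Test-PrivateAccessSegment -Segment $_ }
$report | Format-Table Host, Resolved, Port, TcpOpen, Purpose, Note -AutoSize

if ($report | Where-Object { -not $_.TcpOpen }) {
    Write-Warning 'One or more segments are unreachable from this connector; fix that before adding them to Quick Access.'
}
```

A segment that fails here will show up later as a client that authenticates fine and then hangs on connect, which is a much more confusing place to start troubleshooting.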
Assign users and groups
Once the Quick Access configuration has been completed, a new enterprise app is created for you. You must add the users or groups that you want to allow access to this application. From the Quick Access configuration pane select the Edit application settings button.
The page you see will be familiar for those used to managing cloud apps. Select the users and groups option.
From here you need to add the users that you want to the application. In my case I assign an AD synced user that has access to both the file server share and the remote desktop session host.
Apply Conditional Access
Next, we will create a Conditional Access policy that defines the conditions and grant controls for access to the private apps. This is where legacy on-premises applications gain modern controls: for example, a CA policy could require MFA to connect to the remote desktop server, or require acceptance of Terms of Use. Keep in mind that with Quick Access you can only target the one app, so all conditions and grant controls apply to every application segment in it; if you want per-app controls you need to create individual Global Secure Access apps.
From the same application configuration pane select Conditional Access, this will open the CA portal selecting New policy will start the create new policy wizard with the Quick Access application pre-selected.
For my example I have kept it simple: a custom authentication strength that requires Microsoft Authenticator MFA to access the Quick Access application. You could also require a compliant device here, but keep in mind that the device must already be Microsoft Entra joined or hybrid joined to use the Global Secure Access client anyway. You could think of this as an alternative to the Azure MFA NPS extension, since MFA for Remote Desktop can now be enforced through Conditional Access.
Once the CA policy has been created and assigned to our test user, we can enable the policy.
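The same policy can be created with Microsoft Graph PowerShell, which is handy for repeatable deployments and lets you start in report-only mode so the sign-in logs show what the policy would do before anyone is blocked. This is an added example and not part of the original post; it assumes the Quick Access app was named "Quick Access" as recommended above, and the pilot group and custom authentication strength names are placeholders for your own.

```powershell
# Added example (not from the original post): create the Quick Access
# Conditional Access policy via Microsoft Graph PowerShell, report-only first.
# Assumptions: the app is named 'Quick Access'; the group and authentication
# strength display names below are placeholders for your own objects.
Import-Module Microsoft.Graph.Applications, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Application.Read.All', 'Group.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

function Get-SingleObject {
    param([AllowNull()][object[]]$Items, [Parameter(Mandatory)][string]$What)
    # Fail loudly on 0 or >1 matches rather than silently targeting the wrong object.
    $Items = @($Items | Where-Object { $null -ne $_ })
    if ($Items.Count -ne 1) { throw "Expected exactly one $What, found $($Items.Count)." }
    return $Items[0]
}

# Conditional Access targets the app by its appId (client ID), which lives on the service principal.
$quickAccessSp = Get-SingleObject -What 'Quick Access service principal' -Items (
    Get-MgServicePrincipal -Filter "displayName eq 'Quick Access'"
)
$pilotGroup = Get-SingleObject -What 'pilot group' -Items (
    Get-MgGroup -Filter "displayName eq 'SG-PrivateAccess-Pilot'"     # placeholder group name
)
$authStrength = Get-SingleObject -What 'authentication strength' -Items (
    Get-MgPolicyAuthenticationStrengthPolicy |
        Where-Object { $_.DisplayName -eq 'Authenticator app MFA' }   # placeholder custom strength name
)

$policy = @{
    displayName = 'Private Access - Quick Access - require MFA'
    # Report-only first; switch to 'enabled' once the sign-in logs look right.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications   = @{ includeApplications = @($quickAccessSp.AppId) }
        users          = @{ includeGroups = @($pilotGroup.Id) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $authStrength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Scope the policy to a pilot group rather than all users while testing, and only flip `state` to `enabled` after the report-only results in the sign-in logs match what you expect.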
Installing the Global Secure Access client
The client is required to connect to the Security Service Edge (SSE) provided by Microsoft.
Installing the client is simple and can be done from the Global Secure Access (Preview) >> Connect >> Client download pane.
But installing the client is too easy, let's look at deploying it via Intune!
Download the client and wrap it as a Win32 app (you can follow the same steps as used in this post to convert to Win32 app).
Upload the app to Intune and use the following settings.
Name: Global Secure Access Client
Publisher: Microsoft
Install command: GlobalSecureAccessClient.exe /quiet
Uninstall command: GlobalSecureAccessClient.exe /uninstall /quiet
Install behavior: System
Requirements: Set your preferred requirements
Detection rule type: File
Path: %ProgramFiles%\Global Secure Access Client\
File or folder: GlobalSecureAccessClient.exe
Detection method: File or folder exists
Assign the app to your devices or users.
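A file-exists rule reports the app as installed even if the client's services never came up. The following custom detection script, an added example that is not part of the original post, checks the same executable path as the rule above and additionally requires the client's Windows services to be running, so a half-failed install is reported as missing and retried. The service display-name prefix is an assumption; confirm it with Get-Service on a machine that already has the client.

```powershell
# Added example (not from the original post): Intune Win32 custom detection
# script for the Global Secure Access client. Intune treats the app as
# detected only when the script exits 0 AND writes to STDOUT; anything else
# means "not detected". The service display-name prefix is an assumption.
#
# Intune runs detection scripts as 32-bit unless "Run script as 64-bit process"
# is set, and in a 32-bit process $env:ProgramFiles points at "Program Files (x86)".
# ProgramW6432 always points at the 64-bit Program Files, so prefer it.
$programFiles = if ($env:ProgramW6432) { $env:ProgramW6432 } else { $env:ProgramFiles }
$exePath = Join-Path $programFiles 'Global Secure Access Client\GlobalSecureAccessClient.exe'
$serviceDisplayNamePrefix = 'Global Secure Access*'   # assumed; verify locally

function Test-GsaClientInstalled {
    param(
        [string]$ExePath = $exePath,
        [string]$ServiceDisplayNamePrefix = $serviceDisplayNamePrefix
    )
    if (-not (Test-Path -LiteralPath $ExePath)) {
        return [pscustomobject]@{ Installed = $false; Reason = "Missing $ExePath" }
    }

    $services = @(Get-Service -DisplayName $ServiceDisplayNamePrefix -ErrorAction SilentlyContinue)
    if ($services.Count -eq 0) {
        return [pscustomobject]@{ Installed = $false; Reason = 'Client services not registered' }
    }

    $stopped = @($services | Where-Object { $_.Status -ne 'Running' })
    if ($stopped.Count -gt 0) {
        $names = ($stopped | ForEach-Object { $_.DisplayName }) -join ', '
        return [pscustomobject]@{ Installed = $false; Reason = "Not running: $names" }
    }

    $version = (Get-Item -LiteralPath $ExePath).VersionInfo.ProductVersion
    return [pscustomobject]@{ Installed = $true; Reason = "Version $version, $($services.Count) service(s) running" }
}

$state = Test-GsaClientInstalled
if ($state.Installed) {
    Write-Output "Detected: $($state.Reason)"   # STDOUT plus exit 0 => detected
    exit 0
} else {
    # No output and non-zero exit => not detected; Intune will (re)install.
    exit 1
}
```

Use it by switching the detection rule type from File to "Use a custom detection script" and uploading this file; set "Run script as 64-bit process on 64-bit clients" to Yes as well so the path logic is not needed in the first place.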
Connecting to the Security Service Edge
Once the client has been installed you will see the following icon in the task tray, right clicking the icon provides a few options, all of which can be explored here: The Global Secure Access Client for Windows (preview) - Global Secure Access | Microsoft Learn
You will see a modern authentication prompt for each traffic forwarding profile you have enabled (Microsoft 365, Private access and Internet access), and you must authenticate for each one.
Once authenticated the task tray icon will update to have a green tick.
At this point I connected my Lenovo laptop which was Entra joined and signed in as our test user (Arthur Dallas) to the hotspot on my phone.
I then fired up Remote Desktop Connection, I started by attempting access to the Remote Desktop server via the FQDN.
As you can see, during the initialization a new modern authentication window pops up. This is where our CA policy kicks in: after choosing my test user account I am prompted for MFA, as expected.
After which it successfully connects to the RDSH.
Attempting the same using the IP address yields the same result.
And what about those file shares? Well navigating via File Explorer using the IP address works as expected.
We can see additional information from Global Secure Access (Preview) >> Monitor >> Traffic logs.
And there you have it! Remote access to on-premises resources via Microsoft's Security Service Edge, and all of it over a 4G connection on my mobile. I am really excited to see how this technology will be adopted and evolve over time; exciting things to come!