Microsoft Entra Private Access

Introduction

In the previous post, we covered the basic configuration of Global Secure Access via the Microsoft Entra portal, along with discussions on Microsoft 365 and Internet Policies.

This blog post covers the second part of Global Secure Access, Microsoft Entra Private Access. A relatively simple example shows how it is configured and why a classic VPN client is no longer strictly necessary for reaching a private resource.

Prerequisite

What are the requirements to use Entra Private Access in the company?

  • Entra Built-In Role (one of them)
    • Global Secure Access Administrator
    • Security Administrator
    • Global Administrator
  • Microsoft Entra ID P1
  • Microsoft 365 E3 (recommended for the Microsoft 365 traffic forwarding profile)
  • Global Secure Access client (Windows and Android)
  • Devices must be Entra joined or Entra hybrid joined; Entra registered devices are not supported
  • Microsoft Entra private network connector, installed on a server with line of sight to the private resources

Configuration

Installing Entra Private Network connector

To use Entra Private Access, at least one private network connector must be installed inside the network; the connector builds the outbound connection to the service and relays the traffic to the internal resource. I will demonstrate how such a connector is installed.

It’s important to note
The connector must be installed on Windows Server 2012 R2 or newer with .NET Framework 4.7.1 or higher, TLS 1.2 must be enabled on the server, and the server needs outbound HTTPS (port 443) connectivity to the Microsoft service endpoints. No inbound ports have to be opened on the firewall.

  1. Go to Global Secure Access (Preview) -> Connect -> Connectors
  2. Press Download connector service

  3. Accept terms & Download
  4. Connect to the server where you want to install the private network connector
  5. Execute MicrosoftEntraPrivateNetworkConnectorInstaller.exe and accept the license terms
  6. Sign in with your Global Administrator credentials when the installer asks you to register the connector
  7. After the installation, refresh the Microsoft Entra portal; the new connector appears with status Inactive

  8. Important: Enable Private Network connections (the connector stays Inactive until the Private access profile is enabled in the next step)
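The prerequisites from the note above can be checked before you start the installer. The following script is an added example and not part of the original post or of Microsoft's installer; it is meant to be run in an elevated PowerShell session on the candidate connector server. The build number, .NET release value and registry paths are the documented ones for Windows Server 2012 R2 and .NET Framework 4.7.1; the outbound check against login.microsoftonline.com is only a smoke test for port 443, not the complete list of service endpoints.

```powershell
# Added example (not from the original post): pre-flight check on the server that
# will run MicrosoftEntraPrivateNetworkConnectorInstaller.exe.
# Assumption: elevated PowerShell on the Windows Server itself.

$result = [ordered]@{}

# 1. Operating system: Windows Server 2012 R2 is build 9600; ProductType 1 would be a client OS.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$result['OS']    = "$($os.Caption) (build $($os.BuildNumber))"
$result['OS_OK'] = ([int]$os.BuildNumber -ge 9600) -and ($os.ProductType -ne 1)

# 2. .NET Framework: the "Release" value 461308 or higher means 4.7.1 or newer is installed.
$netKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $netKey -ErrorAction SilentlyContinue).Release
$result['DotNetRelease'] = $release
$result['DotNet_OK']     = ($null -ne $release) -and ($release -ge 461308)

# 3. TLS 1.2: an absent SCHANNEL key means the OS default (enabled on 2012 R2 and later);
#    an explicit Enabled=0 or DisabledByDefault=1 breaks the connector's service connection.
$tlsOk = $true
foreach ($side in 'Client', 'Server') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$side"
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p -and (($p.Enabled -eq 0) -or ($p.DisabledByDefault -eq 1))) { $tlsOk = $false }
}
$result['TLS12_OK'] = $tlsOk

# .NET must also be allowed to use strong crypto (TLS 1.2) for its outbound connections.
$crypto = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -ErrorAction SilentlyContinue
$result['SchUseStrongCrypto_OK'] = ($crypto.SchUseStrongCrypto -eq 1)
# Fix if needed:
# Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name SchUseStrongCrypto -Value 1 -Type DWord

# 4. Outbound HTTPS: the connector only needs outbound 443; login endpoint used as a smoke test.
$tcp = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -WarningAction SilentlyContinue
$result['Outbound443_OK'] = $tcp.TcpTestSucceeded

[pscustomobject]$result | Format-List
```

If any `*_OK` value is `False`, fix it before running the installer; a connector registered on a server where TLS 1.2 is disabled shows up in the portal but never turns Active.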

Private access profile

In this step, we activate and configure the Private access profile.

  1. Go to Global Secure Access (Preview) -> Traffic forwarding

  2. Navigate to Private access profile and enable it
  3. As soon as the Private access profile is active, the connector status switches to Active

Add Enterprise applications

To reach a private resource inside the network, such as a file share, you create an Enterprise application that describes the resource as one or more application segments (destination, port and protocol). Only the traffic that matches a segment is routed through the connector.

  1. Navigate to Global Secure Access (Preview) -> Applications -> Enterprise applications

  2. Create a new application
  3. Add an application segment and define your endpoint (IP address or FQDN, port and protocol); in my case TCP 445 for the SMB file share
  4. Set an application name and select the connector group that hosts the connector installed above

  5. Assign this Enterprise application to users or groups; unassigned users cannot reach the segment at all
  6. Sign in to your client device with the Global Secure Access client running and make an SMB connection to your server
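Step 6 can be verified in a reproducible way from the client. The following script is an added example and not part of the original post; the server name `fs01.corp.example` and the share `Data` are placeholders for your own file server and the segment you created (TCP 445). It checks name resolution, the TCP port defined in the segment, and finally a real SMB listing, so a failure can be attributed to the right layer.

```powershell
# Added example (not from the original post): verify from a client with the Global
# Secure Access client installed that the SMB segment is reachable.
# Assumptions: 'fs01.corp.example' and 'Data' are placeholders for your server and share.
$server = 'fs01.corp.example'
$share  = 'Data'

# 1. Name resolution. When the GSA client has taken over the FQDN from the segment, it
#    hands out a synthetic address (Microsoft documents the 6.6.0.0/16 range for this)
#    that it tunnels; the real LAN address or a failure means the client is not capturing it.
$addr = [System.Net.Dns]::GetHostAddresses($server) | Select-Object -ExpandProperty IPAddressToString
"Resolved $server -> $($addr -join ', ')"

# 2. TCP 445 is the port defined in the application segment; anything else is not tunnelled.
$tcp = Test-NetConnection -ComputerName $server -Port 445 -WarningAction SilentlyContinue
"TCP 445 reachable: $($tcp.TcpTestSucceeded)"

# 3. A listing of the share root proves segment, connector and user assignment together.
try {
    Get-ChildItem -Path "\\$server\$share" -ErrorAction Stop |
        Select-Object -First 5 Name, LastWriteTime
    "SMB access OK"
} catch {
    # Typical causes: user not assigned to the enterprise application, connector Inactive,
    # or the private access profile not enabled for this user.
    "SMB access failed: $($_.Exception.Message)"
}
```

Run the same script from a network where the file server is not directly reachable (home office, mobile hotspot); that is the case the VPN used to cover, and it is the one that proves the Private Access path works.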

Conditional Access Policy

The endpoints can now be protected with a Conditional Access policy, for example by requiring MFA. I will briefly show what such a policy could look like, so that an MFA prompt is enforced before the SMB connection is allowed.

  1. Go to Global Secure Access (Preview) -> Applications -> Enterprise applications

  2. Choose the created Enterprise application

  3. Switch to Conditional Access and click New policy

  4. Define a policy name and the users in scope; the target resource is already set to the enterprise application. Under Grant, select Require multifactor authentication

  5. Save the policy and wait a few minutes before you try the SMB connection from your device to the file server again
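The same policy can be created with the Microsoft Graph PowerShell SDK, which is useful when you roll it out to several Private Access applications or want it under version control. The following script is an added example and not part of the original post; the application display name, the pilot group and the break-glass account object IDs are placeholders. It creates the policy in report-only mode first, which is the practitioner's safe default, and includes the enforce step as a comment.

```powershell
# Added example (not from the original post): create the "require MFA" policy for the
# Private Access enterprise application with Microsoft Graph PowerShell.
# Assumptions: placeholder app name and object IDs below; modules Microsoft.Graph.Applications
# and Microsoft.Graph.Identity.SignIns are installed.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$appName    = 'Fileserver SMB'                          # placeholder: name from "Add Enterprise applications"
$pilotGroup = '00000000-0000-0000-0000-000000000001'    # placeholder: object ID of the pilot group
$breakGlass = '00000000-0000-0000-0000-000000000002'    # placeholder: object ID of the break-glass account

# Conditional Access targets the application's appId (client ID), not the service principal object ID.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'" | Select-Object -First 1
if (-not $sp) { throw "Enterprise application '$appName' not found" }

$policy = @{
    displayName = "GSA - Require MFA for $appName"
    # Report-only first: evaluate the result in the sign-in logs, then switch to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroup); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @($sp.AppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$new = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($new.Id) in state $($new.State)"

# Enforce once the report-only results look right:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $new.Id -BodyParameter @{ state = 'enabled' }
```

Excluding a break-glass account is deliberate: the policy gates a file share, but the same pattern applied to an administrative application can lock you out if MFA is unavailable.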

Good to know

If you want to give users quick access to several applications in your own network, you can configure this via Global Secure Access (Preview) -> Applications -> Quick Access. Quick Access is one broad application that covers whole IP ranges or domains instead of individual services.

It is intended as a temporary, migration-style configuration and not as the permanent state. Here I recommend following the Zero Trust principle: configure each individual application as its own enterprise application with only the ports it needs, and make it available only to those employees in the company who really need it.

Summary

In my opinion, Microsoft Entra Private Access is a very exciting product. It is still in public preview, but it is already a possible alternative to conventional VPN clients such as those from F5, Fortinet, OpenVPN or similar, with the advantage that access is granted per application and per user rather than to the whole network.

I recommend that every IT administrator familiarise themselves with the functionality in the preview now, as it has a lot of potential for the future, especially in combination with Microsoft Entra Internet Access and Global Secure Access (GSA) as a whole.

Source: Microsoft Learn – Private Access
