
Step-by-Step – Evaluate Microsoft Entra Private Access


Updated—18/04/2024 — The Microsoft Entra application proxy connector is now the Microsoft Entra private network connector. The new name emphasizes the connector as a common component that enables secure access to any resource on the private network, whether using Microsoft Entra Private Access or Microsoft Entra application proxy.

Microsoft Entra Global Secure Access is Microsoft's Security Service Edge platform for secure access to organizational resources. It acts as a gateway through which users reach corporate applications, data, and services, regardless of where they are.

Earlier this year, Microsoft unveiled a range of enhanced Security Service Edge (SSE) features as a component of their Microsoft Entra technology suite. Among these developments, Microsoft introduced the public preview of two novel secure remote access technologies, namely Microsoft Entra Internet Access and Microsoft Entra Private Access.

In this article, we will guide you through how to test and evaluate Microsoft Entra Private Access to access a private resource.

Microsoft Entra Private Access

Microsoft Entra Private Access is a cloud-based solution that builds on the Microsoft Entra application proxy (formerly Azure AD Application Proxy) access model to provide Zero Trust Network Access (ZTNA). With the connector installed on an on-premises server, administrators can publish private web and non-web applications that reside on-premises without any VPN client.

Through Microsoft Entra ID (formerly Azure AD) authentication and Conditional Access policies, administrators can require device compliance and enforce multifactor authentication (MFA) where needed. Microsoft Entra Private Access extends application proxy to TCP- and UDP-based applications such as RDP, SSH, SMB, and HTTP/S, to name a few. Previously, application proxy only supported web applications; now TCP- and UDP-based applications are reachable without a VPN.

Microsoft Entra Private Access

When a user requests access to corporate resources, Entra Global Secure Access acts as the gateway, authenticating the user’s identity. It verifies the user’s credentials and permissions before granting or denying access. If permission is granted, the user gains access to the requested resources, ensuring a secure and seamless experience. In cases where access is denied, Entra Global Secure Access blocks unauthorized attempts, maintaining the integrity of the organization’s data.

Access Private Resources using Microsoft Entra Private Access

Related: Understanding Microsoft Entra Global Secure Access.

Let’s look at how to evaluate and test drive RDP access using Microsoft Entra Private Access.

Prerequisites

To follow this guide, you need to have the following:

1) Entra ID Tenant with minimum Microsoft Entra ID Premium P1 license. If needed, you can purchase licenses or get trial licenses.

  • One user holding the Global Secure Access Administrator, Application Administrator, and Security Administrator roles, to configure the Microsoft Security Service Edge features.
  • At least one user or group to function as the client test user registered with MFA in your tenant.

2) One Windows Client device to test private access:

  • Windows 10/11 64-bit version.
  • Microsoft Entra joined or Microsoft Entra hybrid joined (a Microsoft Entra registered device is not sufficient).
  • Internet-connected, with no corporate network access and no VPN.
  • Local admin privilege (required to install the Global Secure Access client).
Join Windows Client device to Microsoft Entra ID

3) Download and install the Global Secure Access (GSA) agent on the client device (more on this below).

4) One or more Windows Servers to function as the Connector (Application Proxy) server to test private access:

  • Windows Server 2012 R2 or later; use a newer, still-supported OS version (Windows Server 2012 R2 left extended support in October 2023).
  • Network connectivity to Entra ID Service: Ports 80 and 443 are open to outbound traffic.
  • Network connectivity to Entra ID Service:  Allow access to required URLs.
  • Local Admin privilege (required to install the Connector service agent).
  • Remote Desktop enabled on the server side so you can test private access.

5) Download and install the Microsoft Entra private network connector on Windows Server (more on this below).
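Before running the connector installer, it is worth checking the items above from a script rather than by eye. The following PowerShell is an added example and not part of the original post or of Microsoft's installer: it checks the OS version, the TLS 1.2 and .NET strong-crypto registry values that the connector documentation calls for, outbound TCP 443 to two Entra sign-in endpoints (an illustrative subset of the required URLs, not the full list), and that Remote Desktop is enabled with its firewall rule group open. Run it in an elevated session on the Windows Server.

```powershell
# Added example, not code from the original post: pre-flight checks on the Windows
# Server that will host the private network connector and act as the RDP target.
# Run in an elevated session. The endpoint list is an illustrative subset; use the
# current Microsoft list of required connector URLs for a full check.
#Requires -RunAsAdministrator

$Tls12ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$DotNetKeys     = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')
$TerminalServer = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Test-ConnectorServerPrereqs {
    $r = [ordered]@{}

    # Windows Server 2012 R2 is kernel 6.3; anything older cannot run the connector
    $os = Get-CimInstance Win32_OperatingSystem
    $r['OSCaption']   = $os.Caption
    $r['OSSupported'] = [version]$os.Version -ge [version]'6.3'

    # The connector service speaks TLS 1.2 to the cloud service; SCHANNEL must allow it
    $tls = Get-ItemProperty -Path $Tls12ClientKey -ErrorAction SilentlyContinue
    $r['Tls12ClientEnabled'] = ($null -ne $tls) -and ($tls.Enabled -eq 1) -and ($tls.DisabledByDefault -eq 0)

    # .NET Framework 4.x processes (the connector is one) also need strong crypto switched on
    $r['DotNetStrongCrypto'] = @($DotNetKeys | ForEach-Object {
        (Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue).SchUseStrongCrypto -eq 1
    }) -notcontains $false

    # Outbound TCP 443 to Entra sign-in endpoints (illustrative subset of the required URLs)
    foreach ($fqdn in 'login.microsoftonline.com', 'login.windows.net') {
        $r["Tcp443_$fqdn"] = (Test-NetConnection -ComputerName $fqdn -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # Remote Desktop listener enabled and its firewall rule group open, so there is a target to publish
    $r['RdpEnabled']  = (Get-ItemProperty -Path $TerminalServer -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $r['RdpFirewall'] = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue).Count -gt 0

    [pscustomobject]$r
}

function Enable-ConnectorServerPrereqs {
    # Writes the TLS 1.2 / strong-crypto values documented for the connector and turns
    # Remote Desktop on. The TLS change needs a reboot before the connector installer runs.
    New-Item -Path $Tls12ClientKey -Force | Out-Null
    New-ItemProperty -Path $Tls12ClientKey -Name Enabled           -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Tls12ClientKey -Name DisabledByDefault -Value 0 -PropertyType DWord -Force | Out-Null
    foreach ($k in $DotNetKeys) {
        if (Test-Path $k) {
            New-ItemProperty -Path $k -Name SchUseStrongCrypto -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
    Set-ItemProperty -Path $TerminalServer -Name fDenyTSConnections -Value 0
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

# Report first; call Enable-ConnectorServerPrereqs only if something is $false, then reboot
Test-ConnectorServerPrereqs
```

Every property in the report should read True before you proceed to the connector installer. The firewall check only confirms that the built-in "Remote Desktop" rule group is enabled; if you later publish RDP on a non-default port, you need a matching inbound rule for that port as well.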

If you don’t have the necessary hardware, you can set up all machines on the same Hyper-V host, but most importantly, the Windows Client should NOT be on the same network or communicating with your Windows Servers. To do so, you could leverage the Hyper-V virtual switch Network Address Translation (NAT) capability, where you can create two NAT networks using two different subnets with Internet access.

Hyper-V virtual switch with NAT support

Once you create the two NAT networks, you need to connect one Internal NAT switch to your Windows Server and the second one to your Windows 10/11 Client. Here is a PowerShell command that will help you to connect both:

# Connect the Windows client to the first NAT switch
Get-VM -VMName "Windows11" | Get-VMNetworkAdapter | Connect-VMNetworkAdapter -SwitchName "NATvSwitch1"

# Connect the Windows Server to the second NAT switch (separate subnet, no path between the two)
Get-VM -VMName "WindowsSRV" | Get-VMNetworkAdapter | Connect-VMNetworkAdapter -SwitchName "NATvSwitch2"

Assuming you have all the prerequisites in place, take the following steps:

Enable RDP Access using Entra Private Access

In this section, we will go through all the necessary steps that you need to configure, so you get RDP access to your corporate server using the Microsoft Entra Private Access part of Microsoft Entra Global Secure Access (GSA). The same steps will apply to other private access like SSH, SMB file sharing, Web applications, and so on.

Step 1: Enable Global Secure Access

The first step is simple: if this is a brand new tenant, make sure that Global Secure Access is enabled.

1) Go to https://entra.microsoft.com and then browse to get started with Global Secure Access.

Get started with Global Secure Access

Global Secure Access is Microsoft’s Security Service Edge, which is a centralized location in the Microsoft Entra admin center. This location enables you to manage and configure various features. Additionally, most settings and features apply to both Microsoft Entra Private Access and Microsoft Entra Internet Access. However, some features are specific to one of these. In this example, we are focusing on Microsoft Entra Private Access.

Step 2: Enable Traffic Forwarding

The next step is to enable traffic forwarding or traffic acquisition profiles.

1) Go to https://entra.microsoft.com and then browse to Global Secure Access (Preview).

2) Next, go to Connect and then select Traffic Forwarding.

Traffic forwarding profiles let administrators select which traffic the Global Secure Access client should acquire and forward to the service. Once you enable one of these profiles (Microsoft 365 access profile, Private access profile, and soon Internet access profile), it is assigned to every device in the tenant that runs the Global Secure Access client.

3) For the context of this example, select and enable the Private access profile. By doing this, it tells the GSA client that it should start acquiring traffic that is for Private access.

Enable Traffic forwarding for Private Access

Step 3: Download and Install the GSA Client

The next step is to download and install the GSA client on Windows 10/11.

1) Go to https://entra.microsoft.com and then browse to Global Secure Access (Preview).

2) Next, go to Connect and then select Client Download.

3) Select Download Client under Windows, you can download it directly from this URL (https://aka.ms/GlobalSecureAccess-windows). At the time of this writing, the GSA Windows client is at version 1.7.376.1214. As a side note, you can also get early access to Android, iOS, and MacOS GSA clients.

Download GSA Client for Windows

4) Copy the GSA client to your Windows 10/11 machine and install it (local admin privilege is required to install the agent). Here is the Global Secure Access Client summary window once it is installed on your machine. The agent icon turns green once it is connected.

Global Secure Access Client Connection

At the time of this writing, the diagnostic console on the client machine would be accessible with admin permissions only.

Step 4: Enable Adaptive Access

For full integration of Conditional Access with Global Secure Access (Private Access as well as Internet Access), including Continuous Access Evaluation and Identity Protection, which are fundamental components of the Security Service Edge (SSE) solution, Source IP restoration must be enabled.

Source IP restoration makes the user's original source IP, rather than the Global Secure Access egress IP, appear in Microsoft Entra sign-in logs and in risk evaluation. This improves the quality of the security logs and keeps location-based Conditional Access conditions such as Named Locations, and the location-related Identity Protection detections, working as intended.

If you are planning to use Conditional Access policies for the Private access profile to be accessed from behind a compliant network, then you need to enable Adaptive Access under Global Secure Access > Session Management.

1) Go to https://entra.microsoft.com and then browse to Global Secure Access (Preview).

2) Next, go to Global Settings and then select Session Management.

3) Select the Adaptive Access tab and then toggle “Enable Global Secure Access signaling in Conditional Access” as shown in the figure below, and then click Save.

Enable Global Secure Access signaling in Conditional Access

By doing this, it tells Global Secure Access to provide signaling for network location information to Conditional Access, enabling administrators to create Conditional Access policies that restrict user access to specific apps based on their use of the Global Secure Access client or a remote network.

If you don’t do this, then you cannot select the “All Compliant Network locations (Preview)” Network Access as a location type in your conditional access policies under Conditions.

Conditional Access with All Compliant Network locations

Please note that you can still use Conditional Access and Global Secure Access for private access apps without Adaptive Access for network location. You can also configure other conditions and access controls and assign users and groups as needed.

It’s important to note that if your organization uses Conditional Access policies that rely on a compliant network check, disabling Global Secure Access signaling in Conditional Access could inadvertently prevent targeted end-users from accessing resources. If you need to disable this feature, make sure to first delete any related Conditional Access policies.

Step 5: Download and Install the Private Network Connector

Updated—18/04/2024 — As noted at the top of this article, the application proxy connector is now the Microsoft Entra private network connector. The same connector can serve Microsoft Entra Private Access and Microsoft Entra application proxy at the same time, and the new name now appears in the user interface. The screenshots below still show the old name.

The next step is to download and install the private network connector on the Windows Server that will act as the connector to our on-premises resources.

IMPORTANT: Please ensure you download and install the latest connector (Build v1.5.3829.0) to ensure support for all new features.

1) Go to https://entra.microsoft.com and then browse to Global Secure Access (Preview).

2) Next, go to Connect and then select Connectors.

3) Click on the Download connector service and then Accept Terms & Download.

Download Application Proxy Connector

4) Copy the “AADApplicationProxyConnectorInstaller.exe” to your Windows Server and then install it (you need to have a local admin privilege to install the Connector service).

5) Accept the license terms and conditions and follow the wizard.

Installing Microsoft Azure Active Directory Application Proxy Connector

6) Then sign in to Microsoft Azure with your Entra ID account which has a Global Secure Access Administrator, Application Administrator, or Security Administrator role.

Sign in to Microsoft Azure

7) Once the setup is completed, close the Microsoft Azure Active Directory Application Proxy Connector setup wizard.

Microsoft Azure Active Directory Application Proxy Connector Setup

8) Then switch to the Microsoft Entra admin center, create a new connector group under the Application proxy page, and move the newly added connector(s) into it. The status of the server should show as "Active" and green, as in the figure below. A freshly installed connector always lands in the Default connector group, so it is strongly recommended to create a dedicated group and keep the Default group empty. It is also recommended to have two or more active connectors in each group for high availability.

Please note that if this is the first connector that you are provisioning, that may take some time to show up on the Application proxy page.

Create a New Connector Group

To learn more about connectors, see Understand the Microsoft Entra private network connector.

Step 6: Create and Publish a Private Application

Next, we need to create and publish a private application.

1) Go to https://entra.microsoft.com and then browse to Global Secure Access (Preview).

2) Next, go to Applications and then select Enterprise Applications. As a side note, you could also use the Quick Access blade to create a quick access configuration that further simplifies VPN replacement. In this example, we will use the Enterprise applications option.

3) Click on New application, give it a descriptive Name, and then select the Connector Group for the Application proxy that you created in the previous step. The “Enable access with Global Secure Access Client” is selected by default.

Create a new enterprise private application

4) Then scroll to the Application Segment section and click Add application segment. Select the destination type: the default is IP address, and you can also use a fully qualified domain name, an IP address range (CIDR), or an IP address range (IP to IP). We leave the default, enter the private IP address of the Windows Server we want to reach (in this lab, the same server that hosts the connector), and type 3389 next to Ports for RDP access. You can also publish Remote Desktop on a port other than the default 3389; bear in mind that a non-default port only hides the listener from casual scanning, while the actual access control here is the user assignment in Step 7 and Conditional Access. Then click Apply to continue.

Create application segment

5) Last, click Save to create the Global Secure Access application.

Create a Global Secure Access application

Step 7: Assign users and groups to the Private Application

Once the private application is created, you need to add the users or groups that you need to allow to access the private application. If you don’t do that, you will receive the following Private Access Applications error message when the user tries to access the local application.

ZTNA Network Access Client -- Private

1) Go to https://entra.microsoft.com and then browse to Global Secure Access (Preview).

2) Next, go to Applications and then select Enterprise Applications.

3) Select the newly created private application. In this example, it’s RDP Private Access.

4) Then go to the Users and Groups page and click Add user/group, then add the desired user or group to allow access.

Add users and groups to the Private Application

Now we are ready to test and verify the RDP private access to our local server.

Test and Verify Private RDP Access

At the time of this writing, before you connect from the Windows client with the Remote Desktop Connection app, you need to disable Network Level Authentication (NLA) on the on-premises machine you want to reach; in this example, that is our Windows Server. This may change in the future, but today, if you skip this step, you receive the following error when you try to authenticate:

"The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. You can try connecting to the remote computer using your username and password instead."

Network Level Authentication (NLA) error

This is because NLA performs the credential exchange before the session is established, and on a domain-joined server that exchange relies on Kerberos. The client has to locate the Key Distribution Center (KDC) through the SRV records that Active Directory publishes in DNS, and our client has no private DNS through which to resolve them. So even if you publish everything today, including your domain controllers and the right ports, that private DNS piece is still missing. Hopefully, Microsoft will resolve that missing piece and get private DNS working in the future. Disabling NLA is acceptable for this lab only: it exposes the Windows logon screen to anything that can reach the RDP port before any authentication, so re-enable it as soon as the test is done.
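The NLA requirement is a single DWORD on the RDP-Tcp listener, which makes it easy to switch off for the test and switch back on afterwards from a script instead of the System Properties dialog. The following PowerShell is an added example, not code from the original post: it reads the current state, disables NLA for the lab, and restores the previous value when you are done. Run it in an elevated session on the Windows Server; the registry path and value semantics (1 = NLA required, 0 = not required) are the standard Terminal Server settings.

```powershell
# Added example, not code from the original post. Lab-only: turn NLA off on the RDP
# target so the Private Access test works, verify it, and restore it afterwards.
# UserAuthentication on the RDP-Tcp listener: 1 = NLA required, 0 = not required.
#Requires -RunAsAdministrator

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-NlaRequired {
    # $true when the listener demands Network Level Authentication before the logon screen
    (Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication).UserAuthentication -eq 1
}

function Set-NlaRequired {
    param([Parameter(Mandatory)][bool]$Required)
    $value = if ($Required) { 1 } else { 0 }
    # Same value the System Properties > Remote dialog writes; applies to new sessions
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value $value -Type DWord
    Get-NlaRequired
}

# Before the test: remember the current state, then disable NLA for the GSA lab
$before = Get-NlaRequired
"NLA required before change: $before"
$null = Set-NlaRequired -Required $false
"NLA required during the lab: $(Get-NlaRequired)"

# ... run the RDP test from the Windows client here ...

# After the test: put the listener back exactly as it was
$null = Set-NlaRequired -Required $before
"NLA required after restore: $(Get-NlaRequired)"
```

While NLA is off, keep the window short and, if the server is also reachable on its LAN, consider scoping the Remote Desktop firewall rule to the addresses that are supposed to reach it; the GSA path itself only admits users assigned to the private application.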

Next, switch to the Windows Client machine and then open the Global Secure Access Client Connection diagnostics from the taskbar, so we can see if we are acquiring traffic first. This is always a good practice to start with. As mentioned earlier, the diagnostic console on the client machine would be accessible with admin permissions only.

GSA Connection diagnostics

Under the Flows tab, you should see the following “private.edgediagnostic.globalsecureaccess.microsoft.com“.

Global Secure Access Client Connection diagnostics

If you don’t have admin permission locally on the device, then you could also open the Client Checker utility built into the GSA client which will perform an auto-check against the Global Secure Access service. You should verify that the “Private’s edge reachable” and the “Private tunneling success” are “YES“.

GSA Client checker

Now, we are good to go and test the private access connection. Switching to our machines on-premises, we have the Windows Server on the left side and Windows 11 on the right side. We can see that the client cannot reach our Windows Server IP 192.168.0.250 on the local LAN.

Windows Server and Windows client side-by-side without interconnection

Next, open the Remote Desktop Connection app on the client device and enter the IP address of your Windows Server. You can also connect directly from a command prompt with "mstsc /v:192.168.0.250", and if you published Remote Desktop on a port other than the default 3389, append the port to the address, for example "mstsc /v:192.168.0.250:3395".

Enter your credentials

After we authenticate and assume that the user is also a member of the local Remote Desktop Users group on the server, you should be able to connect successfully to the private IP address from the device where we installed the Global Secure Access client. Bingo!!!

Connecting to RDP with private IP through Entra Private Access

Checking the Flows tab in the Global Secure Access Client Connection diagnostics, we can see that the client acquired the traffic and connected remotely to "192.168.0.250" through Microsoft Entra Private Access. Note that we are acquiring by IP, not by hostname, which is visible under the Flows tab.
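The "cannot reach on the LAN, can reach through GSA" comparison above can be captured from the client as well. The following PowerShell is an added example, not code from the original post: it attempts a TCP connect to the published segment and an ICMP echo to the same host, and is meant to be run once with the Global Secure Access client stopped and once with it connected. The server IP and port are the lab values from this post.

```powershell
# Added example, not code from the original post: run on the Windows 11 client.
# Shows that the RDP target is only reachable once the Global Secure Access client
# is acquiring traffic for the published segment. IP/port are the post's lab values.

$Target = '192.168.0.250'
$Port   = 3389

function Test-PrivateAccessPath {
    param([string]$ComputerName = $Target, [int]$TcpPort = $Port)

    # TCP connect to the published IP:port. With the GSA client connected and the
    # Private access profile enabled, the connect is intercepted by the client and
    # tunneled to the connector; without it, it goes to the local network and fails.
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port $TcpPort -WarningAction SilentlyContinue

    # ICMP is not part of the published segment (only TCP 3389 is), so ping is expected
    # to fail in both cases. Do not use it to judge Private Access reachability.
    $icmp = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Target          = "${ComputerName}:${TcpPort}"
        TcpReachable    = $tcp.TcpTestSucceeded
        IcmpReachable   = [bool]$icmp
        SourceInterface = $tcp.InterfaceAlias
    }
}

# 1. GSA client stopped: expect TcpReachable = False (client and server are on separate NAT subnets)
Test-PrivateAccessPath

# 2. GSA client connected (green): expect TcpReachable = True, IcmpReachable still False
Test-PrivateAccessPath

# 3. Start the RDP session the post describes; use the host:port form if published on e.g. 3395
Start-Process -FilePath mstsc.exe -ArgumentList "/v:${Target}:${Port}"
```

A True in TcpReachable with the client connected tells you the flow was acquired and the connector answered, not that the client has a route to 192.168.0.250; the same connect should appear under the Flows tab a moment later.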


Checking the traffic logs from Microsoft Entra admin center > Global Secure Access portal by navigating to the Traffic logs blade under Monitor and then filtering the destination IP that we accessed remotely “192.168.0.250“, we can see that the traffic is Private, the User principal name is “john.peter@“, and the Source IP which is coming from a public IP address.

Global Secure Access | Monitor > Traffic logs

Then, if you click one of these entries to open Activity Details, we can see the destination IP "192.168.0.250", destination port "3389", the source IP (the client's public IP) and source port, the traffic type Private, and the user principal name "john.peter@".
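The same traffic logs can be pulled from a script, which is how you would feed them into detection or an export rather than reading them in the portal. The following PowerShell is an added example and not code from the original post or from Microsoft: it queries the Global Secure Access traffic log endpoint in Microsoft Graph beta (networkAccess/logs/traffic) through the Microsoft.Graph PowerShell SDK. It assumes the NetworkAccess-Reports.Read.All permission and that the property names used here (createdDateTime, destinationIp, destinationPort, trafficType, userPrincipalName, sourceIp, action, deviceId) match your tenant's current schema; verify them against the Graph reference before relying on the filter.

```powershell
# Added example, not code from the original post or from Microsoft. Pulls the Global
# Secure Access traffic logs shown in the portal via Microsoft Graph (beta) so they can
# be checked or exported from a script. Assumes the Microsoft.Graph PowerShell SDK,
# the NetworkAccess-Reports.Read.All permission, and that the property names below
# match the tenant's current networkAccessTraffic schema (verify against the docs).

Connect-MgGraph -Scopes 'NetworkAccess-Reports.Read.All' -NoWelcome

function Get-GsaPrivateTrafficToHost {
    param(
        [Parameter(Mandatory)][string]$DestinationIp,
        [int]$DestinationPort = 3389,
        [int]$LookbackHours = 24
    )
    $since  = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('o')
    # OData filter: private traffic to one IP:port within the lookback window
    $filter = "destinationIp eq '$DestinationIp' and destinationPort eq $DestinationPort " +
              "and trafficType eq 'private' and createdDateTime ge $since"
    $uri    = "https://graph.microsoft.com/beta/networkAccess/logs/traffic" +
              "?`$filter=$([uri]::EscapeDataString($filter))&`$top=100"

    # Follow @odata.nextLink until the result set is exhausted
    $rows = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $rows += $page.value
        $uri = $page.'@odata.nextLink'
    }

    $rows | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.createdDateTime
            User     = $_.userPrincipalName
            SourceIp = $_.sourceIp
            Dest     = "$($_.destinationIp):$($_.destinationPort)"
            Traffic  = $_.trafficType
            Action   = $_.action
            DeviceId = $_.deviceId
        }
    }
}

# Same view as the portal filter on the post's lab server
$hits = Get-GsaPrivateTrafficToHost -DestinationIp '192.168.0.250'
$hits | Sort-Object Time -Descending | Format-Table -AutoSize

# Detection angle: a hit whose User is not assigned to the private application, or whose
# SourceIp is outside the public ranges you expect your clients to come from, deserves an alert
$hits | Where-Object { $_.User -notin @('john.peter@') }
```

Because Private Access flows are attributed to a user principal name and a device, the traffic log is the right place to confirm that only the users assigned in Step 7 ever reached the published port; the list of expected UPNs in the last line is a placeholder for your own assignment list.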

Global Secure Access | Monitor > Traffic logs > Activity Details

There you have it. Happy Accessing Private Resources without a VPN using Microsoft Entra Private Access!

In Conclusion

In this guide, we showed you how to test and evaluate Microsoft Entra Private Access step-by-step by accessing a local Windows Server through a Remote Desktop Connection (RDP).

Private Access offers two ways to set up the private resources that you want to securely access through the service. The first way is by configuring Quick Access, which is the primary group of fully qualified domain names (FQDNs) and IP addresses that you want to secure. The second way is by configuring a Global Secure Access app for per-app access, which is what we showed in this guide that allows you to specify a subset of private resources that you want to secure. The Global Secure Access app gives you a more detailed approach to securing your private resources.

Microsoft Entra Private Access lets you replace a VPN with a one-time configuration of connectors and private applications, giving secure access to internal resources under the control of Conditional Access.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.