Finally! Private Access for Domain Controllers is Here

Lock down Domain Controllers with Conditional Access magic.

You know those tech features you’ve been eagerly waiting for, counting down like a kid before Christmas? Yep, that’s me with the new Private Access for Domain Controllers. Nerd alert… totally guilty!

Why should you care? Well, let’s say someone’s password gets compromised. Unless the request also passes the right checks, like Multi-Factor Authentication (MFA), device compliance, location, or risk assessment, the bad guys can’t get far. The sensor won’t issue a Kerberos ticket, effectively putting a stop to lateral movement. Pretty neat, huh?

Let’s Get This Party Started (Setup Time!)

I’m going to skip the entire Private Access installation because that’s a whole other ballgame. If you’re new to it, check out my earlier series. Today, we’re laser-focused on setting up Private Access for our beloved Domain Controllers.

First things first, hop into Entra and navigate to Global Secure Access > Connect > Connectors and Sensors. Once you’re there, select Private Access Sensors and click Download. Important: Install this sensor on your Domain Controller and ensure TCP port 1337 is open in Windows Firewall (more on that in a second).

Installing the Sensor

The installation is refreshingly straightforward.

Just sign in with your account that has at least Global Secure Access admin rights.

After a few minutes (go ahead, grab that coffee) you’ll see the sensor pop up as active. If it’s dragging its feet, patience (and caffeine) is key!

Registry Keys and Breaking the Glass

Back on your DC, you’ll find a couple of registry settings worth noting:

  • AuditMode: This key is set to report-only mode by default. Want to switch gears and go live? Flip this to 0.
  • TmpBreakglass: As dramatic as it sounds, setting this to 1 temporarily allows all traffic through your digital version of “in case of emergency, break glass.”

After modifying either of these values, you will need to restart the Private Connector service. I also found during testing that if I run into an issue where I’m locking myself out, I can just stop the service. I broke my domain a few times during testing.

The JSON Files

On your DC, two JSON files await your attention:

  • Cloud Policy: Managed through Entra cloud. Double-check that the SPNs you care about (like cifs/* or your DC’s own SPN) are correctly listed.
  • Local Policy: Perfect for overrides. Crucially, add your Private Network Connector’s IP address in the “SourceIPAllowList” section. This ensures only your approved connector can pass Kerberos requests; everything else gets the boot.

This is IMPORTANT (if I could make this flashing text I would). Microsoft recommends testing this functionality on your private apps first. You can cause issues if testing this in a production environment. Please don’t go big bang right out of the gate.

Windows Firewall (It’s Okay, Deep Breaths!)

Yes, you need to open port 1337 TCP in your Windows Firewall. I know, eyebrows might raise, but remember: your network firewall is your shield. This doesn’t have to be visible to the outside world.

Here’s your handy command:

New-NetFirewallRule -DisplayName "Entra Private Access Sensor" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 1337 `
  -Action Allow `
  -Profile Domain,Private
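Before flipping AuditMode to 0, it helps to confirm the pieces above are in a safe state. The following pre-flight check is an added example, not code from the original post or from Microsoft; the registry path, the two JSON file paths, the JSON layout and the connector IP are placeholders, since the post names the values but not where they live.

```powershell
# Added example: pre-flight check on the DC before moving the sensor out of report-only.
# All paths and the connector IP are PLACEHOLDERS/constructed; adjust to your environment.
param(
    [string]   $RegPath       = 'HKLM:\SOFTWARE\PLACEHOLDER\PrivateAccessSensor', # placeholder
    [string]   $LocalPolicy   = 'C:\PLACEHOLDER\LocalPolicy.json',                # placeholder
    [string]   $CloudPolicy   = 'C:\PLACEHOLDER\CloudPolicy.json',                # placeholder
    [string[]] $ConnectorIPs  = @('10.0.0.25'),   # constructed Private Network Connector IP(s)
    [string[]] $RequiredSpns  = @('cifs/*')       # SPNs the post says must be in the cloud policy
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry: TmpBreakglass=1 lets ALL traffic through, AuditMode=0 means enforcing.
$reg = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
if (-not $reg) {
    $findings.Add("Registry path $RegPath not found")
} else {
    if ($reg.TmpBreakglass -eq 1) { $findings.Add('TmpBreakglass is 1: break-glass is still on') }
    $mode = if ($reg.AuditMode -eq 0) { 'ENFORCING' } else { 'report-only' }
    Write-Host "AuditMode currently: $mode"
}

# 2. Local policy: every connector IP must be in SourceIPAllowList
#    (assumes the key is top-level in the JSON; placeholder layout).
if (Test-Path $LocalPolicy) {
    $local = Get-Content -Path $LocalPolicy -Raw | ConvertFrom-Json
    foreach ($ip in $ConnectorIPs) {
        if ($local.SourceIPAllowList -notcontains $ip) {
            $findings.Add("Connector $ip is missing from SourceIPAllowList")
        }
    }
} else { $findings.Add("Local policy file $LocalPolicy not found") }

# 3. Cloud policy: required SPNs present (plain text match, no layout assumed).
if (Test-Path $CloudPolicy) {
    $cloudRaw = Get-Content -Path $CloudPolicy -Raw
    foreach ($spn in $RequiredSpns) {
        if ($cloudRaw -notmatch [regex]::Escape($spn)) { $findings.Add("SPN $spn not in cloud policy") }
    }
} else { $findings.Add("Cloud policy file $CloudPolicy not found") }

# 4. Firewall: the inbound TCP 1337 rule from the post must exist and be enabled.
$rule = Get-NetFirewallRule -DisplayName 'Entra Private Access Sensor' -ErrorAction SilentlyContinue
$port = if ($rule) { $rule | Get-NetFirewallPortFilter }
if (-not $rule -or [string]$rule.Enabled -ne 'True' -or $port.LocalPort -ne '1337' -or $port.Protocol -ne 'TCP') {
    $findings.Add('Inbound TCP 1337 firewall rule missing, disabled, or wrong port/protocol')
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'All checks passed: safe to set AuditMode=0 and restart the Private Connector service.'
```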

Time for the Big Test

With everything in place, let’s see this magic in action. I’ve set up an SPN for my file share. The result? Without meeting the GSA client and CA conditions, access is a no-go.

On my test machine, the GSA client is off. Attempting to access the share gives a “Nope!” message.

Once I enable the GSA client and authenticate, everything magically falls into place: access granted!

The Best Part

My favorite part? Wrapping it all up with Conditional Access (CA) policy. Imagine requiring a compliant device, and someone tries to sneak in with a non-compliant one. They’re swiftly shown the digital door with a polite but firm “access denied” message.

There we have it, Private Access made simple (and secure)! Happy securing!

Dustin Gullett

Dustin Gullett is a Microsoft MVP focused on Microsoft Security, Intune, Entra ID, and Zero Trust architecture. He writes practical guides for admins deploying Microsoft security tools in the real world.