Exploring Microsoft Entra Private Access
In today’s world, where remote and hybrid work is the norm, securing access to internal applications is more important than ever. That’s where Microsoft Entra Private Access comes in. It provides a Zero Trust Network Access (ZTNA) solution, allowing users to securely connect to private apps without the need for a traditional VPN.
If you’re looking to get started with Entra Private Access, this guide will walk you through the essentials.
Why Entra Private Access?
Traditional VPNs are often slow, difficult to manage, and pose security risks if not properly configured. Entra Private Access offers a modern alternative by:
- Enforcing Zero Trust principles – No automatic trust, every request is verified.
- Providing seamless access – Users can connect securely without the hassle of VPN tunnels.
- Enhancing security – Conditional Access policies can be applied to private apps.
- Reducing attack surface – No need to expose applications directly to the internet.

Setting Up Private Access
Getting started with Private Access is pretty straightforward. The first step is enabling the Traffic Forwarding profile in Microsoft Entra. Think of traffic forwarding as the traffic cop of your network: it ensures that traffic from devices and endpoints is securely and efficiently routed through the Entra service. It’s all part of the Zero Trust Network Access (ZTNA) framework, meaning every bit of traffic is authenticated, encrypted, and monitored before it reaches your corporate resources.
To set this up, just head to Global Secure Access > Connect > Traffic Forwarding and enable the Private Access Profile.

The next step is setting up the Private Network Connectors in Entra. Don’t worry; it’s not as complicated as it sounds. You’ll just need an account with at least the Application Administrator role in Entra to get started. The connector acts as a bridge between your internal network and Microsoft’s cloud, allowing secure access to private applications.
Here’s how you do it: go to Global Secure Access > Connect > Connector and download the Connector Service. Once you’ve got it, install the service on a member server. Microsoft has some detailed documentation on setting these up, so if you’re curious or need a deeper dive, you can check that out here.

The installation of the connector is straightforward. After launching the executable, click the install button. You will be prompted to enter your Entra credentials, which need to be at least Application Administrator in Entra. After entering your credentials, you will be prompted to restart the server.


You can organize the connectors into connector groups. By grouping multiple connectors, organizations can achieve high availability and load balancing, ensuring consistent performance and fault tolerance.
Creating an Application Segment
With the connector up and running, it’s time to set up an application segment. Think of these segments as neat little groups of resources (URLs, domains, IP addresses, or ports) that let you fine-tune your access policies. They’re a great way to enforce Zero Trust principles while keeping things organized and secure.
Here’s how to do it: Head to Global Secure Access > Applications > Enterprise Applications. Click on New Application, give it a name, and choose the connector group that includes the connector we just installed. Then, select Add Application Segment, and you’re all set!

Since this application will be allowing RDP to this server, I want to allow port 3889 for the FQDN of the server.

Once we save the application and exit, the application appears in the list. You will then need to assign the users and/or groups that need access to this application.
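The portal clicks above are fine for one server, but a scripted version is easier to review and repeat, and it makes the least-privilege shape of a segment explicit (one FQDN, one protocol, one port, one group). The script below is an added example written for this post, not Microsoft's code, and it rests on several assumptions you should verify against the current Microsoft Graph documentation before use: that the Microsoft.Graph PowerShell SDK is installed; that application segments are created through the beta endpoint `/applications/{id}/onPremisesPublishing/segmentsConfiguration/microsoft.graph.ipSegmentConfiguration/applicationSegments` with a body of `destinationHost`, `destinationType`, `ports` and `protocol`; that `Application.ReadWrite.All` and `AppRoleAssignment.ReadWrite.All` are sufficient scopes; and that the Private Access application and its service principal were already created in the portal as described above. The object IDs and host name are parameters you supply; the defaults are placeholders.

```powershell
<#
  Added example (not part of the original post): create a Private Access
  application segment and assign a group with Microsoft Graph PowerShell.
  Assumptions (verify against Microsoft's Graph docs): beta endpoint path for
  application segments, required scopes, and that the app/service principal
  already exist. IDs and host name below are placeholders you must supply.
#>
param(
    [Parameter(Mandatory)] [string] $ApplicationObjectId,  # object id of the Private Access app
    [Parameter(Mandatory)] [string] $ServicePrincipalId,   # object id of its service principal
    [Parameter(Mandatory)] [string] $GroupObjectId,        # group that should reach the server
    [Parameter(Mandatory)] [string] $DestinationHost,      # e.g. 'srv01.corp.example' (placeholder)
    [ValidateRange(1, 65535)] [int] $Port = 3389,          # RDP default; override if the host listens elsewhere
    [ValidateSet('tcp', 'udp')] [string] $Protocol = 'tcp'
)

# Guard rails before touching the tenant: a wildcard host or a whole-range port
# list turns a tight segment into a broad one, which defeats the point of ZTNA.
if ($DestinationHost -match '[\*\s]') {
    throw "Refusing wildcard or malformed host '$DestinationHost'; publish the specific FQDN instead."
}

# Scopes are an assumption; adjust if your tenant reports insufficient privileges.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

$segmentUri = "https://graph.microsoft.com/beta/applications/$ApplicationObjectId" +
              "/onPremisesPublishing/segmentsConfiguration" +
              "/microsoft.graph.ipSegmentConfiguration/applicationSegments"

# One host, one protocol, one port. Graph expects port ranges, so a single
# port is written as "3389-3389" (assumed body shape).
$segment = @{
    destinationHost = $DestinationHost
    destinationType = 'fqdn'
    ports           = @("$Port-$Port")
    protocol        = $Protocol
}

$created = Invoke-MgGraphRequest -Method POST -Uri $segmentUri -Body $segment
Write-Host "Created segment $($created.id): $DestinationHost $Protocol/$Port"

# Assign the group to the app's service principal. The app role is assumed to be
# the first enabled role the service principal exposes; if it has none, the
# all-zeros GUID is the default-access role.
$sp     = Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId
$role   = $sp.AppRoles | Where-Object { $_.IsEnabled } | Select-Object -First 1
$roleId = if ($role) { $role.Id } else { '00000000-0000-0000-0000-000000000000' }

New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $ServicePrincipalId `
    -PrincipalId $GroupObjectId -ResourceId $ServicePrincipalId -AppRoleId $roleId | Out-Null
Write-Host "Assigned group $GroupObjectId to service principal $ServicePrincipalId"

# Review pass: list every segment on the app so an over-broad entry (wide port
# range, IP range instead of a host) is visible at a glance.
$existing = Invoke-MgGraphRequest -Method GET -Uri $segmentUri
foreach ($s in $existing.value) {
    $width = ($s.ports | ForEach-Object {
        $lo, $hi = $_ -split '-'; [int]$hi - [int]$lo + 1
    } | Measure-Object -Sum).Sum
    $flag = if ($s.destinationType -ne 'fqdn' -or $width -gt 1) { '  <-- review: broader than one host/port' } else { '' }
    Write-Host ("{0,-40} {1,-8} {2,-4} {3}{4}" -f $s.destinationHost, $s.destinationType, $s.protocol, ($s.ports -join ','), $flag)
}
```

Run it as `.\New-PrivateAccessSegment.ps1 -ApplicationObjectId <app-id> -ServicePrincipalId <sp-id> -GroupObjectId <group-id> -DestinationHost srv01.corp.example -Port 3389`. The review loop at the end is the part worth keeping around: rerun it periodically so that segments which quietly grew from one port to a range, or from an FQDN to an IP range, show up before Conditional Access is the only thing standing between a user and the whole subnet.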


Controlling Access
Now that we’ve got our application set up, it’s time to think about access control. Using Conditional Access, we can fine-tune who gets in and how. Don’t worry: we’ll dive into all the details in a future blog, along with installing the GSA client on a device for some hands-on testing. Stay tuned!