Microsoft Entra Private Access: Secure Access for External Users to Internal Resources
Connecting external users to internal resources has traditionally been implemented using VPN. While this approach provides network connectivity, it does not consistently align with Zero Trust principles. With the external user access capability in Microsoft Entra Global Secure Access, external identities can now be integrated into existing Microsoft Entra Private Access configurations. Microsoft Entra Private Access External Users authenticate with their own identity and device and intentionally switch to the resource tenant within the Global Secure Access Client. During this tenant switch, a Private Access tunnel is established that restricts connectivity exclusively to explicitly published internal applications.
At the time of writing, support for Microsoft Entra Private Access External Users is in Public Preview. This article outlines the prerequisites and configuration steps required to enable secure access to internal resources for external users using Microsoft Entra Private Access.
Prerequisites and Licensing
External Users in the Resource Tenant
External users who require access to internal resources through Microsoft Entra Private Access must be present in the Resource Tenant as guest user objects and configured accordingly. A detailed step-by-step guide is available in the following Microsoft Learn article: Quickstart: Add a guest user and send an invitation – Microsoft Entra External ID | Microsoft Learn
Microsoft Entra Private Access Enabled in the Resource Tenant
Microsoft Entra Private Access must be enabled in the Resource Tenant and configured to publish at least one internal application. A complete step-by-step guide is available at the following link: Microsoft Entra Private Access: Secure Access to Internal Resources and Cloud Services without VPN – cloudcoffee.ch
Global Secure Access Client Installed on the Guest Device
The Global Secure Access Client must be installed on the external user’s device. The latest version is available for download in the Microsoft Entra admin center (https://entra.microsoft.com) under Global Secure Access > Connect > Client download.

In addition to installing the Global Secure Access Client, the external user access capability must be enabled on the client device using the following registry key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Global Secure Access Client]
"GuestAccessEnabled"=dword:00000001
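
For scripted rollout, the same registry value can be set and verified with PowerShell. This is an added example, not taken from the original article or from Microsoft documentation; the function names are hypothetical, and the script assumes an elevated 64-bit PowerShell session.

```powershell
# Added example: set and verify GuestAccessEnabled for the Global Secure Access Client.
# Function names are hypothetical. Run elevated; HKLM is not writable otherwise.
$KeyPath   = 'HKLM:\Software\Microsoft\Global Secure Access Client'
$ValueName = 'GuestAccessEnabled'

# A 32-bit process on 64-bit Windows is redirected to WOW6432Node and would
# write the value under a different key than the one shown above.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    throw 'Run this script in 64-bit PowerShell.'
}

function Test-GuestAccessEnabled {
    # True only if the value exists, is a DWORD, and equals 1.
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    if ($key.GetValueNames() -notcontains $ValueName) { return $false }
    if ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return $false
    }
    return ($key.GetValue($ValueName) -eq 1)
}

function Enable-GuestAccess {
    # Create the key if the client has not created it yet.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force replaces an existing value, including one of the wrong type.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force |
        Out-Null
}

if (Test-GuestAccessEnabled) {
    Write-Output "$ValueName is already set to 1."
} else {
    Enable-GuestAccess
    if (-not (Test-GuestAccessEnabled)) { throw "Failed to set $ValueName." }
    Write-Output "$ValueName has been set to 1."
}
```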

Licenses
Home Tenant
No Microsoft Entra Private Access license is required in the external user’s Home Tenant. The only requirement is that the tenant has Microsoft Entra ID Free or a higher edition. Microsoft Entra ID Free is included by default in every tenant.
Resource Tenant
External users do not need to be assigned a Microsoft Entra Private Access license in the Resource Tenant. The key requirement is that Microsoft Entra Private Access is already licensed in the Resource Tenant and configured for internal users.
Accordingly, no separate Microsoft Entra Private Access license is required for the external user in either the Home Tenant or the Resource Tenant.
Roles
To grant external users access to internal resources through Microsoft Entra Private Access, the following role is appropriate in the Resource Tenant, following the principle of least privilege:
| Role | Permission |
| --- | --- |
| Global Secure Access Administrator | Manage Global Secure Access |
Assign External Users to an Internal Resource
To enable an external user to access an internal resource, the corresponding resource must be assigned in the Resource Tenant. The assignment is performed in the Microsoft Entra admin center (https://entra.microsoft.com) under Global Secure Access > Applications > Enterprise applications, where the internal resource is selected.

Select Users and groups > Add user/group, then add the external user. Alternatively, the assignment can be performed through a Microsoft Entra group.
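
To review which guests currently hold such an assignment, directly or through a group, the enterprise application can be queried with Microsoft Graph PowerShell. This is an added example, not part of the original article; the application name is a placeholder, the function name is hypothetical, and the Microsoft.Graph module is assumed to be installed.

```powershell
# Added example: list guest users assigned to a published internal application.
# Requires the Microsoft.Graph PowerShell module.
$AppDisplayName = 'Internal-App-Placeholder'   # placeholder: enterprise application name

Connect-MgGraph -Scopes 'Application.Read.All', 'User.Read.All', 'GroupMember.Read.All'

function Get-GuestAssignment {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$DisplayName)

    # Escape single quotes for the OData filter.
    $escaped = $DisplayName -replace "'", "''"
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$escaped'"
    if (@($sp).Count -ne 1) {
        throw "Expected exactly one service principal named '$DisplayName'."
    }

    $assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
    foreach ($a in $assignments) {
        # Candidate users: the assigned principal itself, or a group's direct members.
        $candidates = switch ($a.PrincipalType) {
            'User'  { @{ Id = $a.PrincipalId; Via = 'direct' } }
            'Group' {
                Get-MgGroupMember -GroupId $a.PrincipalId -All |
                    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
                    ForEach-Object { @{ Id = $_.Id; Via = "group: $($a.PrincipalDisplayName)" } }
            }
        }
        foreach ($c in $candidates) {
            $u = Get-MgUser -UserId $c.Id -Property Id, DisplayName, UserPrincipalName, UserType
            if ($u.UserType -eq 'Guest') {
                [pscustomobject]@{
                    Application = $sp.DisplayName
                    Guest       = $u.UserPrincipalName
                    AssignedVia = $c.Via
                    AssignedOn  = $a.CreatedDateTime
                }
            }
        }
    }
}

Get-GuestAssignment -DisplayName $AppDisplayName | Sort-Object Guest | Format-Table -AutoSize
```

Running this per published application gives a periodic review list of external identities with Private Access reachability.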

External User Access to an Internal Resource
To access an internal resource, the external user must switch tenants within the Global Secure Access Client.
Open the Global Secure Access Client (1) and select the user profile (2). All tenants in which the user exists as a guest are then displayed. Select the Resource Tenant (3).

After a short moment, the connection to the selected tenant (1) is established and Microsoft Entra Private Access (2) is shown as connected.

In the Advanced Diagnostics section of the Global Secure Access Client, the applied Microsoft Entra Private Access rules are displayed.

Good to Know
Tunnel Behavior During Tenant Switch
When switching to the Resource Tenant, existing Internet Access, Microsoft 365 and Microsoft Entra tunnels connected to the Home Tenant are not retained.
Existing Sessions Remain Active
When switching tenants, existing active sessions to applications in the previous tenant remain active, for example RDP connections. However, if such a connection is disconnected or restarted, it cannot be re-established in the previous tenant.
Client Restart Required for Configuration Changes
Changes to tenant assignments or to the Private Access profile only take effect after the Global Secure Access Client has been restarted.
Conclusion
Support for Microsoft Entra Private Access External Users extends the existing Private Access configuration in the Resource Tenant with a dedicated access path for B2B guest scenarios. Access is established through the Global Secure Access Client by switching to the Resource Tenant and is strictly limited to published internal resources. This enables controlled external access without relying on a traditional VPN.