Microsoft Entra Private Access gives users secure access to the internal network and cloud-based services from anywhere in the world. Setting up and maintaining (complex) VPN connections is now a thing of the past. Microsoft Entra Private Access is part of Microsoft Global Secure Access, which includes a range of identity and network access security products. The service is based on the SASE framework (Secure Access Service Edge), which combines WAN functions and zero-trust network access (ZTNA) in a cloud-based platform.

This blog post shows the configuration steps for Microsoft Entra Private Access for using local resources such as Remote Desktop Services (RDS) or SMB file sharing.

Microsoft Entra Private Access is in the preview phase at the time of writing. This article will be updated continuously.

Prerequisites and Licensing

Licences

During the preview phase, a Microsoft Entra ID P1 licence is required. At the time of writing, it is not yet known which licences, plans or add-ons will be necessary once Microsoft Entra Private Access is globally available.

Roles

Setting up and managing Microsoft Entra Private Access requires the Global Secure Access Administrator role.

Registering the Application Proxy Connector requires the Application Administrator role.

Devices

The following requirements apply to the devices:

  • Operating system Windows 10 or Windows 11
    Early access is available for iOS and macOS as a private preview; Android is planned.
  • Devices must be either Microsoft Entra joined or Microsoft Entra hybrid joined
    Microsoft Entra registered devices aren’t supported

Onboard Microsoft Entra Private Access

Enable Microsoft Entra Private Access

Microsoft Entra Private Access is activated under Traffic forwarding.

Enable the Private access profile under Global Secure Access > Connect > Traffic forwarding

Installation of the Application Proxy Connector

Microsoft Entra Private Access requires an Application Proxy Connector on an on-premises Windows server to establish a secure outbound connection from the internal network to Microsoft Entra.
Download the Application Proxy Connector under Global Secure Access > Connect > Connectors > Download connector service > Accept terms & Download.

Copy the downloaded file AADApplicationProxyConnectorInstaller.exe to a server running Windows Server 2016 or later. The Application Proxy Connector must be installed on a server that has network access to all internal applications that are to be published.

Start installation with Install

The installation is in progress.

To register the Application Proxy Connector, you must sign in with an account that has the Application Administrator role assigned.

The Application Proxy Connector is installed.

The secure connection between the internal network and Microsoft Azure is now set up and established with status Active.


Quick Access configuration

Quick Access provides secure access to internal resources.
This blog post looks at the configuration for accessing Remote Desktop Services (RDS) and SMB file sharing in a local Active Directory domain.

Application settings

An enterprise application is created for Quick Access.
This is done in two steps: first the application is created, then its settings are edited.

  1. Enter the application name, e.g. int.cloudcoffee.ch
  2. Select the connector group whose Application Proxy Connectors have access to the resources.
  3. Click Save
  4. Open the enterprise application with Edit application settings

The application settings are made using the familiar settings of an enterprise application.
Two settings are worth mentioning here:

  1. Users and groups
    Define the users and groups who will have access to this enterprise application.
  2. Conditional Access
    Because Quick Access is an enterprise application, Microsoft Entra Conditional Access policies can be applied to it.

Remote Desktop Services (RDS)

Access to Remote Desktop Services (RDS), e.g. to Remote Desktop Session Collections, requires FQDN name resolution to work through the client. This is configured in Quick Access.

Global Secure Access > Applications > Quick Access

  1. Click Add Quick Access application segment
  2. Choose Destination type Fully qualified domain name
  3. Enter the FQDN of the target server, e.g. a Microsoft Remote Desktop Connection Broker.
  4. Enter ports 3389 (Remote Desktop Protocol) and 443 (HTTPS)
    Multiple ports are entered comma-separated
  5. Click Apply
  6. Click Save

The configuration for accessing the Remote Desktop Services (RDS) is done.

SMB file sharing

Connections to SMB file shares are made using the fully qualified domain name (FQDN) of the file server. This is configured in Quick Access.

Global Secure Access > Applications > Quick Access

  1. Click Add Quick Access application segment
  2. Choose Destination type Fully qualified domain name
  3. Enter the FQDN of the file server
  4. Enter port 445 (Server Message Block)
  5. Click Apply
  6. Click Save

The configuration for accessing SMB file shares is done.

Onboard Client

Client for Windows 10 / Windows 11

Download client software

Download the client software for Windows 10 or Windows 11 under
Global Secure Access > Devices > Clients > Download client

Deploying client software by using Microsoft Intune

The downloaded GlobalSecureAccessClient.exe file must be converted to the .intunewin format. Instructions for this can be found here: Deploying .exe Applications with Microsoft Endpoint Manager | Practical365

Sign in to the Microsoft Intune admin center (https://endpoint.microsoft.com)

Open Apps > Windows > Add

Select the app type Windows app (Win32)

Upload the .intunewin file (GlobalSecureAccessClient.intunewin) created earlier. Fill in the remaining details about the application according to your own guidelines.

Check settings and create app by clicking Create.

The GlobalSecureAccessClient app is ready for rollout.
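The packaging step above, as an added PowerShell example that is not part of the original post. It assumes the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe) is in the current directory, that the installer sits in the Source folder shown, and that GlobalSecureAccessClient.exe accepts the /install /quiet /norestart and /uninstall /quiet /norestart switches; verify the switches against Microsoft's client documentation before rollout.

```powershell
# Added example (not from the original post): package the downloaded client into an
# .intunewin file and emit the command lines for the Win32 app's Program section.
$Source = 'C:\Packaging\GSA\Source'   # assumed folder containing GlobalSecureAccessClient.exe
$Output = 'C:\Packaging\GSA\Output'   # assumed folder where the .intunewin file is written
$Setup  = 'GlobalSecureAccessClient.exe'

New-Item -ItemType Directory -Path $Output -Force | Out-Null

# -c source folder, -s setup file, -o output folder, -q quiet (no interactive prompts).
& '.\IntuneWinAppUtil.exe' -c $Source -s $Setup -o $Output -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

$Package = Join-Path $Output 'GlobalSecureAccessClient.intunewin'
if (-not (Test-Path $Package)) { throw "Expected package not found: $Package" }

# Install/uninstall switches are an assumption; confirm them in Microsoft's documentation.
[pscustomobject]@{
    Package          = $Package
    InstallCommand   = "$Setup /install /quiet /norestart"
    UninstallCommand = "$Setup /uninstall /quiet /norestart"
}
```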

Manual installation of the client software

Start the installation by double-clicking the downloaded file GlobalSecureAccessClient.exe.

Click Install

Installation in progress.

The installation is successfully completed.

Sign-in to Global Secure Access

Global Secure Access starts automatically after signing in to the device (1) and launches the sign-in screen (2).

A successful sign-in to Global Secure Access is indicated by a green check mark in the taskbar.

Client for Android

A client is planned for Android, but is not yet available.

Client for iOS

A private preview client is available for iOS.
Early access to the client can be requested using the following link: iOS Client (Private Preview).

Client for macOS

A private preview client is available for macOS.
Early access to the client can be requested using the following link: macOS Client (Private Preview).

Operational check

In the examples below, the domain int.cloudcoffee.ch is used. This domain is private and cannot be resolved or reached from the public internet.

Nslookup

The FQDN of the server cclvsrlb001.int.cloudcoffee.ch resolves to the IP address 6.6.0.3. This IP address is part of the Entra Private Access IP range, i.e. it is a synthetic address handed out by the client rather than the server's real internal address. The traffic is routed via Global Secure Access to the server in the internal network.

Remote Desktop Services (RDS)

Remote Desktop Services can be accessed in exactly the same way as from the internal network; no changes to the connection information are required.
Example:
Microsoft Remote Desktop Web Access (https://cclvsrlb001.int.cloudcoffee.ch/rdweb)

Remote desktop connections (mstsc.exe)

SMB file share

SMB file shares are connected via the UNC path, e.g. \\cclvsrdc001.int.cloudcoffee.ch\Daten
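The operational checks above (name resolution, RDS ports and the SMB port), as an added PowerShell script that is not part of the original post. Host names and ports are the ones used in this post; the expected address prefix 6.6. is an assumption derived from the 6.6.0.3 example and should be adjusted to the synthetic range shown in your tenant.

```powershell
# Added example (not from the original post): confirm on an onboarded Windows client that
# the Quick Access segments are in effect. A host that resolves to a non-synthetic address
# or whose port is unreachable points at a missing or wrong application segment.
$ExpectedPrefix = '6.6.'   # assumed from the 6.6.0.3 example above; adjust for your tenant

$Targets = @(
    @{ Host = 'cclvsrlb001.int.cloudcoffee.ch'; Ports = 3389, 443 }   # RD Connection Broker / RD Web
    @{ Host = 'cclvsrdc001.int.cloudcoffee.ch'; Ports = 445 }         # SMB file server
)

function Test-PrivateAccessTarget {
    param([string]$HostName, [int[]]$Ports, [string]$Prefix)

    # The client answers the query with a synthetic address from the Private Access range.
    # Anything else means the name is not covered by an application segment on this device.
    $ip = (Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    $synthetic = [bool]($ip -and $ip.StartsWith($Prefix))

    foreach ($port in $Ports) {
        # TcpTestSucceeded is true only if the tunnel reaches the internal service on that port.
        $tcp = Test-NetConnection -ComputerName $HostName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $HostName
            Resolved  = $ip
            Synthetic = $synthetic
            Port      = $port
            Reachable = $tcp.TcpTestSucceeded
        }
    }
}

$Targets |
    ForEach-Object { Test-PrivateAccessTarget -HostName $_.Host -Ports $_.Ports -Prefix $ExpectedPrefix } |
    Format-Table -AutoSize
```

Run it once from the internal network and once from outside; the Resolved column should change to a synthetic address off-network while Reachable stays true.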

Troubleshooting

Entra Portal

The log and diagnostic options for Global Secure Access in the Microsoft Entra portal are still limited in the preview. As the service is in the preview phase, the diagnostic capabilities are being expanded and improved continuously.

Traffic logs

It can take up to 15 minutes before traffic appears in the log. Occasionally the log fails to load with an access error; it can usually be displayed again later.

Global Secure Access > Monitor > Traffic logs

Devices

Various diagnostic tools for troubleshooting are already available on the device in the preview version.

Collect Logs

Collect Logs gathers the client's traffic logs, audit logs and network traces into one bundle for troubleshooting.

Client Checker

The Client Checker runs a script that checks all components required for a working client.

Connection Diagnostics

Connection Diagnostics displays in real time the connection status between the device and Global Secure Access for all relevant services (Flows, Hostname Acquisition, Services and Channels).

Good to know

Application Proxy Connector

Unused Application Proxy Connectors are marked as inactive and removed from Microsoft Global Secure Access after 10 days of inactivity. However, the Application Proxy Connector is not automatically removed from the Windows server; it has to be uninstalled there manually.
