Microsoft Entra Private Access: Secure Access to Internal Resources and Cloud Services without VPN

Last Updated on 14. February 2026

Microsoft Entra Private Access enables identity-based access to private enterprise applications and resources located on premises and in the cloud, without relying on traditional VPN connections. Access control is provided by Microsoft Entra ID, which enforces Zero Trust principles based on contextual signals.

As a component of Microsoft Entra Global Secure Access, the service delivers location-independent network access. Microsoft Entra ID evaluates identity, device status and applicable policies to determine access.

This article describes how to configure Microsoft Entra Private Access, starting with service activation and Quick Access configuration through to the installation of the Global Secure Access client. Validation of the setup is performed using name resolution and a Remote Desktop connection to an internal resource.

Prerequisites and Licensing

Licensing

For Microsoft Entra Private Access, one of the following licenses is required per user:

  • Microsoft Entra Suite
  • Microsoft Entra Private Access

Detailed information on the available plans and pricing can be found in the official Microsoft documentation: Microsoft Entra Plans and Pricing | Microsoft Security

Roles

For Microsoft Entra Private Access, the following roles are appropriate when applying the principle of least privilege:

| Role | Permission |
| --- | --- |
| Global Secure Access Administrator | Set up and manage Global Secure Access |
| Conditional Access Administrator | Configure and manage Microsoft Entra Conditional Access policies |
| Application Administrator | Create and configure Enterprise applications and Quick Access and register the Private Network Connectors |

Devices

The following device requirements apply:

Set up Microsoft Entra Private Access

Enabling Microsoft Entra Private Access

Microsoft Entra Private Access is enabled via Traffic forwarding in the Microsoft Entra admin center (https://entra.microsoft.com).

Under Global Secure Access > Connect > Traffic forwarding, enable the Private access traffic profile.

Assign users and groups.
All users (1), individual users, or groups (2) can be selected. This action requires both the Global Secure Access Administrator and the Application Administrator role at the same time.

Installing the Private Network Connector

Microsoft Entra Private Access requires the installation of the Private Network Connector on a local Windows Server. The connector establishes an outbound connection from the internal network to Microsoft Entra and enables access to private resources.

The Private Network Connector is downloaded from the Microsoft Entra admin center (https://entra.microsoft.com) under Global Secure Access > Connect > Connectors and sensors > Private Network Connectors > Download connector service. The download starts after the terms of service are accepted.

The downloaded installation file MicrosoftEntraPrivateNetworkConnectorInstaller.exe is copied to a Windows Server running Windows Server 2016 or later and then installed. Microsoft Entra Private Access requires the Private Network Connector to be installed on a server that has network access to the internal target resources.

Start the installation by selecting Install.

The installation is in progress.

To register the Private Network Connector, an account with the Microsoft Entra Application Administrator role is required.

The Private Network Connector is installed and a server restart is required.

The Private Network Connector establishes the outbound connection to Microsoft Entra Global Secure Access and shows the status Active in the Microsoft Entra admin center.

Configuring Quick Access

Quick Access defines the target resources that are exposed through Microsoft Entra Private Access. Fully qualified domain names (FQDNs) or IP address ranges combined with port definitions determine which traffic is routed through Microsoft Entra Private Access.

This section describes the configuration of Quick Access for accessing a Remote Desktop Session Host (RDSH).

Quick Access for Remote Desktop Session Host (RDSH)

In the Microsoft Entra admin center (https://entra.microsoft.com), navigate to Global Secure Access > Applications and open Quick Access.

  1. Assign a Name for Quick Access, for example int.cloudcoffee.ch
  2. Select the Connector Group through which the Private Network Connector has access to the target resources
  3. Select Save

The next step is to configure the application segments. The following configuration describes access to a Remote Desktop Session Host using a fully qualified domain name.

The application segment is created under Application segments > Add Quick Access application segment.

  1. Select Fully qualified domain name as the target type
  2. Enter the fully qualified domain name (FQDN), for example cclvsrts001.int.cloudcoffee.ch
  3. Specify Port 3389 (RDP)
  4. Select TCP as the Protocol

Save the configuration by selecting Apply.

The configuration is applied by selecting Save.

Under Users and groups, Microsoft Entra users or groups are assigned access to the configured application segments.

Optionally, a Microsoft Entra Conditional Access policy can be configured for Quick Access to further enhance security.

Quick Access for a Remote Desktop Session Host (RDSH) is now configured. Additional services, such as SMB file shares, can be configured using the same approach.

Tip
Quick Access assignments are global. All users and groups assigned to Quick Access have access to all configured application segments.

For granular user assignment to individual applications, enterprise applications are used. They support application-specific Microsoft Entra Conditional Access policies and follow the same configuration model as Quick Access.

Installing the Global Secure Access Client

The client software for Windows 10 and Windows 11 is downloaded from the Microsoft Entra admin center (https://entra.microsoft.com) under Global Secure Access > Connect > Client Download.

The installation of the downloaded file GlobalSecureAccessClient.exe is started by double-clicking it.

The installation starts.

The installation is complete.

The Global Secure Access Client starts automatically after the user signs in to the device (1) and establishes the connection for the user (2).

Validation

The following examples validate name resolution (FQDN) and the Remote Desktop connection (RDP) for cclvsrts001.int.cloudcoffee.ch. The server is a member of the Active Directory domain int.cloudcoffee.ch and is accessible only from the internal network. Access is performed from a client located outside the int.cloudcoffee.ch network.

Name Resolution (FQDN, nslookup)

Name resolution for cclvsrts001.int.cloudcoffee.ch returns the IP address 6.6.0.71. This address is part of the Microsoft Entra Private Access IP address range 6.6.0.0/16.

Remote Desktop Session Host (RDSH)

Access to the Remote Desktop Session Host is established via the FQDN cclvsrts001.int.cloudcoffee.ch using mstsc.exe (Remote Desktop Connection).
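The two validation checks above can also be scripted on the client. The following PowerShell is an added example, not part of the original article; it assumes the Global Secure Access client is connected and uses the FQDN, port and 6.6.0.0/16 range named in this section. The helper name Test-IPv4InCidr is hypothetical.

```powershell
# Added example (not from the original article). FQDN, port and address
# range are the values used in the validation above; adjust as needed.
$Fqdn  = 'cclvsrts001.int.cloudcoffee.ch'
$Port  = 3389
$Range = '6.6.0.0/16'   # Private Access range as stated in this article

# Hypothetical helper: is an IPv4 address inside a CIDR range?
function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    # Render an IPv4 address as a 32-character bit string.
    $toBits = {
        param($ip)
        -join ([System.Net.IPAddress]::Parse($ip).GetAddressBytes() |
            ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
    }
    # Two addresses share a network when their first $prefix bits match.
    (& $toBits $Address).Substring(0, [int]$prefix) -eq
        (& $toBits $network).Substring(0, [int]$prefix)
}

# Name resolution check (PowerShell counterpart of the nslookup test).
$addresses = @(Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object -ExpandProperty IPAddress)

# TCP check against the port defined in the application segment.
$tcp = Test-NetConnection -ComputerName $Fqdn -Port $Port -WarningAction SilentlyContinue

# Summary object: one line per check result.
[pscustomobject]@{
    Fqdn             = $Fqdn
    ResolvedAddress  = $addresses -join ', '
    InPrivateRange   = [bool]($addresses | Where-Object { Test-IPv4InCidr $_ $Range })
    TcpPortReachable = $tcp.TcpTestSucceeded
}
```

If InPrivateRange is False, the name was not answered from the 6.6.0.0/16 range, so the connection is not taking the Private Access path validated above.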

Troubleshooting

The logging and diagnostic capabilities of Global Secure Access are described in the article Microsoft Entra Internet Access: Protect users with powerful web content filtering – cloudcoffee.ch.

Good to Know

Private Network Connector

Private Network Connectors that do not establish an active connection to Microsoft Entra Global Secure Access for a period of 10 days are shown as inactive and are automatically removed. The local connector installation on the Windows Server remains in place and is not automatically uninstalled.

Conclusion

Microsoft Entra Private Access demonstrates that secure access to internal resources can be implemented without relying on a traditional VPN. Identity, device status and context-based policies are consistently integrated into the access path in accordance with the Zero Trust model, without introducing additional network complexity. This makes Microsoft Entra Private Access a viable alternative to VPN-based architectures, particularly for hybrid and modern work scenarios.