Implementing Microsoft Private Access -- A Technical Guide


In a previous article I discussed Global Secure Access (GSA) : The future of secure corporate Internet browsing --- A Technical Guide. Now I will present a step-by-step guide for implementing Global Secure Access (Private Access) in Microsoft Entra ID.

I - What is Global Secure Access ?

Microsoft Private Access is a security solution in Microsoft Entra that changes the way users access private applications and resources inside an organization. Its main aim is to replace traditional virtual private networks (VPNs) with a more modern, more secure and easier-to-manage solution: instead of placing the user's device on the corporate network, each published application is reached individually through an identity-aware tunnel.


II - Key features of Microsoft Private Access :

  • Zero Trust Access : MPA is part of the Zero Trust security model, where no user or device is automatically approved. Each access request is authenticated and authorized according to several criteria, including the user's identity, the device used, and the context of the request.
  • Granular network segmentation : Enables the network to be segmented to limit user and device access to only those resources they need to perform their tasks. This reduces the attack surface by isolating different parts of the network.
  • Policy-based access control : Administrators can define access policies based on various parameters, such as geographical location, device type, time of request, and more. These policies enable precise control over who can access what, and under what conditions.
  • Integration with Microsoft 365 and Azure : MPA natively integrates with other Microsoft products, such as Microsoft 365 and Azure, making it easy to manage and implement security across the entire Microsoft infrastructure.
  • Threat Monitoring and Analysis : MPA includes advanced monitoring and analysis tools to detect suspicious behavior and respond rapidly to security incidents. This includes integration with Microsoft Sentinel, a security information and event management (SIEM) solution.
  • Optimized user experience : While security is a priority, MPA is designed to minimize friction for end-users, delivering a seamless experience while ensuring robust resource protection.

In short, Microsoft Private Access is a key component of Microsoft's Zero Trust security strategy, offering enhanced protection against modern threats while facilitating flexible, secure access to corporate resources.


III - Prerequisites for Microsoft Private Access :

  • Azure subscription
  • Entra ID tenant with P1 licences (provided from Business Premium licences and above)
  • Global Secure Access Administrator role or Global Administrator role.
  • Microsoft Entra joined device (formerly Azure AD joined) for the end user.


IV - Mindmap to setup Microsoft Private Access :

Here is a mindmap of the steps needed to implement GSA Private Access:


V - Start Microsoft Private Access Configuration :

If you have followed my previous article "Global Secure Access (GSA) : The future of secure corporate Internet browsing --- A Technical Guide", Global Secure Access is already enabled in your tenant; you only need to enable the Private Access profile.

Step 1 : Activate and configure Global Secure Access in your tenant :


  • Log in to the Microsoft Entra admin center (https://entra.microsoft.com/)
  • Go to "Global Secure Access" in the left menu bar
  • Select "Get started"
  • Select "Activate" to activate Global Secure Access in your tenant (this step is required before any GSA feature or capability can be used in your environment)

The second feature we need to enable is access signaling in Conditional Access.

Adaptive access settings allow admins to enable features used by Microsoft Entra Conditional Access and Microsoft Entra Identity Protection; with signaling enabled, Conditional Access can take into account whether a request arrives through the Global Secure Access client.

After enabling Global Secure Access and Access signaling in conditional access :

  1. Return to "Global Secure Access" menu
  2. Expand "Connect" from the left menu bar then "Traffic forwarding"
  3. Enable "Private Access Profile"

  • You will be asked to confirm; select "OK":

  • The Private Access profile is now enabled.

  1. Select "Assign users and groups"
  2. Select the "Assign to all users" option (fine for a lab; in production, scope the profile to a pilot group first):

  • After assignment:

Now that Global Secure Access is enabled and configured, we can move to the next phase: installing the Application Proxy connector.


Step 2 : Downloading and Installing Application Proxy Connector


To install the connector, I'll use an Azure VM.

For Microsoft Entra Private Access, install an Application Proxy connector on an on-premises or cloud Windows server that has network line of sight to the private resources you want to publish (I'll use my Azure cloud server):

Download the connector from the portal:

  1. Select "Global Secure Access"
  2. Select "Connect" then "Connectors"
  3. Select "Download Connector service"
  4. Select "Accept terms & download" to proceed with connector download

  • Copy the setup file to your server and start the setup:
  • Select "I agree..." and click "Install"

  • After the setup finishes, authenticate with a Microsoft 365 admin account:

  • Select "Close" to close the setup window.

  • If you go back to the connectors page in the portal, the connector we've just installed will appear.
  • Check that its status shows as active

Now that we've finished installing the connector, let's move on to the enterprise application creation stage.


Step 3 : Create Enterprise Application and publish ports


Before creating the Enterprise Application, note the server's local IP address, because we will use it in the following configuration steps.

As you can see here, my local IP address is 10.0.0.4.

Now let's move on to Enterprise Application creation:

  • Navigate to Global Secure Access in the Microsoft Entra ID blade.
  • Expand “Applications” and click on “Enterprise applications.”
  • Then click “New application” to start the configuration.

  • Provide an explicit name for the RDP-SMB server application.
  • Select the appropriate connector group for the RDP-SMB server (the group containing the connector installed in Step 2).
  • Ensure that "Enable access with Global Secure Access client" is enabled, then add the application segment.

In the “Create application segment” fly-out pane, specify the Destination type, its corresponding values, and the ports you wish to grant access to.

The available options for the destination type field include:

  • IP Address : Represents the internal IP Address of the resources (10.0.0.4 in my case).
  • Fully Qualified Domain Name : Represents the resources’ internal FQDN.
  • IP Address Range (CIDR) : Represents the internal IP Address range of the resources in CIDR format using a network mask.
  • IP Address Range (IP) : This represents the internal IP Address range of the resources in IP format, using a starting and ending IP address.

Once you have configured all the fields accordingly, click “Apply” to save the application segment.

I have created two port entries for the same address (you can separate ports with "," in the port field and create them in a single line):

  • 3389 for RDP
  • 445 for SMB
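The application segment is the place where least privilege is decided: a CIDR or IP-range destination with a broad port list exposes far more than the two ports above. The following Python is an added example (not code from the guide or from Microsoft) that models the four destination types and the comma-separated port field, validates them the way a reviewer would before clicking "Apply", and reports which ports a given host ends up exposed on across all segments. The type names `ipAddress`, `fqdn`, `ipRangeCidr` and `ipRange` are labels chosen here for the portal's four options, not Microsoft identifiers.

```python
import ipaddress
import re
from dataclasses import dataclass

# Labels for the four destination types in the "Create application segment" pane
# (names chosen for this example, not Microsoft's own identifiers).
DEST_TYPES = ("ipAddress", "fqdn", "ipRangeCidr", "ipRange")

# RFC 1123 host labels: letters, digits, hyphens, no leading/trailing hyphen, at least one dot.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


@dataclass
class AppSegment:
    destination_type: str
    destination: str   # normalised destination value
    ports: list        # inclusive (low, high) port ranges
    protocol: str = "TCP"


def parse_ports(spec: str) -> list:
    """Parse the port field: comma-separated ports or ranges, e.g. "3389,445" or "8000-8010"."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low_s, high_s = item.split("-", 1)
            low, high = int(low_s), int(high_s)
        else:
            low = high = int(item)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port range: {item!r}")
        ranges.append((low, high))
    if not ranges:
        raise ValueError("at least one port is required")
    return ranges


def normalise_destination(dest_type: str, value: str) -> str:
    """Validate the destination against its type and return a canonical form."""
    if dest_type == "ipAddress":
        return str(ipaddress.ip_address(value))
    if dest_type == "ipRangeCidr":
        # strict=True rejects a host address written with a mask, e.g. 10.0.0.4/24
        return str(ipaddress.ip_network(value, strict=True))
    if dest_type == "ipRange":
        start_s, end_s = (p.strip() for p in value.split("-", 1))
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if start.version != end.version or start > end:
            raise ValueError(f"invalid IP range: {value!r}")
        return f"{start}-{end}"
    if dest_type == "fqdn":
        if not FQDN_RE.match(value):
            raise ValueError(f"invalid FQDN: {value!r}")
        return value.lower()
    raise ValueError(f"unknown destination type: {dest_type!r}")


def build_segment(dest_type: str, value: str, ports: str, protocol: str = "TCP") -> AppSegment:
    if protocol not in ("TCP", "UDP"):
        raise ValueError(f"unsupported protocol: {protocol!r}")
    return AppSegment(dest_type, normalise_destination(dest_type, value), parse_ports(ports), protocol)


def _host_matches(seg: AppSegment, host: str) -> bool:
    """True if host (an IP, or a hostname for FQDN segments) is inside the segment's destination."""
    if seg.destination_type == "fqdn":
        return host.lower() == seg.destination
    ip = ipaddress.ip_address(host)
    if seg.destination_type == "ipAddress":
        return ip == ipaddress.ip_address(seg.destination)
    if seg.destination_type == "ipRangeCidr":
        return ip in ipaddress.ip_network(seg.destination)
    start, end = (ipaddress.ip_address(p) for p in seg.destination.split("-"))
    return ip.version == start.version and start <= ip <= end


def segment_covers(seg: AppSegment, host: str, port: int, protocol: str = "TCP") -> bool:
    """True if traffic to (host, port, protocol) would be tunnelled through this segment."""
    if protocol != seg.protocol or not any(lo <= port <= hi for lo, hi in seg.ports):
        return False
    return _host_matches(seg, host)


def exposed_ports(segments: list, host: str, protocol: str = "TCP") -> list:
    """Every port on host reachable through any segment: spots an over-broad CIDR segment quickly."""
    ports = set()
    for seg in segments:
        if seg.protocol == protocol and _host_matches(seg, host):
            for lo, hi in seg.ports:
                ports.update(range(lo, hi + 1))
    return sorted(ports)


if __name__ == "__main__":
    rdp_smb = build_segment("ipAddress", "10.0.0.4", "3389,445")   # the segment from this guide
    print(rdp_smb)
    print("exposed on 10.0.0.4:", exposed_ports([rdp_smb], "10.0.0.4"))
```

Run `exposed_ports` over all segments of every Private Access app before assigning users: if a server that should only offer 3389 and 445 also appears with 22 or 5985 through a wide CIDR segment of another app, that segment is too broad.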

Now that the Enterprise Application is created, we can move to the next phase: specifying which users or groups should have access to it.


Step 4 : specify which users or groups should have access to the Enterprise Application


We must now specify which users or groups should have access to the Enterprise Application.

To do this :

  • Go back to "Enterprise applications" and open the app you just created

  • Go to the "Users and groups" tab and click "Add user/group"

  • Select your group (I have already created an Entra ID group for Private Access)

  • Select "Assign"

  • Here, access has been granted to "Private Access Group".

Now that we have specified which users or groups should have access to the Enterprise Application, we can move to the next phase: creating a Conditional Access policy for Private Access.


Step 5 : Create Conditional Access Policy for Private Access


In this part, I will apply a Conditional Access policy with basic values (you can tighten this rule by adding locations, device types, device compliance, etc., according to your company's needs).

To do this :

  1. Go to Microsoft Entra admin center then select "Protection"
  2. Select "Conditional Access"
  3. Select "Policies" from right menu bar
  4. Click "New Policy" to proceed with new policy creation

  • Give a name to your policy
  • Select Users (here I will use the same group as in the Enterprise Application)

  • Go to the Target resources section
  • Select Cloud apps from the list box
  • Select your app (GlobalITnow-RDP-SMB) from the app list, as in the following screenshot

  1. In the Grant section, select "Grant access"
  2. Then select "Require multifactor authentication"
  3. Then click "Select"
  4. Select "On" to enable the policy
  5. Select "Create" to create the policy

  • Here is the newly created policy
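A policy that was saved in report-only mode, or that targets the wrong app, silently enforces nothing, so it is worth auditing the result rather than trusting the screenshot. The Python below is an added example (not from the guide or from Microsoft) that checks a Conditional Access policy object, in the JSON shape returned by Microsoft Graph for `conditionalAccessPolicy`, for the controls this step configured: enabled state, the Private Access app in target resources, the Private Access group in scope, and MFA (or an authentication strength) as the grant control. The app and group IDs are constructed placeholders; the `BASELINE_POLICY` document is built inline to mirror this step's settings.

```python
import copy

# Constructed placeholder object IDs; replace with the values from your tenant.
PRIVATE_ACCESS_APP_ID = "<object-id-of-GlobalITnow-RDP-SMB-app>"
PRIVATE_ACCESS_GROUP_ID = "<object-id-of-Private-Access-Group>"

# Constructed policy document in the Graph conditionalAccessPolicy shape,
# mirroring the settings chosen in this step (group scope, one app, require MFA, state On).
BASELINE_POLICY = {
    "displayName": "GSA Private Access - require MFA",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": [],
            "includeGroups": [PRIVATE_ACCESS_GROUP_ID],
            "excludeUsers": [],
        },
        "applications": {
            "includeApplications": [PRIVATE_ACCESS_APP_ID],
            "excludeApplications": [],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None},
}


def audit_private_access_policy(policy: dict, app_id: str, group_id: str) -> list:
    """Return a list of findings; an empty list means the policy enforces what Step 5 intends."""
    findings = []

    state = policy.get("state")
    if state != "enabled":
        # "enabledForReportingButNotEnforced" (report-only) and "disabled" enforce nothing
        findings.append(f"state is {state!r}: the policy is not enforced")

    conditions = policy.get("conditions") or {}
    apps = conditions.get("applications") or {}
    included_apps = apps.get("includeApplications") or []
    if app_id not in included_apps and "All" not in included_apps:
        findings.append("Private Access app is not in target resources")
    if app_id in (apps.get("excludeApplications") or []):
        findings.append("Private Access app is explicitly excluded")

    users = conditions.get("users") or {}
    if group_id not in (users.get("includeGroups") or []) and "All" not in (users.get("includeUsers") or []):
        findings.append("Private Access group is not in the policy's user scope")

    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "block" in controls:
        findings.append("policy blocks access instead of granting with MFA")
    elif "mfa" not in controls and not grant.get("authenticationStrength"):
        findings.append("no MFA requirement: neither the mfa control nor an authentication strength is set")
    if len(controls) > 1 and grant.get("operator") == "OR":
        findings.append("several controls combined with OR: a user needs to satisfy only one of them")

    return findings


def weakened_copy(policy: dict) -> dict:
    """Constructed counter-example: the same policy left in report-only mode with MFA removed."""
    weak = copy.deepcopy(policy)
    weak["state"] = "enabledForReportingButNotEnforced"
    weak["grantControls"]["builtInControls"] = []
    return weak


if __name__ == "__main__":
    for name, pol in (("baseline", BASELINE_POLICY), ("weakened", weakened_copy(BASELINE_POLICY))):
        print(name, audit_private_access_policy(pol, PRIVATE_ACCESS_APP_ID, PRIVATE_ACCESS_GROUP_ID) or ["OK"])
```

To audit a live tenant, feed the function the policy objects returned by Graph (`GET /identity/conditionalAccess/policies`) together with the app's and group's object IDs; any non-empty result for the Private Access policy is something to fix before rolling the client out.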

Now, let's move on to the next step: downloading and installing the Windows client on the user machine.


Step 6 : Download and install Windows Client on user machine


I already covered these steps in my first article on Internet Access, so if you have already installed the client app there is no need to install it again.

In the Microsoft Entra portal :

  • Navigate to Global Secure Access
  • Expand "Connect" and select “Client download“.
  • On the Client download page, expand the "Windows 10/11" section and click "Download Client"

  • Here is the agent file to copy to the end-user machine.

  • Let's connect to the Entra ID joined machine and proceed with the agent installation.

  • Double-click the setup file
  • Select "I agree..."
  • Click the "Install" button

After finishing program setup :

  • Click "Close"

After installing the client agent on my VM, I would expect to see an Office 365 authentication window. In my case, my machine is already joined to Intune, so no re-authentication is needed, which is why I can't see it; on your side you may see it, so just authenticate with your Office 365 user account.

  • Look at the system tray (notification area) to double-check that the installation was successful. If you see the client icon there and it's running, the installation worked.

  • Verify that the client has successfully connected to the Global Secure Access service by checking the client's overview interface.

  • Open the Global Secure Access client and go to the Health check screen. Confirm that "Tunneling succeeded Private Access" shows "Yes".


Step 7 : Test Connection to server


We'll start by testing the RDP connection to the 10.0.0.4 server we added at the beginning.

  • We are successfully connected to the server.

Now, let's try an SMB connection.

I have created a shared folder on the server; let's try to connect to it:

  • We are successfully connected to the server.

Before testing remote connections, check that every port you published in the application segment (3389 and 445 here) is actually listening on the server and allowed through its firewall. The connector only forwards tunnelled traffic to the target; it cannot open a port the server itself does not answer on.
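When the health check says "Tunneling succeeded" but RDP or SMB still fails, the usual cause is the published port not being reachable from the connector host. The Python below is an added example (not from the guide) of that pre-flight check: it probes each published port with a plain TCP connect and lists the ones that fail. Because it has to run offline here, it stands up a constructed loopback listener for the "open" case and a deliberately released port for the "closed" case; against the real server you would call `check_published_ports("10.0.0.4", PUBLISHED_PORTS)` from the connector machine.

```python
import socket
import threading

# Ports published in the application segment for the 10.0.0.4 server in this guide.
PUBLISHED_PORTS = {"RDP": 3389, "SMB": 445}


def check_tcp_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, or name resolution failure
        return False


def check_published_ports(host: str, ports: dict, timeout: float = 2.0) -> dict:
    """Probe every published port and return {name: reachable}.

    Run this from the connector host: that is where the tunnelled traffic is forwarded
    from, so its view of the server is the one that matters."""
    return {name: check_tcp_port(host, port, timeout) for name, port in ports.items()}


def missing_ports(results: dict) -> list:
    """Names of the published ports that did not answer, sorted for stable reporting."""
    return sorted(name for name, ok in results.items() if not ok)


def start_local_listener() -> tuple:
    """Constructed stand-in for a listening service on 127.0.0.1 (demo only).

    Returns (server_socket, port); close the socket to stop the accept loop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def closed_local_port() -> int:
    """Bind and immediately release a port so that connecting to it is refused (demo only)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    results = check_published_ports("127.0.0.1", {"open": open_port, "closed": closed_local_port()})
    srv.close()
    print(results, "missing:", missing_ports(results))
```

A port reported as missing here will fail through Private Access too, regardless of the client's tunnel status, so fix the service or the server firewall first and only then retest from the client.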

Conclusion :

Microsoft Private Access is a powerful and flexible solution for improving the security and simplicity of access to private resources. If you're looking to modernize your access infrastructure, Microsoft Private Access is a solution you should seriously consider.


Thanks


Aymen EL JAZIRI

System Administrator
