RDP Private Resources using Microsoft Entra Private Access - Quick Access
Microsoft Entra Private Access gives Entra admins the ability to manage access to the fully qualified domain names (FQDNs) and IP addresses that are considered private or internal.
Private Access provides two ways to configure the private resources that Entra admins want to tunnel through the Microsoft Entra Edge. The first option is Quick Access, where you define a group of FQDNs and IP addresses that you want to secure. The second option is the Global Secure Access app for per-app access, which allows Entra admins to specify a subset of private resources with a more granular approach.
In this blog post, I will focus on the Quick Access capability, which provides a quick and straightforward way to access internal resources with a simple, one-time configuration.
Ready? Let's Go!!!!
Prerequisites
To configure Quick Access, the following is required:
Admin privileges to install the Application Proxy Connector agent on the on-premises hosted server.
Application Proxy Connector
The first step is to download and install the Application Proxy connector agent to enable secure communication between the resources inside the network and the application proxy.
Download the connector installer by navigating to the Connectors blade within the Global Secure Access portal and clicking on Download connector service.
Copy the agent installation file to the server hosted on-premises that will act as the application proxy connector.
Launch the installation file and click on Install.
Once the installation is complete, sign in using your Entra credentials with the Global Secure Access Administrator role.
The installation is now successful. You can verify the connector service by checking services.msc on the server.
Navigate to the Entra Global Secure Access portal, click on Connect and choose the Connectors blade to verify the connector details.
In my case, I have a testing server called "ampiOSQL01" that I am using as the application proxy connector, where I installed the application proxy connector agent.
I will be using the Default Connector Group for testing purposes; therefore, my application proxy connector is under the default Connector Group.
Configure Quick Access
The second step is to configure the Quick Access settings, where I will define the IP address that I want to access through RDP using Microsoft Entra Private Access.
Navigate to the Global Secure Access portal, choose the Applications Blade and click on Quick Access.
Enter a name (in my case I will name it "RDP to ampiO") and choose the Connector Group "Default", to which we linked our application proxy connector in the previous step.
Next, add the Quick Access application segment, where I will define the IP address and the port that I want to access and that will be included in the Microsoft Entra Private Access traffic.
Within the same Quick Access blade, click on Add Quick Access application segment.
In my case, I have an on-premises Windows 10 machine (192.168.2.46) that I will be accessing from outside the network using the Entra Private Access capability over RDP port 3389, as below.
Click on Apply, and then Save. The Quick Access configuration is now complete.
Assign Users and Group
When we completed the Quick Access configuration in the previous section, a new Enterprise Application was created on my behalf. Therefore, we need to grant access to the Quick Access app by adding users and/or groups to the app.
From within the Quick Access blade, click on Edit application settings.
The Enterprise Application blade will open, and you will notice that its name matches the name defined in the Quick Access configuration.
Navigate to the Users and groups blade and add the user that will be used to access the private resources through RDP. In my case, I will add my own user for testing.
Enable Microsoft Entra Private Access
So far, I have installed the application proxy connector agent on our on-premises server, configured Quick Access, added the private internal IP address that we want to access remotely, and added the user that will be accessing this internal IP address. The last step is to enable the Private access profile from the Traffic forwarding blade.
Note: You can enable the profile before configuring Quick Access.
From the Global Secure Access portal, navigate to Connect and choose Traffic forwarding. Check the Private access profile checkbox.
That's it, the Private access profile is enabled.
Note: You can apply conditional access policies for the private access profile if needed.
Let's Test!!!
Testing Simulation
The first step is to install the Global Secure Access client on a Windows 10 machine outside your internal network that meets the requirements below.
Download the agent from the Global Secure Access portal.
Run the installation file and sign in with your credentials to connect the agent to the Entra SSE Edge that will be used to access the private resources through RDP.
Verify the connectivity of the agent by right-clicking the agent icon and clicking Client Checker.
Verify that the status shows Yes next to "Magic IP received for Fqdn private.edgediagnostic.globalsecureaccess.microsoft.com" and next to "Private tunneling success."
Open a remote desktop connection on that machine and connect to the remote IP address you defined in the Quick Access Config and click Connect and then Yes.
Bingo!!! We are connected to the private IP address from the device where we installed the Global Secure Access client.
We can check the traffic logs from the Global Secure Access portal by navigating to the Traffic logs blade and filtering on the destination IP that we accessed remotely, "192.168.2.46".
Clicking on one of the logs to open the Activity Details, we can see the destination IP and port accessed with the private traffic type by the [email protected] user.
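As an added example (not from the original post), here is the same log check carried out in Python over a constructed Traffic logs export: it keeps only private-traffic records to the application segment 192.168.2.46:3389, counts allowed RDP connections per user, and flags any user who reached the segment but is not assigned to the Quick Access app. The field names (userPrincipalName, trafficType, destinationIp, destinationPort, action) and all records are assumptions modelled on the Activity Details view; check them against your own export.

```python
import json
from collections import Counter

# Constructed sample records in JSON-lines form. Field names are assumptions
# modelled on the Activity Details view; the real export schema may differ.
SAMPLE_LOGS = """\
{"userPrincipalName": "alice@contoso.com", "trafficType": "private", "destinationIp": "192.168.2.46", "destinationPort": 3389, "action": "allowed"}
{"userPrincipalName": "alice@contoso.com", "trafficType": "private", "destinationIp": "192.168.2.46", "destinationPort": 3389, "action": "allowed"}
{"userPrincipalName": "bob@contoso.com", "trafficType": "private", "destinationIp": "192.168.2.46", "destinationPort": 3389, "action": "allowed"}
{"userPrincipalName": "alice@contoso.com", "trafficType": "internet", "destinationIp": "93.184.216.34", "destinationPort": 443, "action": "allowed"}
{"userPrincipalName": "carol@contoso.com", "trafficType": "private", "destinationIp": "192.168.2.46", "destinationPort": 3389, "action": "blocked"}
{"userPrincipalName": "alice@contoso.com", "trafficType": "private", "destinationIp": "192.168.2.46", "destinationPort": 445, "action": "allowed"}
"""

# Users assigned to the Quick Access enterprise app (constructed set).
ASSIGNED_USERS = {"alice@contoso.com"}

SEGMENT_IP = "192.168.2.46"   # application segment from the Quick Access config
SEGMENT_PORT = 3389           # RDP


def parse_traffic_logs(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def segment_hits(records, ip=SEGMENT_IP, port=SEGMENT_PORT):
    """Records that reached the Quick Access segment over the private traffic type."""
    return [r for r in records
            if r.get("trafficType") == "private"
            and r.get("destinationIp") == ip
            and int(r.get("destinationPort", -1)) == port]


def access_by_user(records, ip=SEGMENT_IP, port=SEGMENT_PORT):
    """Count allowed private connections to the segment per user principal name."""
    return Counter(r["userPrincipalName"] for r in segment_hits(records, ip, port)
                   if r.get("action") == "allowed")


def unexpected_users(records, assigned=ASSIGNED_USERS, ip=SEGMENT_IP, port=SEGMENT_PORT):
    """Users allowed through to the segment who are not assigned to the Quick Access
    app. A non-empty result means the Users and groups assignment deserves review."""
    return {r["userPrincipalName"] for r in segment_hits(records, ip, port)
            if r.get("action") == "allowed"} - set(assigned)


if __name__ == "__main__":
    recs = parse_traffic_logs(SAMPLE_LOGS)
    print(access_by_user(recs))    # Counter({'alice@contoso.com': 2, 'bob@contoso.com': 1})
    print(unexpected_users(recs))  # {'bob@contoso.com'}
```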
Conclusion
Quick Access in Microsoft Entra Private Access is a great capability that gives Entra admins the ability to connect to private apps and private networks without requiring a VPN, and with more granular security than a VPN solution.