
What is Microsoft Entra Private Access?

UPDATE 18.10.2024


One of my favorite features of the Entra Suite is Microsoft Entra Private Access, which is designed to provide secure, identity-centric access to private applications and resources. It is built for Zero Trust Network Access (ZTNA): access to private apps and resources is meant to be both secure and efficient. It integrates with Conditional Access policies, using identity, device, and application signals to assess risk in real time as resources are accessed.

Key Features:

01. Zero Trust Network Access (ZTNA):

    • Identity-Centric Security: Access is granted based on the user’s identity, device state, and real-time risk assessment, aligning with Zero Trust principles.
    • Conditional Access Policies: Provides granular access controls through conditional access policies, ensuring that only authorized users can access private resources, including private apps within your corporate network or in the cloud.

02. Adaptive Access Controls:

    • Dynamic Access Management: Adapts access controls based on user behavior, location, device health, and risk level. This ensures that access decisions are always context-aware and security-focused.
    • Seamless User Experience: Provides a consistent and secure access experience for users, regardless of their location or device, by using adaptive authentication mechanisms.

03. Integration with Microsoft Entra ID:

    • Unified Management: Integrates with Microsoft Entra ID (formerly Azure AD) to provide a unified approach to identity and access management, simplifying administration and enhancing security for all private resources, including private applications.
    • Simplified Deployment: Leveraging existing infrastructure to deploy Entra Private Access without significant changes to current systems, facilitating easier adoption.

How It Works: A Detailed Scenario

01. Initial Setup and Deployment

      • Global Secure Access Client: Each remote employee gets the Global Secure Access client installed on their managed device. The client checks that the device meets compliance requirements before it is allowed onto the private network.
      • Private Network Connector: A private network connector is installed within the company's local network. This connector handles traffic using outbound connections only, establishing a secure link between remote users and the private applications and resources.

02. Adaptive Security in Action

      • Real-Time Risk Assessment: As remote employees attempt to access private resources, Microsoft Entra Private Access evaluates their identity, device state, location, and other contextual factors. For instance, if an employee tries to log in from a new device or an unfamiliar location, the system flags this attempt as high-risk.
      • Conditional Access Policies: Based on the real-time risk assessment, conditional access policies are enforced. If a high-risk scenario is detected, the employee might be required to pass additional security checks, such as multi-factor authentication (MFA) or verification through biometric data. (If the conditional access policies are properly and accordingly configured.)
      • Dynamic Adjustments: Access permissions are dynamically adjusted according to the risk level. For example, if an employee's device is not compliant with the latest security patches, their access may be restricted to read-only until the device meets compliance standards.

03. Secure Access Without VPNs

      • Direct Secure Access: Employees can directly access on-premises applications and resources without using traditional VPNs. This reduces latency and improves performance, providing a seamless user experience.
      • Blocking Lateral Movement: By utilizing identity-centric policies, Microsoft Entra Private Access blocks lateral movement within the network. This means if an unauthorized access attempt is made, it is contained and does not spread to other parts of the network.

04. Operational Efficiency and Monitoring

      • Simplified Management: IT administrators at XYZ Company use the unified dashboard provided by Microsoft Entra to monitor access attempts and enforce policies. The integration with Microsoft Entra ID allows for seamless management of user identities and access controls.
      • Continuous Monitoring: The system continuously monitors for suspicious activity and raises real-time alerts to administrators, allowing a swift response to potential security incidents.

Pros

01. Zero Trust Security: Built on Zero Trust principles, Private Access verifies every user and enforces least-privilege access, giving users access only to the applications and resources they need, ensuring high-level security.

02. Seamless Transition from Application Proxy: Expands upon the capabilities of Entra ID Application Proxy, allowing an easy and disruption-free transition while still supporting all existing use cases.

03. Granular Conditional Access: You can create and enforce per-application, least-privilege access controls based on granular Conditional Access policies enriched with user, device, and location context. This also allows for session termination based on anomalies, such as “impossible travel.”

04. Universal Application Support: Enables secure access to any on-premises or cloud-based application across any port or protocol (RDP, SSH, SMB, FTP, etc.), including legacy applications using Kerberos or NTLM, without requiring changes to the applications themselves.

05. Faster Access Compared to VPNs: By leveraging Microsoft’s global network, Private Access provides faster and more secure access to private applications, especially benefiting hybrid or remote workers by reducing the reliance on traditional VPNs.

06. Quick Migration from Legacy VPNs: The Quick Access feature simplifies the migration from legacy VPNs, allowing fast configuration of broad private IP ranges and domain names for identity-centric, Zero-Trust access to private resources.

07. Enhanced Security for Legacy Applications: Integrates modern security controls, including Conditional Access and MFA, for legacy applications using old protocols like Kerberos and NTLM, enhancing the security of even older systems.

08. Automatic Application Discovery and Onboarding: Simplifies onboarding private applications—whether hosted on-premises or in the cloud—and allows grouping and policy assignment for enhanced control.

09. Granular Segmented Access: Unlike VPNs that grant access to entire networks, Private Access allows for granular segmented access to specific applications or groups based on user, device, or endpoint processes, minimizing the attack surface.

10. Intelligent Local Access: Ensures consistent security whether users are accessing applications remotely or on-premises. Local traffic remains within the corporate network, with policies like MFA still enforced.

Cons

01. If administrators set up web filtering to protect users and their organizations, a user can easily bypass this by pausing the client.

Microsoft knows about this issue. Since some businesses need to allow pausing the client, they kept this feature. Here’s how they plan to improve it:

  • Administrators will be able to prevent non-admin users from disabling the client, giving them control over this feature.
  • If administrators allow non-admin users to disable the client, users will need to re-authenticate and provide a business reason, which will be recorded in an audit event before they can disable it.

02. At the moment there's no way to automatically disable the client when a user brings their laptop into a corporate office and uses the local LAN. Traffic still goes through Microsoft's backbone, but it could be faster using on-premises infrastructure. There is no logic to detect this situation, and administrators don’t have the option to set it.

03. There is no MSI version of the Global Secure Access client, which would make it easier to roll out through Windows Autopilot. It is, however, possible to use Intune to deploy the GSA client after Windows Autopilot provisioning. An MSI is on Microsoft's roadmap.

Insights

If you're planning to publish an entire CIDR range, make sure to exclude Port 53. Port 53 carries DNS, so tunneling every DNS request through the private access channel could result in losing internet access. Instead of covering the entire port range, specify Ports 0 to 52 and 54 to 65,535.

This is an important issue for those of you using hybrid-joined devices. There's a bug in Windows that you should be aware of, especially if you have a Group Policy Object (GPO) that pushes the registry keys listed below.

The problem is that if these registry keys exist, even if they are empty, Windows ignores the NRPT (Name Resolution Policy Table). The NRPT is crucial for how private DNS works: Microsoft adds entries to the NRPT to direct DNS queries for specific domains to designated DNS servers, which is what makes private DNS function properly.

If this bug occurs, Kerberos Single Sign-On and private DNS-related functionality may stop working. If you suspect DNS issues, check these keys, find the Group Policy responsible for adding them and remove it. For a permanent solution, Microsoft will need to address this bug.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig
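As an added diagnostic (my own script, not part of the original post or anything Microsoft ships), the following PowerShell checks whether either DnsPolicyConfig key exists on the device and then shows the effective NRPT as the DNS client sees it, so you can confirm the symptom described above before hunting for the GPO. It assumes it is run in an elevated PowerShell session with the built-in DnsClient module available.

```powershell
# Added diagnostic for the NRPT-ignored condition described in the post.
# Run elevated on the affected hybrid-joined device.

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "OK      : $key is absent"
        continue
    }

    # The key existing at all is the trigger, even with nothing beneath it,
    # so report it as suspect regardless of what it contains.
    $subkeys = @(Get-ChildItem -Path $key -ErrorAction SilentlyContinue)
    $values  = @((Get-Item -Path $key).GetValueNames())
    Write-Output ("SUSPECT : {0} exists ({1} subkeys, {2} values)" -f $key, $subkeys.Count, $values.Count)

    # Keys under HKLM:\SOFTWARE\Policies are written by Group Policy, which points
    # at the GPO the post says you need to find and remove.
    if ($key -like 'HKLM:\SOFTWARE\Policies\*') {
        Write-Output '          (policy hive: a GPO is populating this key)'
    }

    foreach ($sk in $subkeys) {
        $names = (Get-Item -Path $sk.PSPath).GetValueNames() -join ', '
        Write-Output ("          subkey {0}: values [{1}]" -f $sk.PSChildName, $names)
    }
}

# Effective NRPT rules. If the Global Secure Access namespaces are missing here
# while a DnsPolicyConfig key exists above, the bug is the likely cause.
$policy = @(Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue)
if ($policy.Count -eq 0) {
    Write-Output 'WARNING : no effective NRPT rules reported by Get-DnsClientNrptPolicy'
} else {
    Write-Output "INFO    : $($policy.Count) effective NRPT rule(s):"
    $policy | Select-Object Namespace, NameServers, DisplayName | Format-Table -AutoSize
}
```

If a key is reported as SUSPECT, use `gpresult /h report.html` on the same device to identify which GPO delivers it; removing the key by hand without fixing the GPO only helps until the next policy refresh.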
