Summary of Deep Dive on Microsoft Entra Private Access

This video provides an in-depth exploration of Microsoft Entra Private Access (EPA), focusing on its role in secure, zero trust network access for non-web applications and how it integrates with Microsoft Entra’s identity and conditional access ecosystem.

Key Technological Concepts and Features

  1. Identity as Perimeter & Entra Ecosystem
    • Entra serves as the central identity and access control platform for various applications (Microsoft 365, Azure, Dynamics, third-party SaaS).
    • Supports federation via OpenID Connect, OAuth, and SAML for cloud apps.
    • For on-premises web apps, Entra App Proxy enables secure pre-authentication and conditional access.
  2. Challenges with Traditional VPNs and Network Access
    • Traditional VPNs provide broad network-level access (tunnel), which conflicts with zero trust principles (least privilege, assume breach).
    • VPNs give users free rein over the network once connected, increasing risk if a device is compromised.
  3. Zero Trust Network Access (ZTNA) via Secure Access Service Edge (SASE)
    • Microsoft Entra Private Access is part of the SASE model providing secure, granular, conditional access to private TCP/UDP applications (RDP, SSH, SMB, FTP, printers, UDP streaming, etc.).
    • Eliminates broad network tunnels; all access is validated explicitly per request with conditional access policies.
    • Uses a global network of over 170 Microsoft Edge sites and 70 Azure regions for high performance and low latency.
  4. Global Secure Access (GSA) Client
    • A single, unified client installed on endpoints to handle both Entra Internet Access and Private Access.
    • Establishes secure gRPC (over HTTP/2) tunnels to the Entra Edge service, never directly to internal networks.
    • Enforces conditional access policies on every connection attempt (user/device health, MFA, risk level, etc.).
    • Supports Windows, macOS, iOS, Android, and can be deployed via standard enterprise management tools.
  5. Connectors in Private Network
    • Connectors replace traditional App Proxy agents, deployed on Windows Server machines inside private networks.
    • They establish outbound connections to Entra Edge, enabling secure connectivity to internal resources.
    • Support both web and non-web applications and allow grouping for load balancing and prioritization.
  6. Application Segmentation and Granular Access Control
    • Applications are defined as Enterprise Applications in Entra with specific IP ranges, FQDNs, ports, and protocols (TCP/UDP).
    • No overlapping IP ranges allowed to avoid conflicts.
    • Conditional access policies are applied per application, enabling fine-grained control over who can access what, under what conditions.
  7. Quick Access Configuration
    • Provides a more general access configuration for common protocols/ports (e.g., RDP, SMB, SSH) without defining each app individually.
    • Still appears as an Enterprise Application and supports conditional access policies.
  8. DNS Handling and Private DNS
    • The GSA client supports private DNS resolution for internal domains without requiring the client itself to resolve DNS.
    • Connectors handle DNS queries to internal DNS servers.
    • Uses a special DNS suffix based on the application ID (GUID) appended to queries to route DNS requests through the Entra Edge and connector infrastructure.
    • Includes a DNS caching service at the Entra Edge to reduce load on Connectors and internal DNS, improving performance for multiple users in the same geographic region.
    • Supports single-label and fully qualified domain names transparently for end users.
  9. Monitoring and Diagnostics
    • The GSA client includes an advanced diagnostics UI showing client version, tunneling status, tokens, forwarding profiles, and traffic logs.
    • Admins can monitor private access traffic, connection details, and enforce policies through the Entra portal.
  10. User Experience and Security Benefits
    • Users get seamless access to private TCP/UDP apps with strong security enforced transparently.
    • Conditional access ensures strong authentication, device health checks, and risk-based policies on every connection.
    • Eliminates broad network tunnels, reducing attack surface and risk of lateral movement.
    • DNS caching and edge presence enhance performance and reduce infrastructure load.
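The segment-overlap rule from item 6 is the kind of thing worth checking before a batch of application segments is provisioned. The following Python check is an added example, not code from the video or from Microsoft's tooling: it runs over a constructed list of segments whose field names are my own (not the Entra schema), and it assumes that a conflict means two segments of the same protocol whose destinations overlap on an overlapping port range.

```python
import ipaddress
from itertools import combinations

# Constructed sample of application segments (field names are assumed,
# not the Entra or Graph schema). "dest" is a CIDR range or an FQDN.
SEGMENTS = [
    {"app": "Finance-RDP", "dest": "10.10.0.0/24", "ports": "3389", "proto": "tcp"},
    {"app": "Finance-SMB", "dest": "10.10.0.0/24", "ports": "445", "proto": "tcp"},
    {"app": "Ops-SSH", "dest": "10.10.0.0/16", "ports": "22", "proto": "tcp"},
    {"app": "Ops-SSH-dup", "dest": "10.10.0.5/32", "ports": "22", "proto": "tcp"},
    {"app": "Printers", "dest": "print.corp.example", "ports": "9100", "proto": "tcp"},
]


def parse_ports(spec):
    """Parse "22" or "3000-4000" into an inclusive (low, high) tuple."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def ports_overlap(a, b):
    """True when two port ranges share at least one port."""
    (alo, ahi), (blo, bhi) = parse_ports(a), parse_ports(b)
    return alo <= bhi and blo <= ahi


def dest_overlap(a, b):
    """IP ranges overlap if their networks intersect; FQDNs only if identical."""
    try:
        na = ipaddress.ip_network(a, strict=False)
        nb = ipaddress.ip_network(b, strict=False)
    except ValueError:
        return a.lower() == b.lower()
    return na.overlaps(nb)


def find_conflicts(segments):
    """Return (app, app) pairs whose segments would conflict under the assumed rule."""
    conflicts = []
    for s, t in combinations(segments, 2):
        if (s["proto"] == t["proto"]
                and dest_overlap(s["dest"], t["dest"])
                and ports_overlap(s["ports"], t["ports"])):
            conflicts.append((s["app"], t["app"]))
    return conflicts


if __name__ == "__main__":
    for left, right in find_conflicts(SEGMENTS):
        print(f"conflict: {left} overlaps {right}")  # prints: conflict: Ops-SSH overlaps Ops-SSH-dup
```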
