Microsoft Entra Private Access Step by Step Tutorial and Demo using Zero Trust

  • Published: 7 Sep 2024

Comments • 52

  • @mosksky
    @mosksky 10 months ago

    Amazing demo!!! So really, this way I don't even need to provision Azure Bastion as I can remote in to my hosts! TY Ed, really awesome!

    • @CloudInspired
      @CloudInspired  10 months ago

      Thanks for your comment Len. Yes, total game changer!

  • @rapiddl
    @rapiddl 10 months ago

    Love the way you explained Zero Trust.

    • @CloudInspired
      @CloudInspired  10 months ago

      Thanks and glad it was helpful!

  • @er.kirpalkaushal6850
    @er.kirpalkaushal6850 5 months ago

    Wonderful demonstration

  • @RobFahndrich1
    @RobFahndrich1 8 months ago +2

    This is awesome. One thing that I am confused about is how an FQDN works. What forces your DNS lookups to use one of your on-prem DNS servers?
    I set this up so that I could access one of my SQL servers and it works great if I have the IP address. If I try to use the FQDN it fails because the FQDN cannot be resolved. Thoughts on this one?

    • @CloudInspired
      @CloudInspired  8 months ago

      Hi Rob, there's not a lot of Microsoft documentation on DNS with Entra Private Access yet; maybe more will be available once it's out of preview. Your DNS IP config needs to be correct on the client and pointing to your DNS servers. Under Quick Access in the Entra portal you can add in a Private DNS custom suffix. Inside the Entra SSE edge there is a DNS service for name resolution requests, which resolve from the GSA client over the GSA tunnel.

  • @eddylopez955
    @eddylopez955 10 months ago

    You are simply the best! ❤

  • @hapskie
    @hapskie 8 months ago +1

    Private Access looks amazing. Still have some questions, hope you can answer:
    - As it requires the same license (P1) and can also give users access to on-premises web-based applications, is there still a valid use case for using Application Proxy? I guess you'd still need App Proxy to give access to on-premises web-based resources from non-Azure-joined devices, or devices without the GSA client?
    - Does this also work from Azure joined devices that use WHfB, so passwordless login, giving SSO to on-premises applications without the use of WHfB Cloud Kerberos Trust?

    • @CloudInspired
      @CloudInspired  8 months ago +1

      Yes, Entra Private Access is an amazing quick solution without the complexity of a VPN!
      There is still a valid requirement for Application Proxy to secure remote access to on-premises web applications' external URL or an internal application portal, as you state, if not using Microsoft Entra joined or Microsoft Entra hybrid joined devices or the GSA client. Windows Hello for Business Entra joined devices authenticate to Microsoft Entra ID during sign-in, and when the GSA client runs, users are prompted to sign in with their Microsoft Entra credentials if not already authenticated.

  • @fatihtozlu
    @fatihtozlu 10 months ago

    Great demo. Thanks 👍
    Some remarks:
    1. MDM (such as Intune) managed devices could also be included and not only domain joined ones.
    2. MS Entra App Proxy connector requires Win 2012 or later; can it be used on any VM? For example in AWS or GCP? It would be great to have, for example, a “ready to use connector” available in marketplaces.

    • @CloudInspired
      @CloudInspired  10 months ago +1

      Hi, thanks for your comment.
      1. Devices have to be Microsoft Entra joined or Microsoft Entra hybrid joined. Microsoft Entra registered devices are not supported at this time.
      2. MS Entra App Proxy connector requires Windows Server 2012 R2 or later, and yes, it can be installed in any environment such as AWS or GCP as long as that server has outgoing internet access on port 443 for the proxy.

    • @user-sc7iw6nu8o
      @user-sc7iw6nu8o 9 months ago

      Sweet! @CloudInspired so if I deploy a Windows Server and install the App Proxy Connector there, I can provide access to resources on AWS (web apps/RDP/SSH)?

    • @CloudInspired
      @CloudInspired  9 months ago

      Hi Kshitij, yes that's correct! The App Proxy connector can be installed anywhere (including an AWS Windows VM), as long as it's located in the same network as the services you are trying to access. Then you would open up ports for access (Web/RDP/SSH etc.) to enable a secure connection to the required services. Implementing and configuring a complex VPN connection is now a thing of the past, saving time and money!

  • @alexis3402
    @alexis3402 2 months ago

    Hi, thanks for the tutorial 👌
    Everything is OK except the Global Secure Access client; I have several warnings such as "disabled by your organization" and "breakglass mode disabled".
    Could you help me? Thanks!

    • @CloudInspired
      @CloudInspired  2 months ago

      Hi Alexis, thanks for your comment. The preview requires a Microsoft Entra ID P1 license, and administrators who interact with Global Secure Access preview features must have the Global Secure Access Administrator role. Check out the prerequisites here: learn.microsoft.com/en-us/entra/global-secure-access/how-to-get-started-with-global-secure-access. Also, how to set up the connector server: learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-private-access#deploy-and-test-microsoft-entra-private-access
      Anything in the Global Secure Access client logs?
      Troubleshoot issues in the Global Secure Access client for Windows
      learn.microsoft.com/en-us/troubleshoot/azure/entra/global-secure-access/troubleshoot-global-secure-access-client-windows-issues

  • @vish9870
    @vish9870 7 months ago +1

    Hi, a very informative demo. But I am unable to reach an ADDS-configured Azure file share from Private Access, as users are unable to authenticate with the DC. Please suggest how we can resolve this? Thanks.

    • @CloudInspired
      @CloudInspired  7 months ago

      Hi Vishnu, thanks for your comment. Authentication to domain controllers for Kerberos ports 445, 135, 88 and DNS 53 should work as long as your DNS IP config is correct on the client and pointing to your DNS servers. Under Quick Access in the Entra portal you can add in a Private DNS custom suffix. Inside the Entra SSE edge there is a DNS service for name resolution requests, which resolve from the GSA client over the GSA tunnel.

    • @vish9870
      @vish9870 7 months ago

      @CloudInspired Hi, thanks for your response. As you suggested, I added the local DC server name and IP in Quick Access, but authentication is still not happening to reach file shares.

    • @CloudInspired
      @CloudInspired  7 months ago

      Hi Vishnu, any traffic logs on the client or portal which show issues? Just to note, Hello for Business and passwordless are not supported at this time as Entra Private Access is in preview. Entra ID joined devices and Windows Hello for Business enabled devices must be logged into via the end-user's username and password to gain seamless access.

    • @vish9870
      @vish9870 7 months ago

      @CloudInspired While accessing the file share I am getting "The system cannot contact a domain controller to service the authentication request. Please try again later."

  • @ajithm1138
    @ajithm1138 1 month ago

    Hi, thanks for your video. Could you post about corporate users' VPN connection through MS Entra?

    • @CloudInspired
      @CloudInspired  1 month ago

      Hi Ajith, do you mean use an existing VPN connection? I don't think that is possible at this time.

  • @giorgiomaiorano5281
    @giorgiomaiorano5281 2 months ago

    Fantastic explanation. I would just like to ask if for Microsoft Entra Private Access I need some particular license. I have Microsoft 365 E5, thanks in advance.

    • @CloudInspired
      @CloudInspired  2 months ago +1

      Hi Giorgio, thanks! The preview requires a Microsoft Entra ID P1 license.
      To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended.
      An E5 license will cover all the above. Microsoft licensing requirements might change after general availability.

    • @giorgiomaiorano5281
      @giorgiomaiorano5281 2 days ago

      @CloudInspired Hi! Thanks for the answer! I have unlocked the Microsoft Entra Suite trial to test it. Now I have a problem: "Global Secure Access Client - disabled by your organization". I don't understand why the client doesn't function.

    • @giorgiomaiorano5281
      @giorgiomaiorano5281 2 days ago

      @CloudInspired I have configured the agent on 2 servers for redundancy, and after that I have configured the "same" configuration as in your demo. I have installed the client on my Azure AD joined device but I have the alert "Global Secure Access Client - disabled by your organization" and I can't do anything. Can you help me? :/

  • @mattcauthen
    @mattcauthen 8 months ago +1

    We’ve had a lot of issues with authentication over Private Access preview, specifically with file shares / SMB and Kerberos. Any advice on this?

    • @CloudInspired
      @CloudInspired  8 months ago +1

      Hi, can you confirm the prerequisites have been met?
      Specifically, devices must be either Microsoft Entra joined or Microsoft Entra hybrid joined:
      learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client#prerequisites

    • @mattcauthen
      @mattcauthen 8 months ago

      @CloudInspired Sorry, I should've clarified our issue better. We use Windows Hello for Business to adopt a passwordless strategy. Since our client machines are not passing credentials and are only using PIN/biometrics, it seems this is where we run into the issue. We're not exactly sure how to get around this. If we're on the corporate network and get a Kerberos ticket from a DC, we can then leave the network and use the Private Access client and can connect to authenticated resources (like SMB) without issue, but when the ticket expires, we are unable to use that resource again when we use our WHfB/PIN codes to log in to machines.

    • @CloudInspired
      @CloudInspired  8 months ago +1

      Hi Matt, thanks for clarifying. Looks like Hello for Business and passwordless are not supported at this time as Entra Private Access is in preview. Entra ID joined devices and Windows Hello for Business enabled devices must be logged into via the end-user's username and password to gain seamless access. Let's hope this is something Microsoft adds and supports once out of preview!

  • @cyphernz
    @cyphernz 10 months ago +1

    Can the GSA client auto connect? I.e. always on.

    • @CloudInspired
      @CloudInspired  10 months ago +1

      Yes, after a user signs in the Global Access Client will auto connect, showing a connected state.

  • @andersontapetti8420
    @andersontapetti8420 10 months ago

    Did test in our environment and this is awesome!
    Just one question: with Azure joined computers, is there a way to skip RDP from asking for MFA? Is this related to condition?

    • @CloudInspired
      @CloudInspired  10 months ago +1

      Thanks Anderson, yes, it can be controlled via Conditional Access targeting the app.

  • @fbifido2
    @fbifido2 5 months ago

    Setup concept:
    We have Azure Entra-AD & 100 Microsoft 365 Business Premium:
    - in Azure IaaS, we have 2 Windows Server 2022 Azure Entra-AD joined, running file server, and an Azure NAT-GW for them to get internet & Windows Update.
    - on-prem we also have 2 Windows Server 2022 Azure Entra-AD joined, running print server, and a hardware firewall for internet access, DHCP, DNS.
    - on-prem we have 80 Windows 10 Pro desktops that are Azure Entra-AD joined.
    Note: we don't have Active Directory on-prem, nor Azure Entra Active Directory Domain Services in Azure.
    Can we use Microsoft Entra Private Access to allow the 80 clients to access the 2 file servers in Azure IaaS without a VPN?

    • @CloudInspired
      @CloudInspired  5 months ago

      Hi, the Windows 10 Azure Entra-AD joined devices can use Entra Private Access to connect to file servers in Azure.
      The MS Entra App Proxy connector is required to be installed on a server in the network which requires access, i.e. on the Azure VNet where the file servers are located.
      The App Proxy server requires outgoing internet access on port 443 for the proxy.
      You would need to publish the required ports in Entra Private Access, i.e. SMB for file sharing and any others required. The preview requires a Microsoft Entra ID P1 license.

  • @MrMarcLaflamme
    @MrMarcLaflamme 8 months ago

    So does ALL traffic end up flowing through the proxy? Or is this for authentication only? Don't really understand how the network flow works. Also, you added two different endpoints to the same Enterprise App (RDP to DC). Is this the recommended way of doing it?

    • @CloudInspired
      @CloudInspired  8 months ago +1

      Hi Marc. The Global Secure Access Client is installed on Windows endpoints. These clients will connect to an Application Proxy installed on a Windows Server to enable all traffic to be tunnelled to the Private Access destinations and protocols which are published. Therefore we can secure access to all private apps, resources and protocols from endpoints using a zero trust model. The demo shows an example of how you can add different IP address endpoints and protocols to the same app, or you can configure multiple apps to split up each protocol or IP endpoint.

  • @regipradeeswaran8374
    @regipradeeswaran8374 10 months ago

    Brilliant demo. Looks like this may replace my Zscaler Private Access setup. Any Azure licencing requirements? Will this work on domain joined laptops and not Azure joined? Also support for Macs in the future? I think with this I can replace the legacy VPN to HQ hopefully 👍🙏

    • @regipradeeswaran8374
      @regipradeeswaran8374 10 months ago

      Looks like we need a Microsoft Entra ID P1 license.

    • @CloudInspired
      @CloudInspired  10 months ago

      Thanks Regi for your comment! Entra Private Access is currently in preview and currently the Global Secure Access Client is supported on 64-bit versions of Windows 10 or Windows 11. I expect that in the future other client OSes will be supported. Devices have to be Microsoft Entra joined or Microsoft Entra hybrid joined. Microsoft Entra registered devices are not supported at this time. Yes, this is a good option to consider for replacing the legacy VPN, with all the benefits of Zero Trust and of course Entra Internet Access with Microsoft 365 protecting against malicious internet traffic.

    • @CloudInspired
      @CloudInspired  10 months ago

      Yes, correct, the preview requires a Microsoft Entra ID P1 license. You can try a trial license for 30 days. Prerequisites and links for the license are here: learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client#prerequisites

    • @regipradeeswaran8374
      @regipradeeswaran8374 10 months ago

      I need to allow ports 135, 445, 88 and 53 for DNS for my file share to work. Also, it seems slow, but it's a preview.

    • @CloudInspired
      @CloudInspired  10 months ago

      Hi Regi, those ports should work with Entra Private Access. Interested to know what apps or services you are finding slow?
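The checks suggested in the replies to Vishnu and to Regi above (device join state, 64-bit Windows 10/11, name resolution via the Private DNS suffix, and TCP reachability of ports 88, 135, 445 and 53 on the DC or file server) can be run from the client in one go. This PowerShell script is an added example, not from the video or from Microsoft; the target host name, the DNS suffix and the port list are assumptions to replace with your own values.

```powershell
# Added example, not from the video or Microsoft: checks a Windows endpoint
# against the Private Access prerequisites and ports mentioned in the thread.
# Placeholders (assumptions): replace with your own DC/file server and suffix.
$TargetHost    = 'dc01.corp.example'   # placeholder: DC or file server FQDN
$PrivateSuffix = 'corp.example'        # placeholder: custom DNS suffix from Quick Access
$RequiredPorts = @(88, 135, 445, 53)   # Kerberos, RPC mapper, SMB, DNS (TCP), as in the thread

function Test-GsaDeviceJoin {
    # GSA client needs Microsoft Entra joined or hybrid joined; registered-only is not enough.
    $status       = dsregcmd /status
    $aadJoined    = $null -ne ($status | Select-String 'AzureAdJoined\s*:\s*YES')
    $domainJoined = $null -ne ($status | Select-String 'DomainJoined\s*:\s*YES')
    [pscustomobject]@{
        EntraJoined  = $aadJoined
        HybridJoined = $aadJoined -and $domainJoined
        Supported    = $aadJoined
    }
}

function Test-GsaOsSupport {
    # Client is supported on 64-bit Windows 10 / 11 only.
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Caption   = $os.Caption
        Supported = [Environment]::Is64BitOperatingSystem -and ($os.Caption -match 'Windows 1[01]')
    }
}

function Test-GsaPrivateDns {
    # The FQDN must resolve over the tunnel; working by IP only points at the DNS suffix.
    try {
        Resolve-DnsName -Name $TargetHost -Type A -ErrorAction Stop | Select-Object Name, IPAddress
    } catch {
        Write-Warning "Cannot resolve $TargetHost; check the Private DNS suffix '$PrivateSuffix' under Quick Access"
    }
}

function Test-GsaPublishedPorts {
    # Each published port must be reachable from the client through the GSA tunnel.
    foreach ($port in $RequiredPorts) {
        $r = Test-NetConnection -ComputerName $TargetHost -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; TcpOpen = $r.TcpTestSucceeded }
    }
}

Test-GsaDeviceJoin
Test-GsaOsSupport
Test-GsaPrivateDns
Test-GsaPublishedPorts | Format-Table -AutoSize
```

Run it on the device while the Global Secure Access client shows a connected state; a result of EntraJoined False on a device that is only Entra registered is the unsupported case the replies describe, and a closed port with a resolving name points at a missing published port rather than DNS.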