Secure Access to On-premises Apps with Microsoft Entra Suite

Day 3 of the Microsoft Entra Suite camp highlights how the Entra suite modernizes access to on-premises resources by replacing traditional VPNs. It also explains how application discovery enables seamless Zero Trust access to private resources, along with a brief on risk-based Conditional Access.

If you want a quick recap of what the bootcamp has covered, check it out here:
Day 1: Unify access with Microsoft Entra Suite
Day 2: Ensure least privilege with Microsoft Entra Suite
Day 4: Detect shadow AI usage and protect Internet access with Entra Suite

Let’s dive into Day 3 now.

Starting with the basics,

At the heart of secure access in Microsoft Entra Suite lies Global Secure Access, a solution built on Zero Trust principles. It includes two core services:

• Microsoft Entra Private Access – for secure access to private resources

• Microsoft Entra Internet Access – for protecting access to public resources

These two services work together to create a centralized access control hub, managing all access based on identity, device health, and real-time risk.

In this session, the bootcamp focused on Microsoft Entra Private Access, a modern alternative to VPNs.

Many organizations continue to rely on traditional VPNs and legacy access methods to connect users to on-premises resources. However, VPNs are inherently risky. They expose the network, provide overly broad access, lack visibility and fine-grained controls. To close these gaps, Microsoft Entra Private Access comes in.

Microsoft Entra Private Access is a modern, VPN-less solution that enables users to securely access on-premises resources – whether users are working from home, traveling, or in the office.

Unlike VPNs that grant access based on network perimeter, Entra Private Access evaluates real-time identity signals, device compliance, and risk levels before allowing access to on-premises resources. This ensures least-privilege access, aligning perfectly with Zero Trust principles.

How It Works?

Let’s say you want to secure access to a remote server by enforcing just-in-time access and applying identity checks. Here’s how Microsoft Entra Private Access enables that:

Step 1: Install the Global Secure Access Client
The user installs the GSA (Global Secure Access) client on their device. This replaces the VPN and securely routes traffic to private resources.

Step 2: Enable Traffic Forwarding
Activate the Private Access profile under Traffic Forwarding Profiles to instruct the GSA client to route private resource traffic through Microsoft’s Secure Access infrastructure.

Step 3: Deploy the Private Network Connector
Install a Private Network Connector in your environment to facilitate remote connectivity to resources.

Step 4: Create Connector Groups
Group your connectors into Connector Groups to manage access across different networks or segments.

Step 5: Configure Quick Access
Define the server you want to protect. This will be automatically registered as Enterprise Applications in Microsoft Entra.

Step 6: Assign Access to Users
Go to the Enterprise Applications section, select the app(server), and assign access to specific users or groups.

Step 7: Enable Just-in-Time Access
Use Microsoft Entra Privileged Identity Management (PIM) to assign just-in-time roles. Users must activate the role to remote access the on-premises server.

Step 8: Apply Conditional Access Policies
You can configure the server (which was created as an entire application in Step 5) as a target resource in the Conditional Access policies and require phishing-resistant MFA.

That’s it! When the user tries to access the resource, their just-in-time access will be verified, and they will be prompted for phishing-resistant MFA. Access to server will be revoked automatically once the access duration expires.

This is just a quick overview of the demo session. We’ve prepared detailed steps to Configure Entra Private Access for your reference.

Bonus: What’s new in Microsoft Entra Access?

Microsoft introduced the ability to configure Entra Private Access for Active Directory DCs. This allows you to provide secure access for on-premises users by enforcing Conditional Access policies for on-premises applications that use Kerberos authentication with the DCs.

Admins can also leverage Application Discovery to automatically detect which applications people use on their corporate network. Once the apps are discovered, admins can bring them under control and set up per-app access, meaning access rules are applied to each app individually. This helps make sure only the right users get access, with the right level of security like MFA or just-in-time access.

Then the session moved towards the risk-based Conditional Access policies.

With risk-based Conditional Access in Entra ID Protection, you can block risky sign-ins in real time using machine learning.

Organizations using risk-based Conditional Access policies remediate user risk 140x faster.

Risk data can also be integrated into SIEM and XDR tools, providing enhanced visibility during threat hunting. Entra ID Protection data also feeds into the ITDR (Identity Threat Detection and Response) dashboard, which correlates signals from critical areas such as Entra ID Protection and Private Access. This hybrid detection helps security teams identify vulnerabilities early before they become threats.

That’s a wrap on Day 3 of the Entra Suite Camp! Let’s see what the final day of the bootcamp has in store for us—stay tuned!