Microsoft Global Secure Access Proof of Concept Guidance - Configure Microsoft Entra Private Access
The Proof of Concept (PoC) guidance in this series of articles helps you to learn, deploy, and test Microsoft Global Secure Access with Microsoft Entra Internet Access, Microsoft Entra Private Access, and the Microsoft traffic profile.
Detailed guidance begins with Introduction to Global Secure Access Proof of Concept Guidance and continues after this article with Configure Microsoft Entra Internet Access.
This article helps you to test Microsoft Entra Private Access and configure at least one private network connector. For detailed guidance, reference How to configure connectors for Microsoft Entra Private Access.
Install Microsoft Entra private network connector
Install and configure the latest version of Microsoft Entra private network connector from the Microsoft Entra admin center.
Configure Microsoft Entra Private Access use cases
Configure and test your use cases. Here are example use cases with specific guidance:
- VPN replacement
- Provide access to specific apps
- Kerberos single sign-on (SSO) to Active Directory (AD) resources
- Protect privileged access with Privileged Identity Management (PIM)
- Use PowerShell to manage Microsoft Entra Private Access
- Protect on-premises resources such as domain controllers (DCs) by enabling multifactor authentication (MFA)
- Coexistence with a partner
VPN replacement
VPN replacement enables you to open Microsoft Entra Private Access for traffic destined to all private network locations for all users. Follow these steps to seamlessly transition from full network access to Zero Trust network access:
- Configure Quick Access for Global Secure Access.
- Configure private domain name server (DNS).
- Manage user and group assignment to an application.
- Apply Conditional Access Policies to Microsoft Entra Private Access apps.
Provide access to specific apps
If your goal is to move to a Zero Trust posture, configure per-app access to all your apps. This scenario can be a daunting undertaking because many companies don't have a full inventory of all IPs and fully qualified domain names (FQDNs) that users access on the private network.
To move to per-app access, configure Global Secure Access applications with app segments that limit access to specific IP addresses, IP ranges, FQDNs, protocols, and ports. You can create these configurations manually or by using tools such as PowerShell and App Discovery. Ensure that your Global Secure Access application includes in its app segments all IPs, ports, and protocols that the application uses.
Note
Any Global Secure Access application whose app segments overlap with Quick Access takes precedence. In other words, Global Secure Access doesn't route any traffic to those destinations over Quick Access. Assign users correctly to your Global Secure Access applications to avoid service disruption. If you need a slower onboarding to a Zero Trust posture, consider moving subsets of IP ranges and ports rather than entire enterprise applications at one time.
These articles provide detailed guidance:
- How to Configure Per-app Access Using Global Secure Access Applications
- Using PowerShell to manage Microsoft Entra Private Access
- Application Discovery (Preview) for Global Secure Access
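The precedence rule in the note above is worth checking before you assign users: any per-app segment that overlaps a Quick Access segment is pulled out of Quick Access routing. The PowerShell below is an added example, not Microsoft's code and not Entra PowerShell output; it compares a planned per-app segment inventory against Quick Access segments and reports the overlaps. The segment shape (DestinationHost, Ports, Protocol) and the sample inventory are constructed assumptions.

```powershell
# Assumes IPv4 CIDR/single-IP or exact-FQDN destinations and "80,443,3389-3390" style port lists.
function ConvertTo-IPv4Range {
    param([string]$Destination)
    if ($Destination -notmatch '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$') { return $null }   # FQDN: no numeric range
    $ip, $prefix = $Destination -split '/'
    if (-not $prefix) { $prefix = '32' }
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                                   # network byte order -> host order
    $addr = [int64][BitConverter]::ToUInt32($bytes, 0)
    $all  = [int64][uint32]::MaxValue                          # avoid the 0xFFFFFFFF literal, which PowerShell reads as -1
    $mask = ($all -shl (32 - [int]$prefix)) -band $all
    $start = $addr -band $mask
    [pscustomobject]@{ Start = $start; End = $start + ($all - $mask) }
}
function ConvertTo-PortRange {
    param([string]$Ports)
    foreach ($p in $Ports -split ',') { $lo, $hi = $p.Trim() -split '-'; if (-not $hi) { $hi = $lo }; [pscustomobject]@{ Lo = [int]$lo; Hi = [int]$hi } }
}
function Test-SegmentOverlap {
    param($A, $B)
    # Segments may carry "TCP", "UDP" or "TCP,UDP"; they only collide if they share a protocol.
    if (-not (($A.Protocol -split ',') | Where-Object { ($B.Protocol -split ',') -contains $_ })) { return $false }
    $ra = ConvertTo-IPv4Range $A.DestinationHost
    $rb = ConvertTo-IPv4Range $B.DestinationHost
    if ($null -eq $ra -or $null -eq $rb) { $hostHit = $A.DestinationHost -eq $B.DestinationHost }   # FQDN: exact (case-insensitive) match
    else { $hostHit = ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End) }                          # IP: address ranges intersect
    if (-not $hostHit) { return $false }
    $hit = foreach ($pa in (ConvertTo-PortRange $A.Ports)) { foreach ($pb in (ConvertTo-PortRange $B.Ports)) { ($pa.Lo -le $pb.Hi) -and ($pb.Lo -le $pa.Hi) } }
    return [bool]($hit -contains $true)
}
function Get-QuickAccessShadowedSegment {
    param($AppSegments, $QuickAccessSegments)
    foreach ($app in $AppSegments) { foreach ($qa in $QuickAccessSegments) {
        if (Test-SegmentOverlap $app $qa) { [pscustomobject]@{ App = $app.App; AppSegment = "$($app.DestinationHost):$($app.Ports)/$($app.Protocol)"; ShadowedBy = "$($qa.DestinationHost):$($qa.Ports)/$($qa.Protocol)" } }
    } }
}
# Constructed sample inventory (not real tenant data). FileShare and Files-DFS overlap Quick Access; Jump does not.
$quickAccess = @(
    [pscustomobject]@{ DestinationHost = '10.0.0.0/8'; Ports = '1-65535'; Protocol = 'TCP,UDP' }
    [pscustomobject]@{ DestinationHost = 'fs01.corp.contoso.com'; Ports = '445'; Protocol = 'TCP' }
)
$perApp = @(
    [pscustomobject]@{ App = 'FileShare'; DestinationHost = '10.10.5.0/24'; Ports = '445'; Protocol = 'TCP' }
    [pscustomobject]@{ App = 'Jump'; DestinationHost = '192.168.7.10'; Ports = '3389'; Protocol = 'TCP' }
    [pscustomobject]@{ App = 'Files-DFS'; DestinationHost = 'fs01.corp.contoso.com'; Ports = '445'; Protocol = 'TCP' }
)
Get-QuickAccessShadowedSegment -AppSegments $perApp -QuickAccessSegments $quickAccess | Format-Table -AutoSize
```

Every segment reported here will be served by its per-app application once users are assigned to it, so those users must be assigned before the Quick Access route stops applying to them.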
Kerberos SSO to AD resources
Microsoft Entra Private Access uses Kerberos to provide SSO for on-premises resources. You can use Windows Hello for Business cloud Kerberos trust to allow SSO for users. You must publish your domain controllers and DNS suffixes in Microsoft Entra Private Access to enable this scenario. For detailed guidance, reference Use Kerberos for single sign-on (SSO) with Microsoft Entra Private Access.
Protect privileged access with PIM
Privileged Identity Management (PIM) allows you to control access to specific critical resources. This feature adds an extra layer of security to enforce just-in-time (JIT) privileged access on top of already secured private access.
To configure Microsoft Entra Private Access to use PIM, configure and assign groups, activate privileged access, and follow compliance guidance. For details, refer to Secure private application access with Privileged Identity Management (PIM) and Global Secure Access.
Use PowerShell to manage Microsoft Entra Private Access
Several Global Secure Access commands are available in the Microsoft Entra PowerShell module. For detailed guidance, refer to Install Microsoft Entra PowerShell.
Protect on-premises resources
To protect on-premises resources such as DCs by enabling MFA, reference Microsoft Entra Private Access for on-premises users.
Coexistence with a partner
When customers deploy a third-party (3P) solution, they might want to use Microsoft Entra Private Access for private application access while using other solutions for internet access. For guidance, reference Partner ecosystem overview.
Troubleshooting
If you run into issues during your PoC, these articles can help you with troubleshooting, logging, and monitoring:
- To aid in troubleshooting, review Global Secure Access FAQ
- Troubleshoot problems installing the Microsoft Entra private network connector
- Troubleshoot the Global Secure Access client: diagnostics
- Troubleshoot the Global Secure Access client: Health check tab
- Troubleshoot Distributed File System issue with Global Secure Access
- See Global Secure Access logs and monitoring for log locations and other details that can assist with monitoring and troubleshooting your Global Secure Access deployment
- How to use workbooks with Global Secure Access
Next steps
- Introduction to Global Secure Access Proof of Concept Guidance
- Configure Microsoft Entra Internet Access
- Introduction to Microsoft Global Secure Access Deployment Guide
- Microsoft Global Secure Access Deployment Guide for Microsoft Entra Private Access
- Microsoft Global Secure Access Deployment Guide for Microsoft Entra Internet Access
- Microsoft Global Secure Access deployment guide for Microsoft Traffic