Loading...

Explore the key benefits of Microsoft Entra Private Access

Explore the key benefits of Microsoft Entra Private Access

The traditional network security models are becoming increasingly ineffective in a world where remote work and cloud services are the norm. Conventional technologies like VPNs, while popular, offer limited protection in a boundary-less landscape, typically granting users excessive network access and posing significant risks. If compromised, these can lead to unauthorized access and potentially lateral movement within corporate networks, exposing sensitive data and resources. Microsoft Entra Private Access is at the forefront of addressing these challenges by effectively integrating identity and network access controls.

 

Microsoft Entra Private Access

 

In July we announced general availability of Microsoft Entra Suite, which brings together identity and network access controls to secure access to any cloud or on-premises application or resource from any location. We also announced Microsoft’s Security Service Edge (SSE) solution general availability. Microsoft Entra Private Access, a core component of Microsoft’s SSE solution, allows you to replace your VPN with an identity-centric Zero Trust Network Access (ZTNA) solution to securely connect users to any private resource and application without exposing full network access to all resources. It’s built on Zero Trust principles to protect against cyber threats and mitigate lateral movement. Through Microsoft’s global private network, give your users a fast, seamless, edge-accelerated access experience that balances security with productivity.

 

Figure 1: Secure access to all private applications, for users anywhere, with an identity centric ZTNAFigure 1: Secure access to all private applications, for users anywhere, with an identity centric ZTNA

 

Modernize access to private applications

 

Despite the cloud’s growing dominance, you may still rely on on-premises infrastructure and use legacy VPNs to enable your remote workforce. Legacy VPNs typically grant excessive access to the entire network by making the remote user’s device part of your network.

 

Figure 2: Legacy VPNs typically grant excessive access to the entire networkFigure 2: Legacy VPNs typically grant excessive access to the entire network

 

Microsoft Entra Private Access helps you easily start retiring your legacy VPN and level up to an identity-centric ZTNA solution that helps reduce your attack surface, mitigates lateral threat movement, and removes unnecessary operational complexity for your IT teams. Unlike traditional VPNs, Microsoft Entra Private Access protects access to your network for all your users— whether they are remote or local, and accessing any legacy, custom, modern, or private apps that are on-premises or on any cloud.

 

Figure 3: Replace legacy VPN with an identity centric ZTNA solutionFigure 3: Replace legacy VPN with an identity centric ZTNA solution

 

For example, Microsoft Entra Private Access enhances security for Remote Desktop Protocol (RDP) sessions by enabling access without direct network connectivity. It leverages Conditional Access policies, including multifactor authentication (MFA), to validate both device and user identities. This ensures that only authenticated users with compliant devices can establish an RDP session on your network, providing a secure and seamless remote access experience. By integrating with Microsoft Entra ID, Microsoft Entra Private Access validates access tokens and connects users to the appropriate private server, reinforcing the security posture without the need for traditional VPN solutions.

 

Figure 4 GIF - Take 4.gif

 

Accelerate your journey to Zero Trust with Microsoft Entra Private Access

 

Microsoft Entra Private Access helps you accelerate your journey to ZTNA and meets this need by offering a streamlined approach to help enforce least privilege access to on-premises or private applications, reinforcing the importance of extending Zero Trust principles to any private app(s) or resource(s), regardless of their location — on-premises or any cloud.

 

Figure 5: Accelerate your ZTNA journey with Microsoft Entra Private AccessFigure 5: Accelerate your ZTNA journey with Microsoft Entra Private Access

 

Here, in more detail, are the key capabilities that help you move from legacy VPNs to ZTNA:

 

QuickAccess policy simplifies transitioning from legacy VPNs to easily onboard with Microsoft Entra Private Access. It allows you to create network segments that can include multiple apps and resources.

 

Figure 6: Fast and easy migration from legacy VPNs with Quick Access policyFigure 6: Fast and easy migration from legacy VPNs with Quick Access policy

 

Over time, Private Application Discovery enables you to discover all your private apps, onboard them to enable segmented access, and simplify enabling the creation of Conditional Access policies for groups of apps based on business impact levels.

 

Figure 7: Automatic private application discovery and onboardingFigure 7: Automatic private application discovery and onboarding

 

Enforce Conditional Access across all private resources

 

To enhance your security posture and minimize the attack surface, it’s crucial to implement robust Conditional Access controls, such as MFA (biometric and/or phish resistant), across all private resources and applications including legacy or proprietary applications that may not support modern identity.

 

The familiar Conditional Access policies used today can now be extended to all private apps, including legacy apps and non-web resources, such as RDP, SSH, SMB, SAP, or any other TCP- or UDP-based private application, resource, or network endpoint.

 

Figure 8: Enforce Conditional Access across all private resourcesFigure 8: Enforce Conditional Access across all private resources

 

Conditional Access is applied to every network flow, ensuring comprehensive security coverage across all your private apps and resources—including MFA, location-based security, advanced segmentation, and adaptive least-privilege access policies—without making any changes to your apps or resources.

 

Figure 9 GIF - Under 5MB.gif

 

Deliver seamless access to private apps and resources with single sign-on

 

Single sign-on (SSO) simplifies the user experience by eliminating the need to sign in to each private application individually. By enabling SSO, users gain seamless access to all necessary private applications, whether located on-premises or across various clouds, without the need for repeated authentication or modifications to existing apps.

 

Microsoft Entra Private Access further streamlines this process by providing SSO for on-premises resources, utilizing Kerberos for secure, ticket-based authentication. For an even more integrated experience, you can opt to implement Windows Hello for Business with cloud Kerberos trust, offering a modern, passwordless sign-on option for users. This cohesive approach to SSO, supported by Microsoft Entra Private Access, ensures a secure and efficient access management system for private resources across the enterprise landscape.

 

Deploy across various platforms, ports, and protocols

 

Enable secure connectivity to private resources from Windows and Android, with support for iOS and MacOS coming later this year, and Linux support to follow. This service spans all operating systems and accommodates any port and protocol, including SMB, RDP, FTP, SSH, SAP, printing, and all other TCP/UDP-based protocols. For security teams already using an Application Proxy, you can seamlessly and confidently transition to Microsoft Entra Private Access knowing that all existing use cases and access to existing private web applications will keep working with no disruption.

 

Figure 10 GIF - Take 1.gif

 

Securing just-in-time access to sensitive resources

 

Microsoft Entra Private Access tightly integrated with Privileged Identity Management (PIM), a service within Microsoft Entra ID Governance, helps you secure just-in-time access to private resources for privileged users. This integration ensures that privileged access is granted only when necessary, aligning with the Zero Trust principle of least privilege access. It allows for the enforcement of robust Conditional Access controls such as MFA, to ensure that only eligible and validated users can access sensitive resources. This approach not only enhances security but also supports compliance and auditing requirements by providing detailed tracking and logging of privileged access requests.

 

Secure access to Azure managed services with Microsoft Entra Private Access

 

Azure offers many managed services, such as Azure SQL, Azure Storage, and Azure ML, among others. Microsoft Entra Private Access ensures a secure, private connection to Azure services while enforcing security policies and posture during access, allowing you enforce Conditional Access controls such as MFA and IP-based access controls. With comprehensive enforcement of identity and network access controls, Microsoft Entra Private Access ensures that managed services are accessed securely. Here are two key scenarios:

 

  • Secure Azure managed services access: Typically, Azure services are accessed over the internet. However, for security reasons, it’s preferable to keep the traffic between users or applications and Azure services private, avoiding exposure to the internet. This can be achieved through Microsoft Entra Private Access, where services like Azure Storage can be connected to a virtual network (vNet) using Private Link. This ensures that all traffic remains private, while additional identity and network access controls are enforced.

Figure 11: Enable secure access to Azure Storage with Private Access through Private LinkFigure 11: Enable secure access to Azure Storage with Private Access through Private Link

 

  • Service endpoint for controlled access: In contrast to Private Link, the service endpoint method does not integrate services into a vNet. Instead, it restricts incoming traffic to connections from specified connector IP addresses through Microsoft Entra Private Access. This approach helps secure access to Azure services by permitting access solely through an approved path, where additional security measures like MFA and device posture can be enforced.

Figure 12: Ensures a single, secure path to the Azure managed services through Microsoft Entra Private AccessFigure 12: Ensures a single, secure path to the Azure managed services through Microsoft Entra Private Access

 

Simplify Microsoft Entra private network connector  deployment for your private workloads

 

In addition to Microsoft Entra admin center, private network connector is now available on Azure Marketplace and AWS Marketplace in preview. This will allow users to easily deploy a virtual machine with a pre-installed Private Access Connector through a streamlined managed model for Azure and AWS Workloads. The Marketplace offerings automate the installation and registration process, simplifying authentication setup, thus enhancing user experience.

 

Figure 13: Microsoft Entra private network connector on Microsoft Azure MarketplaceFigure 13: Microsoft Entra private network connector on Microsoft Azure Marketplace

 

Figure 14: Microsoft Entra private network connector on AWS MarketplaceFigure 14: Microsoft Entra private network connector on AWS Marketplace

 

The Microsoft Entra private network connector is a required software component to enable Microsoft Entra Private Access. It sits alongside customers’ private applications in customer network and is designed to provide secure and convenient access to them from any device and location. It acts as a bridge between Microsoft’s SSE edge and application servers, facilitating the authentication, authorization, and encryption of traffic.

 

Enable edge accelerated Zero Trust private domain name resolution

 

Microsoft Entra Private Access enhances your organization’s domain name resolution (DNS) capabilities and simplifies the process of accessing IP-based app segments and private resources using FQDNs, allowing your users to access private resources with single label names or hostnames without complex configurations. With accelerated DNS at Microsoft’s SSE edge , DNS responses are cached, leading to significantly faster resolution times and enhanced performance. Moreover, the integration of DNS with Conditional Access adds an extra layer of identity-centric security controls, allowing for more granular control over access to private resources.

 

For instance, with Private DNS support, you can provide your domain suffixes to simplify Zero Trust access to private apps using FQDNs, streamlining the connection process to internal resources, while using your existing DNS deployments. This is particularly beneficial in scenarios where your users need to seamlessly access private resources without the need for VPNs or domain-joined devices, while offering a more secure and efficient way to manage access.

 

Simplify access and improve end user experience at a global scale

 

Enhance user productivity by leveraging Microsoft’s vast global edge presence, providing fast and easy access to private apps and resources—located on-premises, on private data centers, and across any cloud. Users benefit from optimized traffic routing through the closest worldwide Point of Presence (PoP), reducing latency for a consistently swift hybrid work experience.

 

Deploy side-by-side with third-party network access solutions

 

A distinctive feature of Microsoft’s SSE solution is its built-in compatibility with third-party network access solutions where it allows you only acquire the traffic you need to send to Microsoft’s SSE edges. Leverage Microsoft and third-party network access solutions in a unified environment to harness a robust set of capabilities from both solutions to accelerate your Zero Trust journey. The flexible deployment options by Microsoft’s SSE solution empowers you with enhanced security and seamless connectivity for optimal user experience.

 

Conclusion

 

Simplifying and securing access for your hybrid workforce is crucial in a landscape where traditional boundaries have dissolved. Enforcing least-privilege access and minimizing reliance on legacy tools like VPNs are essential steps in reducing risk and mitigating sophisticated cyberattacks.

 

Microsoft Entra Private Access helps you secure access to all your private apps and resources for users anywhere with an identity-centric ZTNA solution. It allows you to replace your legacy VPN with ZTNA to securely connect users to any private resource and application without exposing full network access to all resources.

 

The unified approach across identity and network access within Microsoft’s SSE solution signifies a new era of network security. This approach ensures that only authorized users are authenticated, and their devices are compliant before accessing private resources.

 

Learn More

 

To get started, begin a trial to explore Microsoft Entra Private Access general availability. You can also sign up for an Entra suite trial, which includes Microsoft Entra Private Access. For further help contact a Microsoft sales representative and share your feedback to help us make this solution even better.

 

Ashish Jain, Principal Group Product Manager

Abdi Saeedabadi, Senior Product Marketing Manager

 

Read more on this topic

 

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

Published on:

Learn more
Azure Active Directory Identity Blog articles
Azure Active Directory Identity Blog articles

Azure Active Directory Identity Blog articles

Share post:

Related posts

Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy