0:01 In this video we create Global Secure Access applications with different security settings for Entra Private Access.

0:12 Hello everyone, I'm Travis and this is Ciraltos. I'm recording from a temporary but warmer location while I'm on the road. In this video we're going to create Global Secure Access applications for Entra Private Access with different security settings. Before that, please like, subscribe and share with a friend, click the bell icon for notifications of new content, and check out my courses on Azure Virtual Desktop, Windows 365 with Intune management, hybrid identities with Windows AD and Entra ID, and my latest course, a beginner's guide to the AZ-900, available at Udemy.com. Links are below, and thank you channel members, your support is appreciated.

0:47 In the last video we configured Entra Private Access with a connector and the Quick Access application. The Quick Access application is fine for many use cases, but the applications and security settings are shared for all users. With Quick Access we can't force MFA for one group and bypass it for another, or allow access to an application segment for one user but not for another. We're picking up where the last video left off in creating Global Secure Access Enterprise applications. We could use these to provide limited access and apply different conditional access policies per application.

1:22 Something worth pointing out: in the context of Private Access, an application segment refers to each application a user has access to through Private Access and the Global Secure Access app. A Private Access Global Secure Access application refers to an Enterprise application that controls access to one or more application segments. We apply security settings to the Enterprise application, and that applies to all application segments in the Enterprise app.

1:49 The demo coming up will create two Global Secure Access apps. Each will have a different user assigned to the app with different conditional access policies. The examples will show how to configure one application that allows remote access to a server over RDP, and a second that provides access to a Windows file share, each with different user access and conditional access policies. The goal is to demonstrate access to non-web-based applications over Private Access with a Global Secure Access client. Let's jump into the Entra portal to get started.

2:23 Here we are in the Entra portal at entra.microsoft.com. As already stated, if you haven't configured Entra Private Access, check out my previous video that walks through the initial configuration. This video picks up where that one left off.

2:37 Before we start, I have to show one change from the original configuration. When I tested this demo, I ran into an issue with a second user. The Global Secure Access client showed "Global Secure Access disabled by the organization" and the health check showed "break glass mode enabled". This was resolved by going to Traffic forwarding in the Global Secure Access client under Connect, finding the private access rule user and group assignments, and updating this to assign to all users. From there, restart the client VM and wait about 10 minutes. That cleared up the issue.

3:15 Let's move on by updating our connectors. If we go to Connectors under Connect, there's a default connector group. New connectors are added to the default group. I suggest not assigning the default group to any application. There could be an issue if an application on one network uses the default connector and a new connector for a different network is added to the group; it could lead to connectivity issues. The default group acts as a staging area for new connectors. I don't like that we named the group "Quick Access Group" in the last video. A connector group defines a network boundary; we don't need a group for each application. Also, a connector can only be associated to one connector group, but a connector group can be used with multiple applications. For deployments with multiple applications, it makes more sense to give the connector group a name that defines the network it's connected to. Select the connector and we'll update the name, "Network One" for this example. We'll save and close that, and now our connector group name has been updated.

4:21 Now that we have the connector group updated, let's move on to adding our application. The goal of this application is to allow our test user, Test User One, to connect over RDP to the web and DNS server web1.privateaccess.local. Go to Applications and Enterprise applications. From here we'll add an application. Give it a name, "RDP Access" for this example. Select the Network One connector group. We get a message that suggests using multiple connectors. It's a good suggestion that I won't follow because this is a lab. Leave "Enable access with Global Secure Access client" enabled and add an application segment. We'll use the fully qualified domain name for this example. In the lab the server we're connecting to is web1.privateaccess.local. The RDP port is 3389. We'll leave the protocol set to TCP, then apply and save. That's saved. Let's go back to Enterprise applications, and there it is. We now have our Enterprise application.

5:32 Next we'll configure access to the RDP application. Let's open the app and go to Users and groups. We'll add a user or group. It shows none selected; let's select a user or group. Locate your user or group. For this example we'll use Test User One. We'll select. In production it would make more sense to use groups of users. If using groups, only users directly added to the group will have access; users in nested groups won't have access. We'll assign. That gives the user or group access.

6:09 Next we'll create a conditional access policy for the application. Let's go to Conditional Access. It shows the MFA policies that already apply. Let's open one. This policy applies to specific users and all resources; that includes the Enterprise application we just created. Let's go back to our application, and under Conditional Access we'll create a new policy. Give it a name, "RDP App Policy" for this example. Go to groups. You may select all users in production; for this example, though, it's limited to just one user. We'll select. Go to Target resources. It applies to our target resource, the Enterprise application we're creating. Let's go to Conditions. The idea is we could create a different policy for different users and applications. If we wanted to exclude a trusted network from this policy, so users aren't required to use MFA when logging in from a trusted network for example, we could create that with a policy with those settings. Let's disable that and go to Grant. We'll select Require MFA and select. You can enable report-only for testing; for this example we'll enable it and create. Now let's check that that policy applies to the application as well.

7:45 Let's log into the Windows 11 client for testing. This is a workstation Entra hybrid joined to the tenant with the Global Secure Access client installed. It's on a different virtual network from the server we're connecting to, and there's no peering between them. Let's verify the client's connected. That looks good. Let's open up the client. The server we're connecting to, and the one that was targeted with the application segment, is web1.private… Connect. That looks good. We'll give it … It connected. That looks good. This means our Enterprise application is working with the Global Secure Access client app. We didn't get the MFA prompt. Let's log off.

8:49 Again, let's log the user off from all sessions so we know it's not using cached credentials. Find the user in Entra ID and revoke all sessions. Once that's revoked, we'll go back to our Windows 11 session from our client. Let's try to connect to that again. This time we get the Global Secure Access client login prompt. The RDP client did time out. Let's … connects. We're dealing with two authentications. The first was authenticating with our test user account to the tenant; that's needed for the Global Secure Access connection. The second is the local computer authentication. Great, that means our first application works.

9:54 We can also review the connection by going back to the Entra … access and Traffic logs. Here's a list of all of our traffic logs. If we open one that matches our user and destination, it displays information including the destination fully qualified domain name, port, client OS and so on.

10:21 Let's move on to the next application. The goal of the second application is to allow a user to connect to a network share over the Private Access connection. We'll go to Enterprise applications and add our second application. Give it a name, "SMB Access" for this example. Select our connector group, Network One for this example. Leave "Enable access with Global Secure Access client" checked and add an application segment. We'll use the fully qualified domain name. In this lab the server we're connecting to is web2.privateaccess.local. The port for SMB is 445 and we'll leave the protocol set to TCP, then save. That's saved. Let's go back to Enterprise applications, and there it is. Now we have our SMB Access Enterprise application.

11:27 Next, let's open the application and go to Users and groups. From here we'll add a user or group. None are selected; let's select a user or group. Locate your user or group. For this example we'll use Test User 2. We'll select and assign that user. In production we'd probably use a group instead of a specific user, but for this example, because I'm demonstrating different access for different applications, I'm just going to use a user.

11:59 Next we'll create a conditional access policy for the application. Let's go to Conditional Access. Again, this is a list of the MFA policies that already apply. We'll create a new one. Give it a name, "SMB App Policy" for this example. Go to Users. We'll select Users and groups, and Users. From here we'll select the user or group we want this conditional access policy to apply to; for this example it's just our Test 2 user. We'll select that. Go to Target resources. It applies to our target resource, the SMB Access Enterprise application we just created. Let's go to Grant and we'll select Require MFA, then select. Just like before, you can select report-only if you want to test first; for this example I'll enable it and create. That creates our SMB Access Enterprise application, assigns users and groups, and sets the conditional access policy. Let's test it.

13:01 Next, let's log into a different Windows 11 computer with the test user we configured for access. I recommend restarting the client computer first so the Global Secure Access client updates with the latest configuration. You could also restart the client. Let's verify the client's connected. That looks good. Let's open up File Explorer and we'll browse to the server and share. In this environment the login for Global Secure Access is different from the resource we're connecting to. That's because the resource, the SMB … domain. And that connected. We can create a new file. That's great. That means our Enterprise application is working with the Global Secure Access client for something other than a port 80 website, an SMB share for this example.

13:57 For the sake of testing, let's try to connect with RDP to the web one server. Remember, Test User One was assigned to the Enterprise application for RDP access to web1, not Test User 2, the user we're logged in as. Let's close this and open the RDP client, and we'll try to connect to web … It gives us an MFA prompt, and it gives us a message that we're not allowed to connect. That's great. The Enterprise application for RDP access is working exactly the way we configured it. It's blocking access to users who weren't assigned, and it's giving us a detailed description of why it's not working.

14:50 That is how to create Enterprise applications in Entra Private Access with different application segments, users or groups and conditional access settings. That is how to create Global Secure Access applications in Entra Private Access. Please don't forget to like and