Mastering Microsoft Entra Private Access: Step-by-Step Deployment Guide | Travis Roberts | YouTubeToText
Microsoft Entra Private Access is a Zero Trust Network Access (ZTNA) solution that provides secure, granular access to internal applications and resources for remote users, acting as a modern alternative to traditional VPNs.
In this video we review and configure Entra Private Access. Hello everyone, I'm Travis and this is Ciraltos. Entra Private Access provides connectivity to internal applications and resources when users are remote. It's not a traditional VPN; it's what Microsoft calls zero trust network access, or ZTNA. In this video we look at what Entra Private Access is and how to deploy it. Before that, please like, subscribe and share with a friend. Click the bell icon for notifications of new content, and check out my courses on Azure Virtual Desktop, Windows 365 and Intune management, hybrid identities with Windows AD and Entra ID, and my latest course, a beginner's guide to the AZ-900, available at Udemy.com. Links are below, and thank you channel members, your support is appreciated.

Entra Private Access is an alternative to traditional VPNs for accessing resources on an internal private network. It supports zero trust, single sign-on, conditional access policies and multifactor authentication. Coming up, we'll review the Private Access architecture and deploy it in the lab, and stick around to the end where we go over some basic troubleshooting steps.

Let's start with licensing. Entra Private Access requires a license. This can be purchased as part of the Microsoft Entra Suite or as a standalone product. The Entra Suite is an add-on to an Entra P1 or P2 license; an Entra P1 or P2 license is also required to use Entra Private Access. A trial is available for most tenants.

There are three main components to Private Access: the portal, the connector and the client. All configuration of the Private Access service is done through the portal. This is where we configure networks and applications, the users' access, security including conditional access policies, and connector groups. A connector is a lightweight agent that installs inside the private network. It's the same agent used for the Entra Application Proxy service. Once installed, it establishes an outbound connection to the Entra Private Access service. The connector requires outbound access over web ports 80 and 443; there's no need to open inbound ports for Private Access. The connector service runs on a Windows server with connectivity to the resources users will access. It's best to have multiple connectors in each network for high availability. The connector service supports Server 2012 R2 and newer. It requires .NET version 4.7.1 or above; Server 2019 comes with .NET 4.7.2. There are a few settings that need to be configured on the connector server, including disabling HTTP/2 for Kerberos constrained delegation to work. We'll review those settings in the demo. Also, install a connector on a standalone server. Don't add the connector to a server that hosts services the users will access, and don't add it to the same server used for Entra Password Protection; just a small dedicated server for the connector. If there are services or applications on multiple networks, we can group connectors in what's called a connector group. So for example, if we have two applications on isolated networks, we could deploy one or more connectors to each network and then add them to separate connector groups. A connector group represents a private network boundary.

Next we have the client. The Global Secure Access client is used to connect to Entra Private Access. There's support for Windows and Android, and at the time of recording there's also a macOS and iOS client in preview. The Windows client requires the device to be joined to the tenant, either Entra ID joined or Entra hybrid joined; Entra registered Windows devices are not supported. The macOS, iOS and Android client must be registered with the Entra tenant. The Windows multi-session OS is not supported; Private Access will work with Windows 365 and AVD with a single-user OS. Local admin privileges are required to install and configure the Global Secure Access client. Of course, you can deploy with Intune.

There are two ways to configure applications. The first is with Quick Access. Quick Access is a preconfigured group of application segments. An application segment is one or more distinct internal applications. With Quick Access we have one location to add multiple application segments, configure access for users and groups, and set conditional access policies. However, all users have access to the same applications with the same conditional access policies, and we can only specify one connector group, so all applications must be on the same network. We can also create Global Secure Access applications that provide per-application access. If we need different conditional access policies or connector groups, for example, we can create a new Global Secure Access app with different settings. Coming up, we'll configure the Quick Access application. We configure the application by specifying the fully qualified domain name, IP address, range of IP addresses or block for the application. We also specify the ports for the application. The ports could include 80 and 443 for web applications, 3389 for RDP, 445 for SMB file shares, and ports for other applications. This is one way Private Access is different from Entra App Proxy: App Proxy is limited to web apps; Private Access will work with other applications. One word of caution: avoid using DNS port 53 and let the connector handle DNS traffic. The client will redirect any IP address we specify in the application segment to the connector. If we specify a fully qualified domain name, any client traffic going to that FQDN will be resolved using the DNS configuration on the connector. There's also a preview option for the Quick Access application where we can specify a private DNS suffix. This acts as a domain wildcard; any traffic with that suffix will get sent to the connector.

Let's review a handful of FYIs and recommendations for deploying Private Access, in no particular order. Locate the connector servers close to the application to avoid latency. If you have applications across multiple networks or locations, use multiple connectors and connector groups. Use multiple connectors in a group for high availability, and make sure all servers in a connector group are on the same network and joined to the same domain. An application redirects traffic to a connector group, not an individual connector, so it's important they're as similar as possible. If you intend to use SSO with Private Access, be sure to put the connector server and applications in the same domain or a trusting domain. The connector service needs outbound access over ports 80 and 443. If URL filtering is in place, make sure to exclude all URLs required for the connector; a link to that list is below. And exclude connector traffic from SSL inspection if that's in place.

Before we jump in, let's review the lab setup. The demo lab has a virtual network in Azure that's not peered with any other network. There are three servers in that network. Two are running IIS with a static web page; those are the target applications the client will access. There's also a single server used for the connector. All servers are running Windows Server 2019, and there's a Windows 11 client computer that's Entra hybrid joined to the tenant with the Global Secure Access client installed. Coming up, we're going to configure the prerequisites for the connector and then install the connector service. After that we'll create and configure a connector group and then create Quick Access applications, including adding users and a conditional access policy. Then we'll test connectivity by accessing the resources with a client and review the private DNS configuration, in preview at the time of recording. Finally, we'll review some troubleshooting steps to take if you run into issues.

Let's jump into the Entra portal to get started. Here we are logged into the Entra admin center at entra.microsoft.com. From here we'll go to Global Secure Access, Connect, and finally Connectors. If accessing Global Secure Access for the first time, you may get a message that you have to activate it on the tenant; click Activate. Activating it onboards the tenant and may take a few minutes. For this example it's already been activated. Also, if you see a message like the one on the screen that the private network is currently disabled on your tenant, select the Enable Private Network Connection option. That will enable Entra Private Network, and now there's an option to disable it if needed.

Next we need to install the connector on the connector server. For this example I'll log into the connector over Bastion. Let's make it full screen; that makes it a little easier to see. This is a new Server 2019 install. There are a couple of registry settings that need to be applied. I have some commands on the screen that will help configure them, and this block of code will be available on my blog; check the link below. The first one disables HTTP 2.0. This is required for Kerberos constrained delegation to work properly; it needs to be disabled on newer versions. We'll select it and run that block of code. That sets the registry key and value. Next we need to enable TLS 1.2 for the private network connector. This set of commands will check for the TLS 1.2 key and add the keys and values if it's not there. Let's run this group of commands. It's a good idea to check the registry to verify all these values have been applied. Refresh, and there they are. Next we need to reboot this computer for the changes to take effect. The video will pause here.

Next, we'll download and install the connector. We'll go to entra.microsoft.com and go to Global Secure Access, Connect, and then to Connectors. From Private Network Connectors we have the option to download the connector service. Let's download, and now it's in our Downloads folder. The setup process uses a web-based login. If using an OS that has Internet Explorer installed, you need to disable IE Enhanced Security Configuration or you'll get a message like the one on the screen. Let's go to Server Manager, select IE Enhanced Security Configuration and disable it. We'll click OK. Keep in mind you're disabling a security feature; you may want to re-enable it once the installation is finished. Once IE is squared away, we'll run the executable to install the connector. Next we have to sign in to set up the connector in Entra. Sign in with an account that has Application Administrator privileges or higher. This step registers the application proxy to the tenant. Once finished, we get the setup successful message shown on the screen. We can close that, and now we have a connector on the tenant.

Let's go back to Entra ID to configure the connector. If we go to Global Secure Access, Connect, we can see the new connector under the default connector group. From Private Network Connectors we can add a new connector group. Let's add one. We can give it a name; let's call this one Quick Access Group. Let's select the connector we just added, and under Advanced Settings we can select a country or region. Change that if needed, and click Create. Any new connectors will get added to the default group. We'll leave the default group unassociated with any applications so we can move newly added connectors to the correct group.

Next we'll configure a couple of applications for Quick Access. In the lab there are two servers on the same network as the connector, each hosting a different website. We'll use those as our test applications. Go to Applications, then Quick Access. There's only one Quick Access group; all applications in the Quick Access group share the same security settings and network connectors. First let's set the name, Quick Access for this example, and we'll change the group: select Quick Access Group, the one we just created. We do get a message that there should be at least two active connectors. This provides some high availability, but for this lab we'll just have the one. Then we'll save. That saves the Quick Access group. Next we'll add an application segment. This defines the applications we allow through the connector. Select Add Quick Access application segment. Here we can set the destination type; we can add a single IP address, a fully qualified domain name, a CIDR range or an IP address range. Let's select an IP address. There are two servers hosting static websites for this example. There's also a DNS server on one of them with the private zone privateaccess.local. Let's start by adding the first web server's IP address, 172.16.0.0. For ports, in this example we'll just use 80 and 443, the web ports. We're not limited to just web apps; we could add 3389 for RDP, 445 for a file share or 22 for a secure shell, for example, or you can add custom ports if you have an app that runs on non-standard ports. We can select the protocol or use both. Once set, click Apply. Let's add a second application segment. This time we'll select fully qualified domain name, and for this example we'll add the DNS name for web2, web2.privateaccess.local, set the ports and apply. Once we have those set, don't forget to save the changes for the new app segments.

Next we need to add users and groups for access. We can do that right from Users and Groups. Let's add users or groups for Quick Access. We'll select a group; for this example I'll use a group that I also use for AVD testing. Never mind the name; this just happens to be the group that contains the user I'm testing with. Notice the note on the screen: if we are using groups, only users added directly to the group will get access. It does not recognize nested groups, so if you have a group with some users and another group, the nested group won't have access. Let's assign.

Next we can add a conditional access policy, and we'll cover this kind of quick for the video. Conditional access policies is a big topic and slightly out of scope for this video. So let's go to Conditional Access. The policies listed already apply to the Quick Access application; we can open and review them if we need to. Let's add a new policy. Give it a name, Quick Access MFA for this example. Next we'll select the users. We could assign all users or selected users; for this example the same user group will be added. We'll go to Users and Groups, we'll find the same group, and we'll add that. Let's go to Target Resources. It uses Select Resources, and that resource is the Quick Access app, so this policy will apply to the groups we targeted when accessing the Quick Access application. Let's go to Access Control and select Require MFA. You can leave it as report-only or turn it on and save; for this example I'll turn it on and create. Now we have a conditional access policy for the Quick Access app.

We're getting close, I promise. Next we have to enable Entra Private Access. Go to Traffic Forwarding under Profile. Next we get a prompt to assign users and groups to the policy. There's an option to assign all users; for this example we'll add the same test group. Let's click on the link under Assigned. We'll add users or groups, we'll search for that group again and add our test group, assign, and close this window. Now we have one group assigned. That enables the Private Access traffic forwarding policy.

Now that we have Private Access configured in Entra, let's log into the client, set up Global Secure Access and test connectivity. Here we are logged into a Windows 11 client that's Entra hybrid joined; this would also work with a computer that's Entra ID joined. I logged into this computer with a user that's a member of the test group we added to Quick Access and the traffic forwarding profile. If the user is not a member of those groups, Private Access won't work for them. This computer also has the Global Secure Access client for Windows installed. You can get the client from Client Download under Connect in the Entra portal. There's an option for Windows; Android, iOS and macOS are in preview at the time of this recording. Or you can download the client directly from Windows. When you install the client, it has to be run with elevated privileges. You should also restart the client computer after you install the client. Once Global Secure Access is installed and the client has been restarted, go to Global Secure Access and verify it's connected; it should have the green check. Also right-click on the Global Secure Access client and select Advanced Diagnostics. Your client may not have the same options you see here; we'll review that later. Advanced Diagnostics requires elevated privileges. From Advanced Diagnostics go to Health Check. Make sure all checks are successful. If not, there's a link to information on health checks with more information. I'll cover a couple of issues I ran into at the end of this video. The health check looks good.

Let's take a look at the computer's IP address. It's on a 10.1.0 network. The computer running the Private Access connector and the web servers are on another Azure virtual network that's not peered with the client network; that's a 172.16.0.0 21604, and that worked great. Now let's try the second fully qualified domain name. That worked as well. That works because we added that fully qualified domain name as an application segment; the client passes the request to the connector, and that connector is on the network with a DNS server that has the privateaccess.local zone. Let's try web1.privateaccess.local. That fails because we didn't add the fully qualified domain name to the application segment. But what if we don't want to add each host in our domain? We can add an entire private DNS zone to the Quick Access application. Let's take a look at that. We'll go back to Quick Access. We can specify what DNS zones are getting passed to the connector by going back into the Quick Access app, and from here we'll select Private DNS. Let's enable Private DNS and add a suffix. For this example we'll use privateaccess.local; again, there's a DNS server in the connector network that has the privateaccess.local zone. We'll add and save.

Now let's go back to the client. We need to restart the client computer or the Global Secure Access client on this computer to get the new settings. Let's restart. Let's pause here and come back once we're logged back in. The client has been restarted. Let's open the web browser. Previously we couldn't get to web1.privateaccess.local by host name because we didn't add it as an application segment, but now any traffic going to privateaccess.local should get redirected to the connector. So let's try again, and that works. Now any web application in that zone can be accessed through the connector. As we've logged in, we haven't had to authenticate because we signed in to a hybrid joined computer. Let's revoke all sessions on the user so we can force an MFA prompt. This is just to see what the users will experience if they get an MFA prompt. Let's go to the user in Entra ID. Here's the user I'm testing with, and from here, if we revoke all sessions, that will log the user out. Now let's go back to the web browser, and we're going to clear the prompt. That logs us in. Let's refresh, and now we get access. We now have a working example of Private Access using an IP address and fully qualified domain name as well as a private DNS zone.

As promised, let's talk about troubleshooting, and to be honest, setting up this demo didn't go smoothly. Coming up are a few items I had to address on the client to get Private Access to work. First, restart the client computer after installing Global Secure Access, and restart the computer or just the client after making changes. Then check the client status; a yellow triangle indicates a problem. On the screen are some client statuses that we can see in the system tray. If the client indicates a problem, open Advanced Diagnostics and run the health check. This will give you an indication of any potential problems. The first problem I ran into was the client wasn't set to prefer IPv4; the Global Secure Access client doesn't support IPv6. I used the registry setting provided in the Microsoft doc and restarted the computer. That cleared the first issue. The next problem I had was resolved by disabling QUIC in Microsoft Edge. Once I disabled QUIC I was able to connect. I also found it helpful to enable the sign-out button on the client; that allowed me to sign out the client and disable it for testing. I'll leave a link to all the documents referenced in this video below. That is how to configure Entra Private Access and connect with the Global Secure Access client. I hope that helps you better understand what Entra Private Access is and how to deploy and use it. Please don't forget to like and
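The connector prerequisite registry settings that the video applies on screen (disable HTTP/2 for Kerberos constrained delegation, enable TLS 1.2), as an added PowerShell example that is not the video's or Travis's own script. The registry paths and value names below are assumed to match Microsoft's private network connector prerequisites guidance, and the script assumes an elevated session on the connector server.

```powershell
# Added example (not from the video): apply and verify the private network
# connector prerequisites described in the transcript:
#   1. disable HTTP/2 in .NET so Kerberos constrained delegation works
#   2. enable TLS 1.2 for SCHANNEL client/server and strong crypto in .NET
# Registry paths and value names are assumed to match Microsoft's connector
# prerequisites documentation. Run elevated on the connector; reboot afterwards.
#Requires -RunAsAdministrator

$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$tlsKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
)

# Desired state: key path -> @{ ValueName = DWORD data }
$desired = @{}
foreach ($k in $netKeys) { $desired[$k] = @{ EnableDefaultHttp2 = 0; SchUseStrongCrypto = 1 } }
foreach ($k in $tlsKeys) { $desired[$k] = @{ Enabled = 1; DisabledByDefault = 0 } }

function Set-ConnectorPrereqs {
    foreach ($path in $desired.Keys) {
        # The TLS 1.2 keys are normally absent on a fresh install, so create them first
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $desired[$path].Keys) {
            New-ItemProperty -Path $path -Name $name -PropertyType DWord `
                -Value $desired[$path][$name] -Force | Out-Null
        }
    }
}

function Test-ConnectorPrereqs {
    # Returns $true only when every value exists with the expected data; this is
    # the "check the registry to verify" step from the video, done without regedit.
    $ok = $true
    foreach ($path in $desired.Keys) {
        foreach ($name in $desired[$path].Keys) {
            $expected = $desired[$path][$name]
            $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            if ($actual -ne $expected) {
                Write-Warning "$path\$name is '$actual', expected $expected"
                $ok = $false
            }
        }
    }
    return $ok
}

Set-ConnectorPrereqs
if (Test-ConnectorPrereqs) {
    Write-Host 'Connector prerequisites applied; reboot the server for them to take effect.'
}
```

Run Test-ConnectorPrereqs again after the reboot to confirm nothing reverted the values before installing the connector.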