Video Summary

This video demonstrates how to configure Microsoft Entra Private Access to provide granular, secure access to non-web applications (like RDP and SMB shares) by creating distinct Enterprise Applications, each with specific user assignments and Conditional Access policies.

Video Transcript
In this video we create Global Secure Access applications with different security settings for Entra Private Access.

Hello everyone, I'm Travis and this is Ciraltos. I'm recording from a temporary but warmer location while I'm on the road. In this video we're going to create Global Secure Access applications for Entra Private Access with different security settings. Before that, please like, subscribe and share with a friend, click the bell icon for notifications of new content, and check out my courses on Azure Virtual Desktop, Windows 365 with Intune management, hybrid identities with Windows AD and Entra ID, and my latest course, a beginner's guide to the AZ-900, available at Udemy.com. Links are below, and thank you channel members, your support is appreciated.

In the last video we configured Entra Private Access with a connector and the Quick Access application. The Quick Access application is fine for many use cases, but the applications and security settings are shared for all users. We can't force MFA for one group and bypass it for another, or allow access to an application segment for one user but not for another, with Quick Access. We're picking up where the last video left off in creating Global Secure Access Enterprise applications. We could use these to provide limited access and apply different Conditional Access policies per each application.

Something worth pointing out: in the context of Private Access, an application segment refers to each application a user has access to through Private Access and the Global Secure Access app. A Private Access Global Secure Access application refers to an Enterprise application that controls access to one or more application segments. We apply security settings to the Enterprise application, and that applies to all application segments in the Enterprise app.

The demo coming up will create two Global Secure Access apps. Each will have a different user assigned to the app with different Conditional Access policies. The examples will show how to configure one application that allows remote access to a server over RDP, and a second that provides access to a Windows file share, each with different user access and Conditional Access policies. The goal is to demonstrate access to non-web-based applications over Private Access with the Global Secure Access client. Let's jump into the Entra portal to get started.

Here we are in the Entra portal at entra.microsoft.com. As already stated, if you haven't configured Entra Private Access, check out my previous video that walks through the initial configuration. This video picks up where that one left off.

Before we start, I have to show one change from the original configuration. When I tested this demo I ran into an issue with a second user. The Global Secure Access client showed "Global Secure Access disabled by the organization", and the health check showed "break glass mode enabled". This was resolved by going to Traffic forwarding in the Global Secure Access client, under Connect, finding the Private access rule user and group assignments, and updating this to assign to all users. From there, restart the client VM and wait about 10 minutes. That cleared up the issue.

Let's move on by updating our connectors. If we go to Connectors under Connect, there's a default connector group. New connectors are added to the default group. I suggest not assigning the default group to any application. There could be an issue if an application on one network uses the default connector and a new connector for a different network is added to the group; it could lead to connectivity issues. The default group acts as a staging area for new connectors.

I don't like that we named the group Quick Access group in the last video. A connector group defines a network boundary; we don't need a group for each application. Also, a connector can only be associated to one connector group, but a connector group can be used with multiple applications. For deployments with multiple applications, it makes more sense to give the connector group a name that defines the network it's connected to. Select the connector, and we'll update the name, Network 1 for this example. We'll save. We'll close that, and now our connector group name has been updated.

Now that we have the connector group updated, let's move on to adding our application. The goal of this application is to allow our test user, test user 1, to connect over RDP to the web and DNS server web1.privateaccess.loc. Go to Applications and Enterprise applications. From here we'll add an application. Give it a name, RDP access for this example. Select the Network 1 connector group. We get a message that suggests using multiple connectors. It's a good suggestion that I won't follow because this is a lab. Leave "Enable access with Global Secure Access client" enabled and add an application segment. We'll use the fully qualified domain name for this example. In the lab the server we're connecting to is web1.privateaccess.loc. The RDP port is 3389. We'll leave the protocol set to TCP, and apply, and then save. That's saved. Let's go back to Enterprise applications, and there it is. We now have our Enterprise application.

Next we'll configure access to the RDP application. Let's open the app and go to Users and groups. We'll add a user or group. It shows none selected; let's select a user or group. Locate your user or group. This example we'll use test user 1. We'll select. In production it would make more sense to use groups of users. If using groups, only users directly added to the group will have access; users in nested groups won't have access. We'll assign. That gives the user or group access.

Next we'll create a Conditional Access policy for the application. Let's go to Conditional Access. It shows the MFA policies that already apply. Let's open one. This policy applies to specific users and all resources. That includes the Enterprise application we just created.

Let's go back to our application, and under Conditional Access we'll create a new policy. Give it a name, RDP app policy for this example. Go to Users and groups. You may select all users in production; for this example though, it's limited to just one user. We'll select. Go to Target resources. It applies to our target resource, the Enterprise application we're creating. Let's go to Conditions. The idea is we could create a different policy for different users and applications. If we wanted to exclude a trusted network from this policy, so users aren't required to use MFA when logging in from a trusted network for example, we could create that with a policy with those settings. Let's disable that and go to Grant. We'll select Require MFA. Select. You can enable report-only for testing; this example will enable the policy. Create. Now, check that that policy applies to the application as well.

Let's log into the Windows 11 client for testing. This is a workstation, Entra hybrid joined to the tenant, with the Global Secure Access client installed. It's on a different virtual network from the server we're connecting to, and there's no peering between them. Let's verify the client's connected. That looks good. Let's open up the RDP client. The server we're connecting to, and the one that was targeted with the application segment, is web1. Connect. That looks good. It connected. This means our Enterprise application is working with the Global Secure Access client app.

We didn't get the MFA prompt. Let's log off again. Let's log the user off from all sessions so we know it's not using cached credentials. Find the user in Entra ID and revoke all sessions. Once that's revoked, we'll go back to our Windows 11 session from our client. Let's try to connect to that again. This time we get the Global Secure Access client login prompt. The RDP client did time out; let's connect again. We're dealing with two authentications. The first was authenticating with our test user account to the tenant; that's needed for the Global Secure Access connection. The second is the local computer authentication. Great, that means our first application works.

We can also review the connection by going back to Global Secure Access and Traffic logs. Here's a list of all of our traffic logs. If we open one that matches our user and destination, it displays information including the destination fully qualified domain name, port, client OS and so on. Let's move on to the next application.

The goal of the second application is to allow a user to connect to a network share over the Private Access connection. We'll go to Enterprise applications and add our second application. Give it a name, SMB access for this example. Select our connector group, Network 1 for this example. Leave "Enable access with Global Secure Access client" checked and add an application segment. We'll use the fully qualified domain name. In this lab the server we're connecting to is web2.privateaccess.loc. The port for SMB is 445, and we'll leave the protocol set to TCP. Then save. That's saved. Let's go back to Enterprise applications, and there it is. Now we have our SMB access Enterprise application.

Next let's open the application and go to Users and groups. From here we'll add a user or group. None are selected; let's select a user or group. Locate your user or group. This example we'll use test user 2. We'll select and assign that user. In production we'd probably use a group instead of a specific user, but for this example, because I'm demonstrating different access for different applications, I'm just going to use a user.

Next we'll create a Conditional Access policy for the application. Let's go to Conditional Access. Again, this is a list of the MFA policies that already apply. We'll create a new one. Give it a name, SMB app policy for this example. Go to Users. We'll select Users and groups, and Users. From here we'll select the user or group we want this Conditional Access policy to apply to. For this example it's just our test user 2. We'll select that. Go to Target resources. It applies to our target resource, the SMB access Enterprise application we just created. Let's go to Grant, and we'll select Require MFA. Select. And just like before, you can select report-only if you want to test first. This example I'll enable it, and create. That creates our SMB access Enterprise application, assigns users and groups, and sets the Conditional Access policy. Let's test it.

Next, let's log into a different Windows 11 computer with the test user we configured for access. I recommend restarting the client computer first so the Global Secure Access client updates with the latest configuration. You could also restart the client. Let's verify the client's connected. That looks good. Let's open up File Explorer and we'll browse to the server and share. In this environment the login for Global Secure Access is different from the resource we're connecting to; that's because the resource, the SMB server, is on a different domain. And that connected. We can create a new file. That's great. That means our Enterprise application is working with the Global Secure Access client for something other than a port 80 website, an SMB share for this example.

For the sake of testing, let's try to connect with RDP to the web1 server. Remember, test user 1 was assigned to the Enterprise application for RDP access to web1, not test user 2, the user we're logged in as. Let's close this and open the RDP client, and we'll try to connect to web1. It gives us an MFA prompt, and it gives us a message that we're not allowed to connect. That's great. The Enterprise application for RDP access is working exactly the way we configured it. It's blocking access to users who weren't assigned, and it's giving us a detailed description of why it's not working.

That is how to create Enterprise applications in Entra Private Access with different application segments, users or groups, and Conditional Access settings. That is how to create Global Secure Access applications in Entra Private Access. Please don't forget to like and
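As an added example (not from the video), the two per-application Conditional Access policies described above expressed with the Microsoft Graph PowerShell SDK, so the same shape can be repeated for every Private Access Enterprise application; the policy names, Enterprise application names, user principal names and the use of report-only mode for the first policy are assumptions.

```powershell
# Added example: one Conditional Access policy per Private Access Enterprise
# application, scoped to the one user assigned to that app, requiring MFA.
# Requires the Microsoft.Graph PowerShell SDK. Names and UPNs below are assumptions.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'User.Read.All'

function New-PrivateAccessAppPolicy {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$AppDisplayName,     # Enterprise application name
        [Parameter(Mandatory)][string]$UserPrincipalName,  # the user assigned to the app
        [switch]$ReportOnly                                # start in report-only mode for testing
    )

    # Conditional Access targets the application by its appId, not the service principal object id.
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
    if (-not $sp) { throw "Enterprise application '$AppDisplayName' not found" }

    $user  = Get-MgUser -UserId $UserPrincipalName
    $state = if ($ReportOnly) { 'enabledForReportingButNotEnforced' } else { 'enabled' }

    $body = @{
        displayName = $PolicyName
        state       = $state
        conditions  = @{
            # Scope: this one Enterprise application only, not "all resources"
            applications = @{ includeApplications = @($sp.AppId) }
            # Scope: only the user assigned to the app (use a group in production)
            users        = @{ includeUsers = @($user.Id) }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')   # Require multifactor authentication
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# One policy per application, each tied to a different assigned user.
New-PrivateAccessAppPolicy -PolicyName 'RDP app policy' -AppDisplayName 'RDP access' `
    -UserPrincipalName 'testuser1@contoso.example' -ReportOnly
New-PrivateAccessAppPolicy -PolicyName 'SMB app policy' -AppDisplayName 'SMB access' `
    -UserPrincipalName 'testuser2@contoso.example'
```

Review the report-only results in the sign-in logs before switching the first policy's state to enabled.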