Microsoft Entra Blog

Microsoft Entra Private Access for Domain Controllers is now in Public Preview

Ashish__Jain (Microsoft)
Aug 21, 2025

Microsoft Entra brings identity-centric Zero Trust access controls to the heart of your on-premises infrastructure: your domain controllers.

Microsoft Entra Private Access for Active Directory Domain Controllers is now in Public Preview. As part of Microsoft’s Security Service Edge (SSE), this feature lets organizations use Conditional Access and multi-factor authentication (MFA) for internal resources that authenticate through Kerberos, managed via Global Secure Access.

Enforcing controls on the domain controller secures on-premises resources through dual-layer, identity-focused Zero Trust protection—covering both user and domain controller access, even for users on site.

Seamlessly enforce identity controls across hybrid environments

Microsoft Entra Private Access for Active Directory Domain Controllers enhances Zero Trust access controls for on-premises resources through the deployment of the Private Access sensor, a lightweight agent installed on domain controllers. By intercepting Kerberos authentication and implementing Conditional Access policies—even for protocols that do not inherently support modern identity controls—Private Access eliminates implicit trust within the network perimeter. This approach ensures consistent security across remote, on-premises, and hybrid environments while preserving a seamless experience for users.

Legacy applications and infrastructure in hybrid environments can use modern identity protections without needing changes to code or hardware. For on-premises users, application traffic stays local to maintain performance, while authentication traffic is sent to Entra for policy evaluation, supporting consistent enforcement across the security perimeter.

This also unlocks a significant opportunity to enable Identity Threat Detection and Response (ITDR) for hybrid users: verifying every access request, blocking lateral movement, and enforcing Conditional Access policies like multi-factor authentication (MFA) at the domain controller layer when on-premises applications are accessed locally.

Enforce identity-centric Zero Trust access controls on domain controllers.

Built for hybrid work: Consistent Zero Trust Network Access (ZTNA)

Microsoft Entra Private Access delivers consistent identity and network security controls across on-premises, remote, and hybrid environments. Every authentication request to domain-authenticated resources is validated against Conditional Access policies, replacing perimeter-based trust with continuous verification, regardless of user location.

Identity-centric Zero Trust for every resource

Microsoft Entra Private Access enhances ZTNA by adding identity-based controls for essential on-premises resources. Admins can set detailed SPN-level policies, such as requiring MFA for cifs/* file shares, enabling compliant device access to MSSQL/* servers, and applying step-up authentication for sensitive RDP servers. This allows for precise risk-based segmentation and tailored service access.

Seamless experience, powerful control

The administration interface is consolidated within the Microsoft Entra admin center under Global Secure Access, providing a unified platform to register domain controllers, configure application segments (SPNs), and assign Conditional Access policies. Policies are distributed dynamically to Private Access sensors without requiring restarts, ensuring efficient and consistent enforcement.

This architecture also helps block lateral movement in nested Remote Desktop Protocol (RDP) sessions (such as RDP launched from within an RDP session), one of the most common lateral movement vectors, without deploying costly on-premises appliances or routing application data through the cloud.

Built-in resilience and flexibility

Microsoft Entra Private Access for Domain Controllers includes features to support phased rollouts and complex environments:

  • Audit Mode: Preview enforcement impact before going live
  • SPN Exclusions: Onboard legacy systems gradually
  • Unmanaged Device Blocking: Restrict access to approved endpoints
  • Break Glass Mode: Emergency bypass for critical infrastructure

These controls help teams deploy confidently without disrupting operations.
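As an added illustration (not Microsoft's code; the product's actual policy engine, setting names and evaluation order are assumptions here), this Python model shows how the SPN-level policies from the previous section and the rollout controls listed above (Audit Mode, SPN Exclusions, compliant-device requirements, Break Glass Mode) combine into a single allow/block/audit decision for one Kerberos service-ticket request.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Policy:
    """One SPN-level rule, e.g. require MFA for every cifs/* file share."""
    spn_pattern: str
    require_mfa: bool = False
    require_compliant_device: bool = False


@dataclass
class SensorConfig:
    """Hypothetical per-sensor settings mirroring the rollout controls in the post."""
    policies: list
    excluded_spns: list = field(default_factory=list)  # SPN Exclusions
    audit_mode: bool = False                           # Audit Mode
    break_glass: bool = False                          # Break Glass Mode


def _matches(spn, pattern):
    # SPN matching is case-insensitive; '*' is a glob wildcard as in "cifs/*".
    return fnmatchcase(spn.lower(), pattern.lower())


def evaluate(cfg, spn, mfa_done, device_compliant):
    """Decide what the sensor does with a service-ticket request for `spn`.

    Returns (decision, reason); decision is "allow", "block" or "audit"
    ("audit": the request would have been blocked but is only logged).
    """
    if cfg.break_glass:
        return "allow", "break-glass bypass active"
    if any(_matches(spn, pat) for pat in cfg.excluded_spns):
        return "allow", "SPN excluded from enforcement"
    for policy in cfg.policies:  # first matching policy wins (assumption)
        if not _matches(spn, policy.spn_pattern):
            continue
        missing = []
        if policy.require_mfa and not mfa_done:
            missing.append("MFA")
        if policy.require_compliant_device and not device_compliant:
            missing.append("compliant device")
        if not missing:
            return "allow", f"{policy.spn_pattern}: requirements satisfied"
        reason = f"{policy.spn_pattern}: missing " + ", ".join(missing)
        return ("audit" if cfg.audit_mode else "block"), reason
    return "allow", "no policy covers this SPN"
```

Running the same request set once with `audit_mode=True` and once without is the practical way to preview enforcement impact before switching a sensor to blocking.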

Why it stands out

Microsoft Entra Private Access for Domain Controllers delivers on-premises MFA enforcement without third-party hardware or complex network changes. Lightweight sensors intercept Kerberos authentication and enforce Conditional Access—even for legacy apps.

This identity-centric ZTNA model enhances lateral movement protection with fresh authentication for each sensitive resource and granular, per-resource access control, managed in the Entra portal. It modernizes on-premises security for hybrid work and ITDR without network re-architecture, offering detailed control, visibility, and enforcement integrated with current identity infrastructure.

Get started today

Begin testing by deploying the Private Access sensor and configuring policies. For setup guidance, see the Microsoft Learn configuration guide.

-Ashish Jain

Updated Aug 20, 2025
Version 1.0

2 Comments

  • Looking forward to trying it out, Ashish__Jain and the rest of the gang, now this has been “hidden” from my “channels” 😉
    I will someday try this out, and see what it can do.

    Enjoying working with you all, an honor to help shape the products 👌

    All the best,

    Michael/Sonne/The bug hunter!