Microsoft Tech Community
Microsoft Entra Private Access for on-prem users
Published May 16 2024 09:00 AM 28.1K Views

The emergence of cloud technology and the hybrid work model, along with the rapidly increasing intensity and sophistication of cyber threats, is significantly reshaping the work landscape. As organizational boundaries blur, private applications and resources that were once safe behind the perimeter for authenticated users are now exposed to intrusion from compromised systems and users. When users connect to a corporate network through a traditional virtual private network (VPN), they are granted broad access to the entire network, which poses significant security risks. These challenges have introduced new demands that traditional network security approaches struggle to meet. Gartner even predicts that by 2025, at least 70% of new remote access deployments will be served predominantly by Zero Trust Network Access (ZTNA) rather than VPN services, up from less than 10% at the end of 2021.


Microsoft Entra Private Access, part of Microsoft’s Security Service Edge (SSE) solution, securely connects users to any private resource and application, reducing the operational complexity and risk of legacy VPNs. It enhances the security posture of your organization by eliminating excessive access and preventing lateral movement. As traditional VPN enterprise protections continue to wane, Private Access improves a user’s ability to connect securely to private applications easily from any device and any network—whether they are working at home, remotely, or in their corporate office. 


Enable secure access to private apps that use a domain controller for authentication


With Private Access (Preview), you can now implement granular app segmentation and enforce multifactor authentication (MFA) for on-premises users on any on-premises resource that authenticates against a domain controller (DC), across all devices and protocols, without granting full network access. You can also protect your DCs from identity threats and prevent unauthorized access by enabling privileged access to the DCs, which enforces MFA and Privileged Identity Management (PIM).


To enhance your security posture and minimize the attack surface, it’s crucial to implement robust Conditional Access controls, such as MFA, across all private resources and applications including legacy or proprietary applications that may not support modern auth. By doing so, you can safeguard your DCs—the heart of your network infrastructure.


A closer look at the mechanics of Private Access for the on-prem user scenario


Here’s how Private Access secures access to on-prem resources and applications, giving employees a seamless way to reach on-premises resources while they are on the local network and keeping the company's critical services protected. Imagine an employee working on-premises at their company's headquarters. They need to access the company's DCs to retrieve important information for a project or to make some changes. When they try to reach the DC directly, however, access is blocked: the company has enabled privileged access, which restricts direct access to the DC for security reasons.


Instead of accessing the DC directly, the employee's traffic is intercepted by the Global Secure Access Client and routed to the Microsoft Entra ID and Private Access Cloud for authentication. This ensures that only authorized users can access the DC and its resources.


When the employee attempts to access the private resources they need, they’re prompted to authenticate using MFA. This additional layer of security ensures that only legitimate users can gain entry to the DC. Private Access also extends MFA to all on-premises resources, even those that lack built-in MFA support. This means that even legacy applications can benefit from the added security of MFA. With Private Access, the company has also enabled granular app segmentation, which allows them to segment access to specific applications or resources within their on-premises environment. This means that the employee can only interact with the services they’re authorized to access, ensuring the security of critical services.


Despite these added security measures, the employee's user experience remains seamless. Only authentication traffic leaves the corporate network, while application traffic remains local within the corporate network. This minimizes latency and ensures that the employee can access the information they need quickly and efficiently.
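The flow described above as a constructed model, added here for illustration and not Microsoft's code or any Global Secure Access API: the client matches an intercepted connection to a published app segment by destination and port, checks the Enterprise App group assignment, applies a Conditional Access MFA grant, and lets the data path stay on-prem once the sign-in succeeds. Segment names, group names, addresses, ports and the `require_mfa` flag are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

def _port_in(port, spec):  # spec: ports or ranges, e.g. ["88", "389-636"]
    for item in spec:
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _host_in(host, dest):  # dest: IPv4 CIDR or exact FQDN
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(dest, strict=False)
    except ValueError:  # a side is not an IP: fall back to FQDN comparison
        return host.lower() == dest.lower()

@dataclass
class AppSegment:           # one published private app (constructed)
    name: str
    dest: str               # FQDN or CIDR the segment covers
    ports: list             # ports the segment publishes
    groups: set             # groups assigned to the Enterprise App
    require_mfa: bool       # Conditional Access MFA grant on this app

@dataclass
class Request:              # one connection intercepted by the client
    user: str
    groups: set
    host: str
    port: int
    mfa_satisfied: bool     # did the Entra ID sign-in complete MFA?

def evaluate(segments, req):
    """Return (decision, matched segment name or None) for one connection."""
    seg = next((s for s in segments if _host_in(req.host, s.dest)
                and _port_in(req.port, s.ports)), None)
    if seg is None:
        return ("deny: no app segment covers this destination", None)
    if not (req.groups & seg.groups):
        return ("deny: user not assigned to app", seg.name)
    if seg.require_mfa and not req.mfa_satisfied:
        return ("challenge: Conditional Access requires MFA", seg.name)
    # Only the sign-in left the network; the app traffic stays on-prem.
    return ("allow: data path stays local", seg.name)

SEGMENTS = [  # constructed sample: a privileged DC segment and a legacy web app
    AppSegment("DC-Admin", "10.0.0.0/28", ["88", "389", "636", "3389"],
               {"DC-Admins"}, require_mfa=True),
    AppSegment("HR-Portal", "hr.corp.example", ["443"], {"All-Staff"}, False),
]
```

A connection to a DC port that no segment publishes is denied outright, which is the "access is blocked" step in the story; only a matching segment plus a satisfied MFA grant yields an allow.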


Figure 1: Private Access enforces flexible MFA to on-prem resources for on-prem users, strengthening your security posture and minimizing your attack surface.


Key benefits: Elevate network access security to on-premises resources with Private Access


Organizations seeking to enhance the security of their on-premises resources and protect their critical assets, including DCs, against identity threats can benefit from the key capabilities provided by Private Access—in preview. With Private Access, organizations can enable granular segmented access and extend Conditional Access controls to all their private applications. 


Private Access allows for the implementation of MFA for private apps that use DC for authentication, adding an extra layer of security to prevent unauthorized access and reduce identity-related risks. By enabling granular segmented access policies for individual applications or groups, organizations can ensure that only authorized users interact with critical resources and services. Additionally, Private Access extends Conditional Access controls to all private resources, even those relying on legacy protocols, allowing organizations to consider factors such as application sensitivity, user risk, and network compliance when enforcing modern authentication methods across their entire environment.




Private Access provides granular access controls on all private applications for any user, on-premises or remote, while bridging the gap between legacy applications and modern security practices. Its capabilities give organizations new tools to confidently enable secure access to private apps that use a DC for authentication and to navigate the complex landscape of modern authentication and access controls.


Explore the future of secure access today by joining Microsoft Entra Private Access in preview and stay ahead of evolving security challenges.


To learn more, watch “Announcing new capabilities to protect on-premises resources with MFA via Microsoft Entra Private Ac...” for a closer look into how these new capabilities work.   




Version history
Last update:
‎May 13 2024 12:56 PM