Microsoft Entra Private Access for on-prem users


By Ashish Jain


The emergence of cloud technology and the hybrid work model, together with the rapidly increasing intensity and sophistication of cyber threats, is significantly reshaping the work landscape. As organizational boundaries blur, private applications and resources that were once considered safe for authenticated users are now exposed to intrusion from compromised systems and users. When users connect to a corporate network through a traditional virtual private network (VPN), they are granted broad access to the entire network, which poses significant security risk. These challenges introduce demands that traditional network security approaches struggle to meet. Gartner predicts that by 2025, at least 70% of new remote access deployments will be served predominantly by ZTNA rather than by VPN services, up from less than 10% at the end of 2021.


Microsoft Entra Private Access, part of Microsoft’s Security Service Edge (SSE) solution, securely connects users to any private resource and application while reducing the operational complexity and risk of legacy VPNs. It improves your organization’s security posture by eliminating excessive access and preventing lateral movement. As traditional VPN enterprise protections continue to wane, Private Access lets users connect securely and easily to private applications from any device and any network, whether they are working at home, remotely, or in the corporate office.


Enable secure access to private apps that use Domain Controller for authentication 


With Private Access (Preview), you can now implement granular app segmentation and enforce multifactor authentication (MFA) for on-premises users on any on-premises resource that authenticates to a domain controller (DC), across all devices and protocols, without granting full network access. You can also protect your DCs from identity threats and prevent unauthorized access by enabling privileged access to the DCs, enforcing MFA and Privileged Identity Management (PIM) for anyone who reaches them.


To enhance your security posture and minimize the attack surface, it’s crucial to apply robust Conditional Access controls, such as MFA, across all private resources and applications, including legacy or proprietary applications that do not support modern authentication. By doing so, you safeguard your DCs, the heart of your network infrastructure.


A closer look at the mechanics of Private Access for the on-prem user scenario


Here’s how Private Access secures access to on-premises resources and applications, and gives employees a seamless way to reach those resources when they are accessing them locally, while still protecting the company’s critical services. Imagine an employee working on-premises at their company’s headquarters. They need to access the company’s DCs to retrieve important information for a project or to make changes. When they try to reach the DC directly, however, access is blocked, because the company has enabled privileged access, which restricts direct access to the DC for security reasons.


Instead of reaching the DC directly, the employee’s traffic is intercepted by the Global Secure Access client and routed to Microsoft Entra ID and the Private Access cloud service for authentication. This ensures that only authorized users can access the DC and its resources.


When the employee attempts to access the private resources they need, they are prompted to authenticate with MFA. This additional layer ensures that only legitimate users can gain entry to the DC. Private Access extends MFA to all on-premises resources, including those that lack built-in MFA support, so even legacy applications benefit from it. The company has also enabled granular app segmentation, which limits access to specific applications or resources within the on-premises environment. The employee can therefore interact only with the services they are authorized to use, which protects critical services.


Despite these added security measures, the employee’s user experience remains seamless. Only authentication traffic leaves the corporate network; application traffic stays local within the corporate network. This minimizes latency and ensures that the employee can reach the information they need quickly and efficiently.

Read the full post here: Microsoft Entra Private Access for on-prem users
