A look into Entra Private Access & Secure Service Edge

Introduction
In today's digital security and access management landscape we can look at Entra Private Access, a product enabled by Microsoft's Secure Service Edge (SSE) solution.
These technologies ensure not only the secure access of applications and data but also ensure we can monitor and supervise access. In this post we will explore these technologies a bit further, looking into their roles and functionalities.
ELI5: Secure Service Edge (SSE)
Imagine you're using a security system that's not just stuck in one place – it's everywhere you need it to be. That's what Secure Service Edge does. It's like having a security guard who can be anywhere at any time. SSE uses what we call 'edge services,' which means it operates closer to where you actually use your data, making everything faster and more secure. Sort of like how a Content Delivery Network (CDN) can deliver media to your client faster when you visit a website: it makes sure you get sent to the closest point-of-presence (POP) server.
You know how you need a key to get into your house? SSE works similarly but it checks if you have the right key no matter where you are.
Global Secure Access Client (GSA)
Think of the Global Secure Access (GSA) client like a super-smart app on your phone or computer. Once you install it, it quietly works in the background. Every time you try to access some company published resource, it's like GSA raises its hand and says, "Hey, I need to make sure you're allowed to see this." It's a bit like showing your ID before you enter a secure building. Well, that is not entirely technically the truth, Conditional Access (CA) does that - GSA just lets you know where to go.
You can make sure everything passes through this security service, which is CA. This is like a checkpoint that examines your ID (in this case, digital tokens) to confirm it's really you. And the best thing? This check happens no matter where you are, in the office or at a local coffee shop. This is a big part of shifting away from the network perimeter to a more identity-focused perimeter instead.
Integrating On-premise Systems
On-premise systems & servers are likely still a big part of your IT infrastructure – they reside within your company's physical premises and within a network that you control. Integrating these with Microsoft Entra involves deploying connectors which act as bridges between your local domain and your Entra ID environment. These connectors are installed on your servers enabling a smooth handshake between your on-site systems and Entra's cloud services.
These connectors are similar to application proxy agents in their aim to connect your environment and publish certain services. By establishing outbound connections to the Entra Edge they create a secure pathway. This means that your on-premise systems can communicate effectively with cloud-based services without the need to open any sort of communication inbound from any services residing on the internet. You just need to ensure your server which hosts the connector-agent can speak outbound on port 443 towards certain Microsoft URLs, see this
Entra Private Access is versatile. It’s designed to work seamlessly with a wide range of protocols, including TCP and/or UDP. This means whether you're dealing with printers, client computers, or SMTP servers, Entra Private Access has got you covered. It is no longer restricted to the web applications that the Entra app proxy agent helped you publish. You can, for instance, publish a remote desktop application to your management server and have that protected by MFA on the way in.
Within Entra Private Access, you can define specific settings for each application. This includes deciding which users can access a particular application and specifying the allowed communication protocols, such as TCP and/or UDP. It's like setting specific rules for who can enter certain rooms in a building and through which doors.
DNS Configuration and Resolution
How DNS is handled with Entra Private Access is very cool. The process starts with the Global Secure Access client appending a unique identifier, <GUID>.globalsecureaccess.local, to your DNS query. The GUID in this case is the application ID from Entra. This creates a fully qualified domain name (FQDN) that allows for precise identification and routing within the network.
On the client side, when a DNS query is initiated, it follows a specific policy table (NRPT - Name Resolution Policy Table). This policy adds the unique suffix to the DNS queries.
The Edge Service’s Role in DNS Resolution
Within the Edge Service there's a dedicated DNS system. This service handles DNS resolution requests and has a cache for storing frequently accessed domain names. When a query comes in and the information isn't in the cache, the service requests it from the on-premise DNS via the connector. Once the cache is updated with this information, subsequent queries for the same resource can be resolved directly in the edge service, reducing the load on the on-premise infrastructure as it does not need to serve as many DNS requests. You can configure which local DNS zones you want to integrate with in the Entra Private Access admin portal.
A unique aspect of the Private Access configuration is how the edge service handles the long GUID and local domain names. Your local domain may be localdomain.com, which of course is not routable on the internet. As the client appends the suffix to your DNS request, it may look like it is headed towards myserver.<guid>.globalsecureaccess.local, which also does not make any sense as you do not have this domain in your local Active Directory DNS. So how does it know where to go?
The DNS service in the Edge strips off the <GUID.glo.... part before forwarding the query to the on-premise system. This ensures that the on-premise DNS, which isn’t aware of these extended names, can resolve the queries.
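As an added illustration that is not part of the original post or of Microsoft's code, the following Python models the flow described in this section: the client-side NRPT suffix, the edge stripping that suffix before forwarding, and the edge cache reducing what reaches the on-premise DNS. The zone, application ID and address record are constructed values.

```python
"""Model of the Entra Private Access DNS flow (constructed example, not
Microsoft code): client appends <appGUID>.globalsecureaccess.local to names
in a published zone; the edge strips it, checks a cache, forwards misses."""
from __future__ import annotations

GSA_SUFFIX = "globalsecureaccess.local"

# Constructed NRPT-style table: published local zone -> Entra application ID.
NRPT = {"localdomain.com": "11111111-2222-3333-4444-555555555555"}

# Constructed stand-in for the on-premise AD DNS reached via the connector.
ONPREM_DNS = {"myserver.localdomain.com": "10.0.0.25"}


def client_qualify(name: str, nrpt: dict = NRPT) -> str:
    """Append the app-specific suffix when the name falls in a published zone."""
    host = name.rstrip(".").lower()
    for zone, app_id in nrpt.items():
        if host == zone or host.endswith("." + zone):
            return f"{host}.{app_id}.{GSA_SUFFIX}"
    return host  # not published: the query goes to the normal resolver as-is


def edge_strip(fqdn: str) -> tuple[str, str]:
    """Split '<host>.<appGUID>.globalsecureaccess.local' into (app_id, host)."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[-2:] != GSA_SUFFIX.split(".") or len(labels) < 4:
        raise ValueError(f"not a Global Secure Access name: {fqdn}")
    return labels[-3], ".".join(labels[:-3])


class EdgeDns:
    """Edge DNS service with a cache in front of the on-premise resolver."""

    def __init__(self, onprem: dict = ONPREM_DNS):
        self.onprem = onprem
        self.cache: dict[str, str] = {}
        self.forwarded = 0  # queries that had to cross the connector

    def resolve(self, fqdn: str) -> str:
        app_id, host = edge_strip(fqdn)
        key = f"{app_id}/{host}"  # cache per application, not just per host
        if key not in self.cache:
            self.forwarded += 1
            # The on-premise DNS only ever sees the original, un-suffixed name.
            self.cache[key] = self.onprem[host]
        return self.cache[key]
```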
Protection with Conditional Access
A major USP for Private Access in my opinion is Conditional Access. This is the service that protects your network & applications, ensuring only authorized users gain access. CA doesn’t just look at who is trying to access a resource; it also considers how, where, and under what conditions they're trying to access it. This includes assessing user risk and sign-in risk.
- Sign-in Risk Assessment: Every sign-in attempt is reviewed to make sure it is not from an unusual location or an unsecured device.
- Multifactor Authentication: You can enforce MFA, which is a core feature of CA in my opinion.
Conclusion
We have looked into how Entra Private Access integrates on-premise systems with cloud services, providing a bridge that helps you enforce security standards with the help of agents and connectors. Private Access is exciting as it can handle various protocols and devices; coupled with its DNS resolution mechanism, might it become a replacement for traditional VPN solutions in the future?
Aligning with the principles of Zero Trust, this service focuses more on the identity of the user than on the traditional perimeter of a corporate network.
I think embracing these technologies means we can improve an organization's security posture and also ensure a flexible, user-friendly experience for accessing critical resources.
Will you be testing it out?