How to Configure Entra Identity Governance Features with Private Access for Jump Hosts – EMS Route - The Legend of Hanuman



TL;DR: Jump hosts are the machines we log in to first, and from there we log in to the servers and other applications we need, mainly to perform admin tasks. Jump hosts are usually secured at the network layer and through Windows permissions, both of which only come into play once the admin has already logged in.

But what can be done before the admin logs in to the server? This is where the identity layer comes in. What if there were a pre-login layer that complies with Zero Trust? Yes, I'm talking about ZTNA: Zero Trust Network Access.

This article walks through the steps to achieve that with Entra Private Access, part of the Entra Global Secure Access feature set.

  1. Goal of the Blog Post
  2. Gone are the Traditional VPN days
  3. Other Alternatives + Risks + Failure Points
  4. Licenses
  5. Creating Entra Group for PIM
  6. Create the MFA with a Different Authentication Method in the Conditional Access Policy for PIM Elevation
    1. Create the Authentication Context
    2. Configure the Conditional Access Policy
  7. Enable Entra Private Access Traffic Forwarding Profile
  8. Configure the Private Network Connector
  9. Create the RDP Private App
  10. Create the MFA with Strong Auth for Private App Access
  11. Download and Install the GSA Client
  12. End User Experience
  13. MFA Features that can be configured
  14. Monitoring
  15. Some Tips
  16. Wrapping Up

Goal of the Blog Post

The main goal of this post is to show that Entra Identity Governance features such as PIM, just-in-time access and Conditional Access policies with different authentication methods can be set up in front of jump host access, that an approver can be added if needed, and that a reason must be supplied when elevating.

Gone are the Traditional VPN days

This becomes a problem when you need to provide access to someone who is working remotely. A traditional VPN grants access to the designated network segment, not to the individual resource, and that lack of adaptive access is tempting to a bad actor.

With Entra Private Access, if you use the per-app feature, you can segment the app by IP address or FQDN. Single-label (short) names are coming as well, so it doesn't have to be an FQDN all the time.

Other Alternatives + Risks + Failure Points

In today's market there are many other products that do the same, often with a hefty licensing price tag and heaps of configuration. Because the identity provider will be Entra ID or local AD, the proper connections need to be made, and that is another failure point whose risk needs to be evaluated. It is ideal to explore what you already have and what your existing M365 investment provides.

Returning to the question, let’s see how to configure this.

Licenses

It is good when you can build these configurations with the licenses you already have. Rather than planning to implement a different solution altogether, it is ideal to keep them in the same ecosystem.

  • Entra ID Premium P1 or P2 for Entra Private Access, P2 for Identity Governance
  • Entra Suite

Creating Entra Group for PIM

Create the Entra group for PIM, then go to Privileged Identity Management.

Onboard the group to PIM: Enable PIM for this group.

Add assignments for the users who require access to the jump host, with the role Member: Eligible assignments > Add assignments.

Then set the eligibility duration.

Create the MFA with a Different Authentication Method in the Conditional Access Policy for PIM Elevation

This Conditional Access policy ensures that the PIM elevation created above is guarded by MFA: not just ordinary number matching, but a different method used as an authentication strength, so that it acts as an additional layer.

For this, I'm using the FIDO2 passkey option.

Go to Protection > Authentication methods > Policies > Passkey (FIDO2) > add the previously created group.

Configure the FIDO2 key.

Now you have the option of using the passkey, or a new authentication strength, in the CA policy if needed.

Create the Authentication Context

To tie the PIM elevation to the desired Conditional Access policy, rather than just the standard Entra MFA, create an authentication context. The context is what the group's PIM activation setting requires and what the CA policy targets.

Go to Protection > Conditional Access > Authentication contexts > New authentication context

Configure the Conditional Access Policy

We are using the same PIM-enabled group created earlier.

You can add more conditions if needed; I will cover them in general before closing the post.

Under Target resources, select Authentication context and pick the context created in the previous step.

In the Grant section, select Require authentication strength and choose Passkeys (FIDO2).

Set the policy mode to On and create the policy; it is then active.
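The same PIM elevation setup expressed as Microsoft Graph request bodies, added here as an example and not code from the post: the eligible member assignment, the authentication context, the PIM activation rule that demands that context, and the Conditional Access policy that grants the context only with an authentication strength. All object IDs are placeholders; the built-in "Phishing-resistant MFA" strength stands in for the FIDO2-only strength used in the post; and the `send(method, url, body)` callable is an assumption standing in for an authenticated HTTP client.

```python
"""Graph request bodies for the PIM-elevation part of this design.
Added example (not code from the post). All identifiers are placeholders."""
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"

# Placeholders (assumptions): replace with your tenant's values.
JUMP_HOST_GROUP_ID = "00000000-aaaa-bbbb-cccc-000000000001"   # PIM-enabled group
AUTH_CONTEXT_ID = "c1"                                         # contexts are c1..c99
# Built-in "Phishing-resistant MFA" strength. A custom FIDO2-only strength, as
# used in the post, has its own id under Authentication methods > Strengths.
AUTH_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"


def eligibility_request(principal_id, group_id=JUMP_HOST_GROUP_ID,
                        eligible_for="P90D", start=None):
    """'Add assignments' step: the user becomes *eligible* (not active) as a
    member for an ISO 8601 duration; activation still happens per session."""
    start = start or datetime.now(timezone.utc)
    return {
        "accessId": "member",
        "principalId": principal_id,
        "groupId": group_id,
        "action": "adminAssign",
        "justification": "Jump host administrators",
        "scheduleInfo": {
            "startDateTime": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "expiration": {"type": "afterDuration", "duration": eligible_for},
        },
    }


def authentication_context():
    """Authentication context the CA policy targets and PIM activation demands."""
    return {"displayName": "Jump host PIM elevation",
            "description": "Required to activate the jump-host group",
            "isAvailable": True}


def activation_rule(context_id=AUTH_CONTEXT_ID):
    """Role-setting rule 'On activation, require authentication context'.
    PATCHed onto the group's role management policy (id looked up per group)."""
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
        "id": "AuthenticationContext_EndUser_Assignment",
        "isEnabled": True,
        "claimValue": context_id,
        "target": {"caller": "EndUser", "operations": ["all"], "level": "Assignment",
                   "inheritableSettings": [], "enforcedSettings": []},
    }


def elevation_policy(group_id=JUMP_HOST_GROUP_ID, context_id=AUTH_CONTEXT_ID,
                     strength_id=AUTH_STRENGTH_ID, enforce=True):
    """CA policy from the post: group members, target = authentication context,
    grant = require authentication strength (no plain 'mfa' built-in control)."""
    return {
        "displayName": "CA - Jump host PIM elevation needs passkey",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeGroups": [group_id]},
            "applications": {"includeAuthenticationContextClassReferences": [context_id]},
        },
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": strength_id}},
    }


def deploy(send, principal_ids, role_policy_id):
    """Send everything in dependency order. `send(method, url, body)` is supplied
    by the caller (an authenticated HTTP wrapper); it is an assumption here."""
    calls = [
        ("PUT", f"{GRAPH}/identity/conditionalAccess/authenticationContextClassReferences/{AUTH_CONTEXT_ID}",
         authentication_context()),
        ("PATCH", f"{GRAPH}/policies/roleManagementPolicies/{role_policy_id}/rules/AuthenticationContext_EndUser_Assignment",
         activation_rule()),
        ("POST", f"{GRAPH}/identity/conditionalAccess/policies", elevation_policy()),
    ]
    calls += [("POST", f"{GRAPH}/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests",
               eligibility_request(pid)) for pid in principal_ids]
    return [send(method, url, body) for method, url, body in calls]


if __name__ == "__main__":
    # Dry run: print what would be sent instead of calling Graph.
    import json

    def show(method, url, body):
        print(method, url)
        print(json.dumps(body, indent=2))
        return body

    deploy(show, ["<user-object-id>"], "<role-management-policy-id>")
```

The role management policy id for the group comes from `/policies/roleManagementPolicies` filtered on `scopeId eq '<group id>' and scopeType eq 'Group'`; run the script once in report-only mode (`enforce=False`) and check the sign-in logs before switching the policy to enabled.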

Enable Entra Private Access Traffic Forwarding Profile

This is the first step towards enabling Entra Private Access. The eligible users or user groups must be assigned to the profile for the traffic profile to be enabled and the Global Secure Access client to activate.

Global Secure Access > Traffic forwarding > Private access profile

Tip: assigning the profile to All users removes confusion and saves troubleshooting time.

Configure the Private Network Connector

These lightweight connectors establish a secure communication channel between your on-premises network and Azure. It is recommended to create at least two connectors for high availability. Microsoft Entra private network connectors also provide single sign-on (SSO) and secure remote access for web applications hosted on-premises.

Global Secure Access > Connect > Connectors > Download connector service

Once installed, the connector will be visible under Private Network connectors.

If you have more than one connector, create a connector group for high availability, as they will be in the same region.

Create the RDP Private App

You can always add network segments in Quick Access, but for more granular access we need to create a private app.

Global Secure Access > Applications > Enterprise applications > New application

Select the connector group created earlier and select the option Enable access with Global Secure Access client.

Now add the application segments. I will be adding an IP address, a single-label name and an FQDN, all for the same jump host server.

You can add more protocols if needed.

Once added, press Save and the private app will be created.

If you now go to the Enterprise applications section, the app will be visible. Note the application type: Global Secure Access applications.

If you need to add more segments later, open the app and go to Network access properties.

Important: make sure you add the same group you created before in the Users and groups section of the app.

Create the MFA with Strong Auth for Private App Access

It is essential to configure a Conditional Access policy for access to the private app, as that is what provides the true ZTNA layer.

As with the previous Conditional Access policy, this one is assigned to the same user group we created for PIM.

Select the app we created under Target resources.

Under Grant, select MFA, an authentication strength, or other restrictions as needed.

Under Session, I'm selecting Every time under Sign-in frequency to make sure each connection has to satisfy MFA.

And that's it. Set the policy to On and create it.
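A way to check that the private app policy really enforces what this section describes, added as an example and not code from the post: the function audits exported Conditional Access policies (in Microsoft Graph's `conditionalAccessPolicy` shape) for the jump host app and flags a policy that is report-only, leaves the PIM group out of scope, grants via plain MFA instead of an authentication strength, or lacks the every-time sign-in frequency. The two sample policies and all IDs are constructed placeholders.

```python
"""Audit Conditional Access policies for the jump-host private app.
Added example; sample policies are constructed, not exports from the post."""

JUMP_HOST_APP_ID = "11111111-2222-3333-4444-555555555555"    # placeholder: appId of the GSA app
JUMP_HOST_GROUP_ID = "00000000-aaaa-bbbb-cccc-000000000001"  # placeholder: PIM-enabled group

SAMPLE_POLICIES = [
    {   # what the post builds: authentication strength + every-time sign-in frequency
        "displayName": "CA - Jump host private app",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [JUMP_HOST_GROUP_ID], "excludeGroups": []},
            "applications": {"includeApplications": [JUMP_HOST_APP_ID]},
        },
        "grantControls": {"operator": "AND",
                          "authenticationStrength": {"id": "00000000-0000-0000-0000-000000000004"},
                          "builtInControls": ["compliantDevice"]},
        "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime",
                                                 "authenticationType": "primaryAndSecondaryAuthentication"}},
    },
    {   # a weaker draft someone might ship instead
        "displayName": "CA - Jump host (draft)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [JUMP_HOST_GROUP_ID]},
            "applications": {"includeApplications": [JUMP_HOST_APP_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": None,
    },
]


def covers_app(policy, app_id):
    """True if the policy's target resources include the app (explicitly or via 'All')."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = apps.get("includeApplications") or []
    return (app_id in included or "All" in included) and app_id not in (apps.get("excludeApplications") or [])


def covers_group(policy, group_id):
    """True if the PIM group is in scope: included (or 'All users') and not excluded."""
    users = (policy.get("conditions") or {}).get("users") or {}
    included = group_id in (users.get("includeGroups") or []) or "All" in (users.get("includeUsers") or [])
    return included and group_id not in (users.get("excludeGroups") or [])


def audit_policy(policy, group_id=JUMP_HOST_GROUP_ID):
    """Findings for one policy against the design in this post (empty list = compliant)."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"policy is not enforced (state={policy.get('state')})")
    if not covers_group(policy, group_id):
        findings.append("PIM group is not in scope (missing or excluded)")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if not grant.get("authenticationStrength"):
        findings.append("grant uses plain MFA, not an authentication strength"
                        if "mfa" in controls else "grant does not require MFA at all")
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not (sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime"):
        findings.append("sign-in frequency is not 'every time'")
    if not {"compliantDevice", "domainJoinedDevice"} & set(controls):
        findings.append("info: no device trust control (compliant or hybrid-joined device)")
    return findings


def audit_jump_host_access(policies, app_id=JUMP_HOST_APP_ID, group_id=JUMP_HOST_GROUP_ID):
    """Map policy name -> findings for every policy that covers the app, plus a
    top-level finding if no enforced policy covers the app at all."""
    relevant = [p for p in policies if covers_app(p, app_id)]
    report = {p["displayName"]: audit_policy(p, group_id) for p in relevant}
    if not any(p.get("state") == "enabled" for p in relevant):
        report["<app>"] = ["no enabled policy covers the private app"]
    return report


if __name__ == "__main__":
    for name, findings in audit_jump_host_access(SAMPLE_POLICIES).items():
        print(name, "->", findings or "OK")
```

In practice the input is the list returned by `GET /identity/conditionalAccess/policies`; the "info" finding corresponds to the device filter and compliance conditions mentioned later in the post.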

Download and Install the GSA Client

The GSA client needs to be installed on the user's device in order to access the tunneled private apps. It will be part of the latest Windows 11 builds, so a separate install will not be required in future. Basically, this client applies the traffic forwarding profile and application segments on the user endpoint.

Global Secure Access > Connect > Client download

Download the appropriate client. You can use Microsoft Intune to install it on the endpoints.

If you open the client on the device and go to Advanced diagnostics > Forwarding profile > Private access rules, you will see the network rules it has received.

This is refreshed frequently, so the client device always receives the latest configuration.

Note the destinations with the action Bypass. They are required to reach the GSA endpoints so that tunneling to the given private apps works.

End User Experience

In a nutshell, the following flow applies when the user needs to log in to the private app.

Adding the user to the PIM-enabled group

Without PIM elevation the user is not a member of the required group and will be shown a blocked sign-in screen.

Once they submit the reason and go through the elevation process, the user is added to the group.

Now when the user tries to log in to the jump host, they receive a sign-in prompt.

The user signs in and the second Conditional Access policy comes into play. As we configured the FIDO2 passkey for this too, the passkey prompt has to be completed before access is allowed.

The user is then presented with the standard RDP login prompt.

Users can access the jump host during the time window configured in the PIM group and must re-elevate when the initial access expires.

MFA Features that can be configured

Device filters, such as granting access only to devices that are Entra joined or Entra hybrid joined, can further narrow access, and bringing device compliance policies into the Conditional Access policy ensures the connecting endpoint is fully trusted.

Monitoring

If you head to the Monitoring tab in GSA, you will find a rich list of logs and workbooks that help with Private Access monitoring and troubleshooting.

Some Tips

  • If the users or groups are not assigned to the traffic forwarding profile, the GSA client will not connect and will show a connection error.
  • It is wise to set up a different, phishing-resistant authentication method for authenticating to the app, as jump hosts can be critical depending on the services they have access to.

Wrapping Up

As I mentioned at the start, it is always wise to find out what your existing investment (the M365 license in this case) can do for you before exploring the market for third-party products which, at the end of the day, do the same thing with extra licensing cost, admin overhead and configuration requirements.

