{"id":31079735,
"url":"https://github.com/compcode1/entra-private-access-internal-app",
"last_synced_at":"2025-09-16T10:59:20.070Z",
"repository":{"id":311337682,"uuid":"1043421599","full_name":"Compcode1/entra-private-access-internal-app","owner":"Compcode1",
"description":"This project configures Entra Private Access to securely route traffic to an internal line-of-business (LOB) application without exposing it to the internet. ",
"archived":false,"fork":false,"pushed_at":"2025-08-23T20:32:25.000Z","size":7,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-24T08:28:31.874Z","etag":null,
"topics":["app-routing","conditional-access","forwarding-profiles","gsa","zero-trust"],
"latest_commit_sha":null,"homepage":"","language":"Jupyter Notebook","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Compcode1.png",
"metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},
"created_at":"2025-08-23T20:19:30.000Z","updated_at":"2025-08-23T20:35:09.000Z","dependencies_parsed_at":"2025-08-24T09:02:59.491Z","dependency_job_id":"b584acc9-dfbf-4ab4-9a4e-f211a0e300ac",
"html_url":"https://github.com/Compcode1/entra-private-access-internal-app","commit_stats":null,"previous_names":["compcode1/entra-private-access-internal-app"],"tags_count":null,"template":false,"template_full_name":null,
"purl":"pkg:github/Compcode1/entra-private-access-internal-app",
"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fentra-private-access-internal-app",
"tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fentra-private-access-internal-app/tags",
"releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fentra-private-access-internal-app/releases",
"manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fentra-private-access-internal-app/manifests",
"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Compcode1",
"download_url":"https://codeload.github.com/Compcode1/entra-private-access-internal-app/tar.gz/refs/heads/main",
"sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fentra-private-access-internal-app/sbom",
"scorecard":null,
"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275407720,"owners_count":25459379,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-16T02:00:10.229Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},
"keywords":["app-routing","conditional-access","forwarding-profiles","gsa","zero-trust"],
"created_at":"2025-09-16T10:59:17.717Z","updated_at":"2025-09-16T10:59:20.054Z",
"avatar_url":"https://github.com/Compcode1.png","language":"Jupyter Notebook",
"readme":"✅ Project 7 – Configure Entra Private Access for Internal App\n📘 Overview\n\nThis project configures Entra Private Access to securely route traffic to an internal line-of-business (LOB) application without exposing it to the internet. Using the Global Secure Access (GSA) client installed in Project 6, we define forwarding profiles and Private Access connectors to establish Zero Trust traffic control to internal apps.\n\nThe goal is to allow identity-verified and compliant devices to reach internal resources without VPN.\n\n🔧 Scenario\n\nYour org hosts a legacy intranet app at intranet.corp.local, accessible only inside your datacenter or private network. You want to allow hybrid or remote users to access this app securely via GSA, enforcing Conditional Access and device compliance. No public exposure or VPN configuration is allowed.\n\n🚦 Step-by-Step Configuration Flow (Simulated)\n1. Register internal app in Microsoft Entra\n\nGo to Microsoft Entra Admin Center → Applications → Enterprise applications\n\nClick + New application\n\nSelect On-premises application → Name: Corp Intranet App\n\nRegister it with the internal FQDN: intranet.corp.local\n\n2. Deploy a Private Access Connector\n\nGo to Global Secure Access Admin Center\n\nSelect Private Access → Connectors\n\nClick + Add connector\n\nName: PA-Connector-East\n\nLocation: Choose local datacenter or region\n\nDownload and install the connector on a server with access to intranet.corp.local\n\nEnsure connector registration succeeds\n\n3. Create Forwarding Profile\n\nNavigate to Forwarding profiles\n\nClick + Create\n\nName: Route-Intranet-App\n\nMatch rule: FQDN = intranet.corp.local\n\nAction: Route via Private Access\n\n4. Define Traffic Policy\n\nGo to Traffic forwarding policies\n\nCreate policy:\n\nTarget: Corp Intranet App\n\nRoute via: Private Access\n\nRequire: Hybrid Azure AD joined AND compliant device\n\nAssign to: Device group Windows – Corp Devices\n\n📘 Terminology Clarification\nTerm\tClarified Definition\nPrivate Access\tGSA routing path that enables secure access to private/internal resources\nConnector\tA lightweight agent deployed in your datacenter or private cloud that relays GSA traffic to internal apps\nForwarding Profile\tRule that decides which domains/IPs to route through GSA\nTraffic Policy\tDefines Conditional Access enforcement and user/device requirements for allowed GSA traffic\n✅ Result\n\nAuthenticated, compliant devices can now access intranet.corp.local through the GSA Private Access tunnel\n\nTraffic is not exposed publicly and flows through Microsoft’s edge network\n\nConditional Access governs access decisions based on identity, compliance, and location\n\n🧭 Entra Control Stack Mapping\nLayer\tStatus\tExplanation\nLayer 1 – Authority Definition\t✅ Applied\tAdmins need appropriate roles in both Entra and GSA Admin Center\nLayer 2 – Scope Boundaries\t✅ Defined\tTraffic scope is tightly bound to intranet.corp.local only\nLayer 3 – Test Identity Validation\t✅ Confirmed\tTest user validated successful Conditional Access + routing\nLayer 4 – External Entry Controls\t✅ Activated\tNo external exposure — enforced through Private Access only\nLayer 5 – Privilege Channels\t✅ Structured\tRole-based deployment of connectors and traffic rules\nLayer 6 – Device Trust Enforcement\t✅ Enforced\tDevices must be compliant and hybrid joined\nLayer 7 – Continuous Verification\t✅ Supported\tLogs from GSA, Entra, and Intune confirm access decisions\n📝 Observations and Lessons Learned\n\nConnector placement is critical — it must reach the target app internally\n\nAvoid wildcard FQDN matches in forwarding profiles; keep scope narrow\n\nConditional Access must be tested to prevent over-blocking or excessive prompts\n\nLogs from the GSA Portal and Sign-in logs in Entra provide visibility\n\n📌 Project Status\n\n✅ Completed — successfully simulated Entra Private Access configuration to enable Zero Trust access to internal apps\n\n🔜 Next: Project 8 – Configure Entra Internet Access for SaaS Control\n (placeholder link)\n",
"funding_links":[],"categories":[],"sub_categories":[],
"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompcode1%2Fentra-private-access-internal-app",
"html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcompcode1%2Fentra-private-access-internal-app",
"lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompcode1%2Fentra-private-access-internal-app/lists"}