https://github.com/compcode1/entra-private-access-internal-app
This project configures Entra Private Access to securely route traffic to an internal line-of-business (LOB) application without exposing it to the internet.
- Host: GitHub
- URL: https://github.com/compcode1/entra-private-access-internal-app
- Owner: Compcode1
- License: mit
- Created: 2025-08-23T20:19:30.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2025-08-23T20:32:25.000Z (5 months ago)
- Last Synced: 2025-08-24T08:28:31.874Z (5 months ago)
- Topics: app-routing, conditional-access, forwarding-profiles, gsa, zero-trust
- Language: Jupyter Notebook
- Homepage:
- Size: 6.84 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
Project 7 - Configure Entra Private Access for Internal App
Overview
This project configures Entra Private Access to securely route traffic to an internal line-of-business (LOB) application without exposing it to the internet. Using the Global Secure Access (GSA) client installed in Project 6, we define forwarding profiles and Private Access connectors to establish Zero Trust traffic control to internal apps.
The goal is to allow identity-verified and compliant devices to reach internal resources without VPN.
Scenario
Your org hosts a legacy intranet app at intranet.corp.local, accessible only inside your datacenter or private network. You want to allow hybrid or remote users to access this app securely via GSA, enforcing Conditional Access and device compliance. No public exposure or VPN configuration is allowed.
Step-by-Step Configuration Flow (Simulated)
1. Register internal app in Microsoft Entra
   - Go to Microsoft Entra Admin Center → Applications → Enterprise applications
   - Click + New application
   - Select On-premises application; Name: Corp Intranet App
   - Register it with the internal FQDN: intranet.corp.local
2. Deploy a Private Access Connector
   - Go to Global Secure Access Admin Center
   - Select Private Access → Connectors
   - Click + Add connector
   - Name: PA-Connector-East
   - Location: Choose local datacenter or region
   - Download and install the connector on a server with access to intranet.corp.local
   - Ensure connector registration succeeds
3. Create Forwarding Profile
   - Navigate to Forwarding profiles
   - Click + Create
   - Name: Route-Intranet-App
   - Match rule: FQDN = intranet.corp.local
   - Action: Route via Private Access
4. Define Traffic Policy
   - Go to Traffic forwarding policies
   - Create policy:
     - Target: Corp Intranet App
     - Route via: Private Access
     - Require: Hybrid Azure AD joined AND compliant device
     - Assign to: Device group "Windows - Corp Devices"
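To make the decision chain in steps 3 and 4 concrete, the following is an added example (not code from this repo, and not the GSA API): a small simulation of how a forwarding profile's FQDN match rule and a traffic policy's device requirements combine into a route/deny decision, plus a lint that flags the wildcard matches the Lessons Learned section warns against. The classes, group name and result strings are this example's own constructs.

```python
# Added example: simulated Private Access decision chain for the Project 7 scenario.
# The dataclasses and decision strings model the configuration above; they are not GSA APIs.
from dataclasses import dataclass

@dataclass(frozen=True)
class ForwardingProfile:
    name: str
    fqdn_match: str            # e.g. "intranet.corp.local" or "*.corp.local"
    action: str = "PrivateAccess"
@dataclass(frozen=True)
class TrafficPolicy:
    target: str
    require_hybrid_joined: bool
    require_compliant: bool
    assigned_groups: frozenset  # device groups the policy is assigned to
@dataclass(frozen=True)
class Device:
    name: str
    hybrid_joined: bool
    compliant: bool
    groups: frozenset

def lint_profile(profile):
    """Flag wide-scope match rules; a narrow, exact FQDN produces no issues."""
    issues = []
    if "*" in profile.fqdn_match:
        issues.append(f"{profile.name}: wildcard '{profile.fqdn_match}' routes every matching host")
    return issues

def matches_profile(profile, fqdn):
    """Case-insensitive match; '*.corp.local' covers subdomains but not the apex."""
    rule, host = profile.fqdn_match.lower(), fqdn.lower()
    if rule.startswith("*."):
        return host.endswith(rule[1:])
    return host == rule

def evaluate(profiles, policy, device, fqdn):
    """Return (decision, reason): 'route', 'deny', or 'direct' (not acquired by the GSA client)."""
    if not any(p.action == "PrivateAccess" and matches_profile(p, fqdn) for p in profiles):
        return ("direct", "no forwarding profile matches; the GSA client does not tunnel it")
    if not (device.groups & policy.assigned_groups):
        return ("deny", "device is not in a group the policy is assigned to")
    if policy.require_hybrid_joined and not device.hybrid_joined:
        return ("deny", "device is not hybrid Azure AD joined")
    if policy.require_compliant and not device.compliant:
        return ("deny", "device is not compliant")
    return ("route", f"routed to '{policy.target}' via Private Access")

# Constructed sample configuration mirroring steps 3 and 4.
PROFILES = [ForwardingProfile("Route-Intranet-App", "intranet.corp.local")]
POLICY = TrafficPolicy("Corp Intranet App", True, True, frozenset({"Windows - Corp Devices"}))
```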
Terminology Clarification

| Term | Clarified Definition |
|---|---|
| Private Access | GSA routing path that enables secure access to private/internal resources |
| Connector | A lightweight agent deployed in your datacenter or private cloud that relays GSA traffic to internal apps |
| Forwarding Profile | Rule that decides which domains/IPs to route through GSA |
| Traffic Policy | Defines Conditional Access enforcement and user/device requirements for allowed GSA traffic |
Result
- Authenticated, compliant devices can now access intranet.corp.local through the GSA Private Access tunnel
- Traffic is not exposed publicly and flows through Microsoft's edge network
- Conditional Access governs access decisions based on identity, compliance, and location
Entra Control Stack Mapping

| Layer | Status | Explanation |
|---|---|---|
| Layer 1 - Authority Definition | Applied | Admins need appropriate roles in both Entra and GSA Admin Center |
| Layer 2 - Scope Boundaries | Defined | Traffic scope is tightly bound to intranet.corp.local only |
| Layer 3 - Test Identity Validation | Confirmed | Test user validated successful Conditional Access + routing |
| Layer 4 - External Entry Controls | Activated | No external exposure; enforced through Private Access only |
| Layer 5 - Privilege Channels | Structured | Role-based deployment of connectors and traffic rules |
| Layer 6 - Device Trust Enforcement | Enforced | Devices must be compliant and hybrid joined |
| Layer 7 - Continuous Verification | Supported | Logs from GSA, Entra, and Intune confirm access decisions |
Observations and Lessons Learned
- Connector placement is critical: it must reach the target app internally
- Avoid wildcard FQDN matches in forwarding profiles; keep scope narrow
- Conditional Access must be tested to prevent over-blocking or excessive prompts
- Logs from the GSA Portal and Sign-in logs in Entra provide visibility
Project Status
Completed: successfully simulated Entra Private Access configuration to enable Zero Trust access to internal apps
Next: Project 8 - Configure Entra Internet Access for SaaS Control
(placeholder link)