In 2023 Microsoft announced Global Secure Access, its Security Service Edge (SSE) offering. This is the umbrella term for Microsoft Entra Internet Access and Microsoft Entra Private Access. Internet Access covers Microsoft 365, cloud and SaaS services; Private Access provides secure connections to resources in your own private infrastructure. Where you would normally use a VPN for this, you can now use Microsoft Entra Private Access.
Note: Keep in mind that this product is currently in preview! Use it at your own risk when implementing in production environments!
Today’s blog will show you how to implement Microsoft Entra Private Access for your AVDs (Azure Virtual Desktops). We’re using a Modern Workplace device (Entra ID joined, Intune managed) to connect to the AVD environment via its internal IP address. There are no VPN connections to the Azure infrastructure available; everything is done via Microsoft Entra Private Access. We assume your AVD environment is already up and running. Setting up AVD is not demonstrated here!
Requirements
Using Global Secure Access (Preview) requires an Entra ID P1 license for every user who benefits from the service. This license requirement could change during the development process.
To implement Global Secure Access, you need at least the Global Secure Access Administrator role.
Get started with Global Secure Access
Microsoft documented this process very nicely here. I’ll show you my own steps, which are based on the Microsoft docs.
1: Go to https://entra.microsoft.com -> Global Secure Access (Preview)
2: Activate Global Secure Access by clicking the Activate button
Source: Get started with Global Secure Access (preview) – Global Secure Access | Microsoft Learn
Install the Connector Service
First, we need to install the connector service (the Private Network connector). Think of it as an outbound proxy inside your infrastructure: it makes outbound HTTPS connections to the Global Secure Access service and relays the tunnelled traffic to your internal resources, so no inbound firewall rule towards the connector is required. The service must be installed on a Windows Server that can reach the resources you want to publish in the end. Because every published segment is reachable through it, treat that server as a privileged hop: keep it patched, minimal and monitored.
In my case I’m running a simple Windows Server 2022 Virtual Machine in Azure. This machine is using the same VNET as my Azure Virtual Desktops. When running a server in a different VNET you might need VNET-peering to make it possible.
3: Go to https://entra.microsoft.com -> Global Secure Access (preview) -> Connect -> Connectors -> Download connector service -> Accept terms & Download.
4: Install the connector by following the installation wizard. This is basically a next, next, finish setup. At the end it asks you to authenticate with a Global Administrator account.
5: Verify that the connector is active. In this case the default Connector Group is fine.
Configure Quick Access
6: Go to https://entra.microsoft.com -> Global Secure Access (preview) -> Applications -> Enterprise applications -> New application.
Create a new application and give it a recognisable name. Make sure the option Enable access with Global Secure Access client is enabled. Click Save.
7: Refresh the page once the application is created. You will now see your recently created Enterprise Application.
8: Open the Enterprise Application -> Assign specific users or groups who should be able to access the application via the Global Secure Access proxy.
9: Go to https://entra.microsoft.com -> Global Secure Access (preview) -> Applications -> Enterprise applications -> Pick the just created Enterprise Application -> Network access properties -> Add application segment
Pick one of the following destination types:
- IP address (single)
- Fully qualified domain name
- IP address range (CIDR)
- IP address range (IP to IP)
The one you need depends completely on your own infrastructure. In my test situation I only have a single Azure Virtual Desktop machine running, so I can pick a single IP address and port (3389 for RDP). In a larger infrastructure you might need a CIDR, FQDN or IP-to-IP range. Keep the segment as tight as your environment allows: everything in it becomes reachable for the assigned users through the connector, so a single IP and port exposes far less than a whole subnet.
Note: In a larger environment you would rather use the AVD services themselves, for example the gateway that comes with the AVD environment. This is not included in this blog (yet). We’re simply connecting to a single server over RDP.
Source: How to configure Quick Access for Global Secure Access – Global Secure Access | Microsoft Learn
Enable Microsoft Entra Private Access
10: Go to https://entra.microsoft.com -> Global Secure Access (preview) -> Connect -> Traffic forwarding -> Select the checkbox for Private access profile.
Verify that the application you recently created is shown under Private access policies (click the View button).
Source: How to configure Quick Access for Global Secure Access – Global Secure Access | Microsoft Learn
Install the Global Secure Access client for Windows
On your endpoints we need to install the Global Secure Access client for Windows. In this case we use Intune to deploy the Win32 Intunewin package.
I assume everyone reading this post is familiar with creating Intune Win32 packages. Therefore I won’t demonstrate step by step what to do.
Note: Make sure you download the latest IntuneWinAppUtil.exe from this GitHub repo before creating the package: microsoft/Microsoft-Win32-Content-Prep-Tool: A tool to wrap Win32 App and then it can be uploaded to Intune (github.com)
11: Go to https://entra.microsoft.com -> Global Secure Access (preview) -> Connect -> Client download -> Download client or visit https://aka.ms/GSAClientDownload.
12: Create a new Intune win package:
13: Add the intunewin file as a Win32 application to Intune: add a new Windows app (Win32) and select the GlobalSecureAccessClient.intunewin file produced in step 12.
Modify the name and description (optional). Fill in the Publisher name. This is a required field.
Configure the install and uninstall commands.
- Install command: GlobalSecureAccessClient.exe /install /quiet /norestart
- Uninstall command: MsiExec.exe /X{4DB0A026-1C26-4A8C-8378-DCB94900B604} /quiet
Configure the requirements. These can differ per environment. Normally the Operating System Architecture and Minimum operating system are sufficient. An older minimum operating system is fine, as the client is supported on multiple OSes.
Configure the following settings:
- Rule type: Path
- Path: C:\Program Files\Global Secure Access Client\
- File or folder: GlobalSecureAccessManagementService.exe
- Detection method: File or folder exists
- Associated with a 32-bit app on 64-bit clients: No
Deploy the application to your endpoints. After installation the device might need a reboot. When the Global Secure Access client starts for the first time it can ask you once to authenticate to the service; whether it does depends on your Conditional Access configuration.
Make sure the Global Secure Access Client is installed
Source: The Global Secure Access client for Windows (preview) – Global Secure Access | Microsoft Learn
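To tie steps 11 to 13 together, here is an added PowerShell example (not part of the original post, and not Microsoft’s own tooling beyond IntuneWinAppUtil.exe itself) that wraps the downloaded client into an .intunewin package. Before packaging it checks the installer’s Authenticode signature and records its SHA-256 hash, so a tampered or wrong download never ends up in Intune. The folder paths are assumptions; the Intune install, uninstall and detection settings stay as listed above.

```powershell
# Added example (not from the original post): package the Global Secure Access client
# for Intune after verifying what you are about to ship.
# All paths below are assumptions for a packaging workstation; adjust them.
$SetupFolder  = 'C:\Packaging\GSAClient'          # contains the downloaded GlobalSecureAccessClient.exe
$SetupFile    = 'GlobalSecureAccessClient.exe'
$OutputFolder = 'C:\Packaging\Output'
$PrepTool     = 'C:\Tools\IntuneWinAppUtil.exe'   # from the Microsoft-Win32-Content-Prep-Tool repo

$installer = Join-Path $SetupFolder $SetupFile
if (-not (Test-Path $installer)) { throw "Installer not found: $installer" }

# Supply-chain check: refuse to package an installer that is not validly signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Signature check failed: status=$($sig.Status) subject=$($sig.SignerCertificate.Subject)"
}

# Record the hash of the exact binary that was packaged, for change records and later comparison.
$hash = Get-FileHash -Algorithm SHA256 -Path $installer
Write-Host "Packaging $SetupFile with SHA256 $($hash.Hash)"

New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

# IntuneWinAppUtil switches: -c source folder, -s setup file, -o output folder, -q quiet mode.
& $PrepTool -c $SetupFolder -s $SetupFile -o $OutputFolder -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil.exe exited with code $LASTEXITCODE" }

# The resulting file is what you upload in step 13.
Get-ChildItem -Path $OutputFolder -Filter '*.intunewin' | Select-Object FullName, Length
```

Run it as a regular user on the packaging workstation; no elevation is needed. Keep the printed hash with your change record so that the binary you later see on endpoints can be traced back to this packaging run.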
Verify the Global Secure Access Client
On your endpoint you might see this popup. Verify that it shows Connected for at least the Private profile. The other ones are nice to have but are out of scope for this blog.
You might want to open the Global Secure Access Client and scroll through the Health check screen. Verify that the Tunneling succeeded Private Access is showing Yes.
On the Forwarding profile page, make sure that the IPs and ports configured in step 9 are shown here. If all these checks pass, we should be able to connect to our AVD infrastructure. Let’s try it out!
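The same checks can be scripted on the endpoint before you open an RDP session. The following PowerShell is an added example (not from the original post): it repeats the Intune detection rule, confirms the client’s Windows services are running, and probes the AVD private IP on the RDP port through the tunnel. The IP address is an assumption; use the one you configured as the application segment in step 9.

```powershell
# Added example (not from the original post): endpoint pre-flight checks for Private Access.
# $AvdPrivateIp is an assumption; replace it with the IP from your step 9 application segment.
$AvdPrivateIp = '10.0.1.4'
$RdpPort      = 3389
$ClientPath   = 'C:\Program Files\Global Secure Access Client'

$result = [ordered]@{}

# 1. Same check as the Intune detection rule: the management service binary exists.
$result.ClientInstalled = Test-Path (Join-Path $ClientPath 'GlobalSecureAccessManagementService.exe')

# 2. Every Windows service belonging to the client should be in the Running state.
$services = @(Get-Service -DisplayName 'Global Secure Access*' -ErrorAction SilentlyContinue)
$stopped  = @($services | Where-Object { $_.Status -ne 'Running' })
$result.ServicesRunning = ($services.Count -gt 0) -and ($stopped.Count -eq 0)
$services | Select-Object DisplayName, Status | Format-Table -AutoSize

# 3. The private IP must answer on the RDP port through the tunnel.
#    Negative control: stop the client and run this again; it should then fail. That proves the
#    path really goes through Private Access and not through a leftover VPN or peering route.
$tcp = Test-NetConnection -ComputerName $AvdPrivateIp -Port $RdpPort -WarningAction SilentlyContinue
$result.RdpReachable = $tcp.TcpTestSucceeded

[pscustomobject]$result
if ($result.Values -contains $false) {
    Write-Warning 'At least one check failed; open the Health check screen in the client for details.'
}
```

If the TCP probe succeeds while the client services are stopped, the traffic is not using Private Access at all; find and remove the other route before relying on this setup.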
Connect to the AVD environment via RDP
Open a Remote Desktop Connection to your internal IP. This is the same IP as configured in step 9 (in my blog example). Fill in the required credentials and there you go! We’re now connected to our Azure Virtual Desktop from a remote device, without using any VPN!
Note: I have a limited test environment right now. We’re just connecting to a single server over RDP. As soon as my subscription and tenant allow it I’ll try to update the blog. I will then try to connect over the gateway/AVD services.
This was a very well laid out document. Thank you for the effort. This solves an immediate problem for us – you made a difference in someone’s day.