Friday 8 March 2024

First look at Microsoft Entra Private Access

Flexible work arrangements and accelerating digital transformation have changed the way we need to secure access. Organizations need an easier, more agile approach to protecting access to all applications and resources. Traditional network security approaches like VPNs don’t scale to these modern demands, they don’t give end users a good experience, and they grant excessive access to the entire corporate network. All it takes is one compromised user account, infected device, or open port for an attacker to access and laterally move anywhere inside your network. Neither identity nor network security controls alone can fully protect all access points. Even if you’ve adopted modern but disjointed access solutions you may leave security gaps that skilled adversaries can exploit. So, you still need to integrate them to address these challenges.

Microsoft's identity-centric Security Service Edge (SSE) solution helps organizations secure access to any app or resource, from anywhere. Conditional Access policies can be enforced that consider identity, device, application, and now network conditions with any application or website. 

The Microsoft SSE solution contains two products announced last year, Microsoft Entra Internet Access and Microsoft Entra Private Access.

This model is built on Zero Trust principles. It helps to verify each identity and uses risk-based context, giving users access only to applications, resources, and destinations they need to do their job. With Identity and Network Access solutions working together, organizations can bridge the gaps across multiple tools in one place and configure unified identity and network access controls with Conditional Access in Microsoft Entra.

Microsoft Entra Internet Access is an identity-centric Secure Web Gateway (SWG) for SaaS apps and internet traffic that extends Conditional Access policies to protect against malicious internet traffic, unsafe or non-compliant content, and other threats from the open internet. For example, you can block access to all external destinations for your high-risk users or non-compliant devices except limited URLs needed by the user to recover. 

I will concentrate on Microsoft Entra Private Access for this blog post. You are probably familiar with Application Proxy in Microsoft Entra, which thousands of organizations use to access private web apps today. Microsoft Entra Private Access is an even better solution and is currently in Preview. It is a complete, identity-centric Zero Trust Network Access (ZTNA) solution that shares the same application connectors but offers so much more, to help organizations simplify and secure access to any private resource, port, or protocol.

For the Entra Private Access blog post we'll concentrate on the following high level steps. Try it in your lab.

  • Prerequisites
  • Enable Global Secure Access
  • Enable Traffic Forwarding
  • Install the Connector
  • Create Connector group
  • Create and publish a private application
  • Assign user/group to private application
  • Install the Global Secure Access client 
  • Test and verify private access
  • Logs
  • Mobile devices

Prerequisites

Ok, as always there are some prerequisites to get this working.

  • Admin user with one of the following roles: Global Secure Access Administrator, Application Administrator, Security Administrator
  • Server to install connector (essentially the application proxy, you'll need local admin rights)
  • A server with RDP enabled plus a fileshare
  • Test user with Entra ID P1 license (M365 E3 does the trick 😀😀)
  • Test client:
    • Windows 10/11 64-bit
    • Entra ID or hybrid joined
    • Internet connection with no LAN or VPN connection to the private application
    • Ability to install the Global Secure Access agent (via Intune or local admin)

Enable Global Secure Access

The first step is enable Global Secure access for the tenant. 


Launch the Microsoft Entra Admin Center (https://entra.microsoft.com) and navigate to Global Secure Access (Preview) >  Get Started. Click Activate.

Global Secure Access is now enabled and you can click Get Started to review the documentation for the next steps.

Enable Traffic Forwarding

Traffic forwarding enables you to configure the type of network traffic to tunnel through the Microsoft Entra Private Access service. You set up profiles to manage how specific types of traffic are managed. Private access traffic can be forwarded to the service by connecting through the Global Secure Access desktop client.

Navigate to Global Secure Access (Preview) > Connect > Traffic Forwarding


Check the box for Private Access profile.

Install the Connector

Next we download and install the Connector to link Entra to the on-premises resources. This time we navigate to Global Secure Access (Preview) > Connect > Connectors


Click Download connector service > Accept terms & Download


We can see that the downloaded file is the installation for the application proxy connector.


Install the connector and sign in to Entra with your admin account when prompted.


The service is installed on the server.


You'll see the connector active in the Entra Admin Center.

Create Connector group

Connector groups are used to assign specific connectors to applications. They give you more control and let you optimize your deployments.


Click New Connector Group > enter a name and associate with the connector.

Create and publish a private application

Now for the services, I want to add a private application for RDP (3389) to a specific server (192.168.10.19). I'll also add access to a fileshare (445) on the same server. Remember we could only use application proxy for web apps before.

Navigate to Global Secure Access (Preview) > Applications > Enterprise Applications


Click New Application > Enter a name and select a Connector Group. Ensure that Enable access with Global Secure Access client is checked.


Click Add application segment to add the service details. In this case I've chosen RDP (3389) to the IP address 192.168.100.19. I could have also chosen a fully qualified domain name here. In fact you can do both.


The application is ready to be assigned.


You can also use port 445 to give private access to a fileshare.

Assign user/group to private application

Now we need to assign the enterprise application to a user or group. Navigate to Global Secure Access (Preview) > Applications > Enterprise Applications


Select the application and choose Assign users and groups

Click Add user/group and select who needs to access the application.

Install the Global Secure Access client

Navigate to Global Secure Access (Preview) > Connect > Client Download


The client is available for Windows, Android, iOS and macOS. In this case we want Windows. Download and install the client on the test device. You can automate the installation to managed devices using Intune.


Global Secure Access Client is installed. 


You'll see it connected in the system tray. Make sure you've signed in with a licensed user.

Have a look at the properties.

Test and verify private access

Now let's see if the solution works.


We can see that the test device is Entra joined.


We can also see that we're not on the same network as the private server and that it is not accessible.

However RDP is working, happy days.


I can also get to the fileshare over port 445.

Logs

Now let's look at the logs to prove it. Navigate to Global Secure Access (Preview) > Monitor > Traffic logs


We can filter by destination IP address and see that it is being accessed by my test user over the internet.

Clicking on one of the logs brings up the activity details. You can see source and destination IP addresses and destination port, verifying that the connection was made over the internet.

Let's try another test and turn off the proxy.

We can see that the connector is not available........

......and neither is RDP. That is expected behaviour.

Mobile devices

Can we use Entra Private Access on mobile devices?


Sure we can. The Global Secure Access client is built in to Microsoft Defender for iOS and Android so it's very straightforward.

I hope this blog post helps you. Until next time......



Tuesday 14 November 2023

macOS management with Intune - compliance

Back to main macOS page

Compliance policies in Intune define the rules and settings that users and devices must meet to be compliant. They include actions that apply to devices that are noncompliant. Compliance policies can be combined with Conditional Access, which can then block users and devices that don't meet the rules.


First I want to figure out what configurations I can make in my compliance policy. Using the Terminal app on my test macOS I executed csrutil status to see if System Integrity Protection was enabled. It is enabled so I can safely use that for compliance.


Navigate to Devices > macOS > Compliance policies. Click Create policy.


Click OK.


Enter a policy name and click Next. There are three sections that can be configured.


Device health - I know that system integrity protection is enabled on my test device.


Next we have Device Properties - I want to insist on a minimum operating system version.

System Security has four sub-sections
  • Password
  • Encryption
  • Device security
  • Gatekeeper

I need devices secured with a password.


I want the devices to be encrypted.


I haven't worked on the firewall yet so I'll not enable this yet.


Gatekeeper will follow in a later blog post.


I've just left the default noncompliance action (mark device noncompliant immediately).


Assign to a group containing macOS devices- and click Next.


Review the configuration and click Create.


The device shows being compliant in the Company Portal app.


In the Intune portal, drilling into the compliance policy we can see that the device is compliant.


We can also view the per-setting status of compliance items.

macOS management with Intune - PKG apps (Chrome)

Back to main macOS page

PKG files are compressed installer files that are used to install macOS applications. Intune can deploy these apps to managed macOS devices where the file is smaller than 2GB. The Microsoft Intune management agent for macOS is also required.

The PKG file for Google Chrome can be downloaded from here


Select Apps > macOS apps > Add. Under the Other app types, select macOS app (PKG)


Browse to the PKG file.


Click OK.


Edit app details as required and click Next.

You can add pre- and post-install scripts if required. Click Next.


Select a minimum operating system version. Click Next.


For the detection method, the app bundle ID and app version are configured automatically (unlike DMG files). Click Next.


Assign to a group containing macOS devices. Click Next.


Review your configuration and click Create.


Chrome very quickly appears on the macOS device.


The app reports as being installed in Intune.