{"id":14636,"date":"2025-08-19T07:06:23","date_gmt":"2025-08-19T07:06:23","guid":{"rendered":"https:\/\/newestek.com\/?p=14636"},"modified":"2025-08-19T07:06:23","modified_gmt":"2025-08-19T07:06:23","slug":"microsoft-entra-private-access-brings-conditional-access-to-on-prem-active-directory","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14636","title":{"rendered":"Microsoft Entra Private Access brings conditional access to on-prem Active Directory"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Attackers are increasingly targeting cloud resources, but that doesn\u2019t mean they no longer see our on-premises Active Directory installations as excellent targets for gaining access to our networks. Government entities, for example, often rely on lots of on-premises servers as well as traditional desktops that make for juicy targets.<\/p>\n

As a result, Microsoft last year began testing how to add Microsoft Entra\u2019s increased access control capabilities to on-premises systems as a means for enabling organizations to establish conditional access and multi-factor authentication (MFA) options for these resources. Initially the rollout included support for connecting to resources<\/a> such as Active Directory domain controllers using Entra\u2019s identity-centric Zero Trust Network Access (ZTNA) framework.<\/p>\n

In July the official Microsoft documentation<\/a> included details about configuring what the company calls \u201cEntra Private Access for Active Directory Domain Controllers,\u201d indicating that these features are in mainstream release and available for production use.<\/p>\n

There is one major hurdle to overcome before you can roll out this capability: You will need to ensure your network is NTLM free and only supports Kerberos authentication with your domain controllers. The goal for Entra Private Access is to take the place of legacy VPNs and internal Active Directory resources.<\/p>\n

Prepping your systems for Entra Private Access<\/h2>\n

While Entra Private Access has been generally available since November 2024, full Active Directory domain controller integration and documentation has only been available as of last month.<\/p>\n

To set up the service you must have the Global Secure Access Administrator role in Microsoft Entra ID. The product also requires licensing, but you can use trial licenses to test the deployment in a proof of concept.<\/p>\n

You must also ensure that client machines run Windows 10 or higher and that they are Microsoft Entra joined or hybrid joined devices. Client machines must also have line of sight to the private resources and domain controller. In other words, the user must be within the corporate network, accessing on-premises resources.<\/p>\n

For firewall rules, you must open inbound TCP port 1337 in the Windows Firewall on the domain controllers. You must also identify the Service Principal Names (SPNs) of the private apps you want to protect and add them to the Private Access Sensors policy installed on the domain controllers.<\/p>\n

Microsoft recommends testing this functionality with your private app first. You can enforce MFA to the domain controller by using the private app\u2019s SPN, but doing so at a later stage may help you avoid any admin lockout issues, Microsoft reports.<\/p>\n

As with many deployments, issues often start with troubleshooting the various parts needed for installation. I would recommend you review the resources at the Global Secure Access community resources hub<\/a> and set up a proof of concept.<\/p>\n

At this time, clients that can be protected include Windows 10 and 11 and Android. Windows on Arm, macOS, and iOS are in preview at this time.<\/p>\n

\n
<\/figure>\n

Susan Bradley \/ CSO<\/p>\n<\/div>\n

Putting Entra Private Access to work<\/h2>\n

Before you can roll out these additional security settings, you need to be well on your way toward removing NTLM from your network. First you\u2019ll need to audit your environment to identify where NTLM is being used.<\/p>\n

To do so, navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity Options.<\/p>\n

\n
<\/figure>\n

Susan Bradley \/ CSO<\/p>\n<\/div>\n

The deepest level of auditing, including workgroup and domain authentication attempts that use NTLM, can be achieved by setting:<\/p>\n