Microsoft Entra Private Access - Clarification

Question

Microsoft Entra Private Access - Clarification

karthik palani 661

Hi All,

I am trying to implement Microsoft Entra Private Access for the first time, i would like to understand the architecture and steps for integrating our core internal application with Entra private access with conditional access control.

To perform above is it mandatory i need to register internal application under Entra - Enterprise application. Once done should i need to update any meta data within Internal application to use entra private access.
How my internal application is aware of providing access via connector and authentication within Entra ID.
I want to force the user to access internal application only when they are connected via Global secure access externally and internally it should allow automatically. Normal browser should block it. Is it possible?
I have Team viewer apps in Entra - Enterprise application, my objective is to have MFA authentication before accessing Team viewer. So since it is already in Enterprise application - i can just add the users and apply conditional access policy or is there any steps i need to perform in Team viewer.

Please advice

Thanks,

JimmySalian-2011 44,721 Reputation points

2025-04-17T15:46:30.09+00:00

Hi Karthik,

Hope I can answer this as I am doing a POC with my test environment..

Yes you will need to register as an Enterprise App and after you create Enterprise application add the application segment that is used by the internal, private resource that you want to secure. Network requests sent from devices running the Global Secure Access client to the application segment you added to your Enterprise application will be acquired and routed to your internal application by the Global Secure Access cloud service without any ability to connect to other resources on your network. By configuring an Enterprise application, you create per-app access to your internal resources. Enterprise applications provide you a segmented, granular ability to manage how your resources are accessed on a per-app basis.

Question 3 is not clear what do you mean block it via browser? The Network segment is route internally requests to the Apps and manage the access.

No need to any additional steps for Team Viewer - Please follow the steps here - https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-per-app-access

If you have any queries just message will be be able to assist.

Hope this helps.

JS

==

Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.
Gudivada Adi Navya Sri 21,070 Reputation points Moderator

2025-04-17T18:47:55.72+00:00

Hi @Karthik Palani

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
karthik palani 661 Reputation points

2025-04-20T05:12:28.9666667+00:00

Just to clarify "I want to force the user to access internal application only when they are connected via Global secure access externally and internally it should allow automatically. Normal browser should block it. Is it possible"

From Windows 10 machine, i have global secure access client. To access Internal application i need to connect first with Global secure access. Else it should not work directly.

1 answer

Your answer

JimmySalian-2011 44,721 Reputation points

2025-04-17T15:46:30.09+00:00

Hi Karthik,

Hope I can answer this as I am doing a POC with my test environment..

Yes you will need to register as an Enterprise App and after you create Enterprise application add the application segment that is used by the internal, private resource that you want to secure. Network requests sent from devices running the Global Secure Access client to the application segment you added to your Enterprise application will be acquired and routed to your internal application by the Global Secure Access cloud service without any ability to connect to other resources on your network. By configuring an Enterprise application, you create per-app access to your internal resources. Enterprise applications provide you a segmented, granular ability to manage how your resources are accessed on a per-app basis.

Question 3 is not clear what do you mean block it via browser? The Network segment is route internally requests to the Apps and manage the access.

No need to any additional steps for Team Viewer - Please follow the steps here - https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-per-app-access

If you have any queries just message will be be able to assist.

Hope this helps.

JS

==

Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.
Gudivada Adi Navya Sri 21,070 Reputation points Moderator

2025-04-17T18:47:55.72+00:00

Hi @Karthik Palani

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
karthik palani 661 Reputation points

2025-04-20T05:12:28.9666667+00:00

Just to clarify "I want to force the user to access internal application only when they are connected via Global secure access externally and internally it should allow automatically. Normal browser should block it. Is it possible"

From Windows 10 machine, i have global secure access client. To access Internal application i need to connect first with Global secure access. Else it should not work directly.

Answer 1

Yes, registering your internal application as an Enterprise Application in Microsoft Entra is required to use Private Access. Once registered, you must:

Create an application segment that defines the internal resource (IP, FQDN, ports, protocols).
This segment is used by the Global Secure Access (GSA) client to route traffic securely to your internal app.
No metadata changes are needed within the internal app itself, but the app must be reachable via the connector and support authentication protocols like Kerberos or SAML. [Microsoft...rosoft Q&A]

This setup enables per-app access, allowing granular Conditional Access enforcement.

How does the internal application become aware of access via connector and Entra ID authentication?

Your internal application doesn’t need to be explicitly aware of the connector. Instead:

The Microsoft Entra Private Network Connector acts as a bridge between the cloud and your internal network.
The connector is installed on a Windows Server inside your network and handles outbound communication only—no inbound ports need to be opened.
The GSA client on the user’s device routes traffic to the connector, which then forwards it to the internal app.
Authentication is handled by Microsoft Entra ID, using Conditional Access policies and optionally MFA.

To enforce access only via GSA:

Configure Conditional Access policies that include Compliant Network checks and source IP validation.
Use Quick Access for broad network access or App Segments for per-app access. https://learn.microsoft.com/en-us/entra/architecture/gsa-poc-private-access
Block direct access via browser by ensuring the app is only reachable through the connector and GSA client.

This setup ensures:

External users must use GSA client and meet Conditional Access requirements.
Internal users can access automatically if within the corporate network.

Enforcing MFA for TeamViewer via Entra Enterprise Application

Since TeamViewer is already registered as an Enterprise Application, you can enforce MFA by:

Assigning users or groups to the TeamViewer app.
Applying a Conditional Access policy that requires MFA for access to TeamViewer.
No additional configuration is needed within TeamViewer itself unless it has its own MFA settings. However, ensure:
The app supports SAML or OAuth for integration.
- You test the policy using the Conditional Access What If API to avoid lockouts.

Share via

Microsoft Entra Private Access - Clarification

1 answer

Your answer