Active Directory Access with Microsoft Entra Private Access

Captions
Hi everyone. In this video I want to talk about using Microsoft Entra Private Access, which I've done a deep dive video on already, but how could I use it specifically to access Active Directory Domain Services trusting resources, for example an SMB file share, but it could be anything. Because if I think about today, great, we have our Entra tenant, and as we move to those more modern scenarios, my device that I'm leveraging is joined to Entra, so we have an Entra joined device, which means I get this fantastic experience for all of the wonderful things that trust my Entra tenant: all those SaaS solutions, I can use Entra Internet Access, private connectivity solutions we've talked about, completely seamless, so I get all the power of Entra Conditional Access, everything else. Fantastic. But I still probably have some on-premises resources that trust Active Directory Domain Services. So now I think about, well okay, I've still got this idea of my regular Active Directory Domain Services, and there's some resource that is a member of this domain, so I want to be able to talk to this as well.

Now there's some great things that happen even for an Entra joined machine if I have a line of sight to these resources. As we know what's happening behind the scenes, what we have configured is we use that Entra Connect or Entra Connect Cloud Sync to perform this synchronization. So we have that synchronization going on, and what that synchronization also does is, in addition to sending the objects, it gives information about, well hey, here are the domain controllers, here are their IP addresses. And then when I actually go and authenticate to Entra from my machine, it actually sends a bit of additional detail. So as part of this authentication, yes, it sends me for example my primary refresh token, but it also gives me information about my Active Directory Domain Services, and then what that enables me to do is a few different things. It also tells the LSA, that Local Security Authority, on this machine: hey, go and turn on Kerberos and go and turn on NTLM. Now again, this machine is only Entra joined, it is not hybrid, but because of the synchronization and because it's sending it some information, it's giving it info about the on-prem services as well. And what this enables me to do is, if I have line of sight to the domain controller and the resource, well, because now I know about the domain controllers, I will absolutely go and talk to this, say hey, I want to authenticate, and as part of that it will give me a ticket granting ticket and then a session ticket for the resource I want, so I could then go and talk to it. And this is fully outlined, so if we look at the documentation, it goes through in detail about what is required: hey, yes, you need the Connect Sync, and it talks about how it's actually working behind the scenes.

So the upshot is, even though I'm Entra joined, I can still use my resources, but I keep saying this word "line of sight". What I require is, well, I have to be able to have an IP path to these things. So how do I get that? How do I, from my Entra joined machine that could be anywhere, be able to have an IP communication to my domain controller and then to the resource I want to leverage? Historically this would be a VPN, but we can now use the Microsoft Entra Private Access instead. And again, I did a whole video on that; I'm not going to go over the basics of Private Access, but instead I want to talk about, well, what would this actually look like?

So if I think about Private Access and its core components, if I look here for a second, obviously I have my on-premises network, or wherever this is. Well, I need connectors, so I'm going to have my Microsoft Entra connectors that sit on this network, so I have n number of connectors. Now remember, the whole point of the connectors is they establish this outbound connection to the Entra Security Service Edge, so I don't have to have any inbound ports. But once it establishes that, well, now the Entra edge can go and talk to these connectors, and of course the connectors, well, they have IP paths because they're on this network to our domain controllers, they have an IP path to the resources. And additionally, because these connectors sit on this network, for DNS, well, they're going to use whatever DNS service is configured, so in this case the DNS is part of our Active Directory Domain Services. So if this gets sent a DNS query, it can go and resolve it against our Active Directory. So that's a huge part of this.

If we quickly go and look, let's jump over and look at my environment. If I look at my connectors, I have two connectors running in my environment that now can talk to my domain controllers, they can go and talk to the resources I have on my network, and I can obviously have multiple different ones of this.

Now the next portion I require, remember, is the Global Secure Access client on my machine. So on my machine over here I have the GSA (wrong color, don't want to do that), I have my GSA, and I've already got that deployed on my machine. And again, I talked about that: it's the same client we use for Private Access, it's the same client we use for Internet Access. I can roll it out in all of the standard ways, Intune, MDM solutions; if it was on-prem I could use Group Policy. It's just a package I want to get deployed out. But then once I have this, let's quickly go and look at our environment. We see down in this little bottom corner I have my icon, and what I'm going to do just for this demonstration, if we right click, we can do Advanced Diagnostics, and I'm going to have this kind of up and running at the top just so we can see some stuff later on. We'll monitor our traffic; I'm going to add a filter, and all I want to be able to see is Private Access communications, because again it is the same GSA client for Private Access, the Microsoft 365, all of that, exact same traffic. So now I'm collecting the traffic so we can come and look at that later on. So I have those components.

Okay, so what do I now have to do if I think about talking to and using Active Directory Domain Services? Step one is name resolution. I have to be able to ask it, hey, where's an LDAP service, where's a domain controller? And so for this machine, whatever my domain would be, so for example in my environment it's savtech.net, so I need it to know: look, if you try and do a DNS request against savtech.net, this is actually being served by Private Access. So step one with my Private Access configuration is, for my private DNS, I would add my Active Directory Domain Services internal zone name, so in my case, hey, savtech.net. It's literally adding one command in there. So I'll go and look at my setup. Actually, before I show you that, let me show you the config. So if I go to my applications, Quick Access, and I've got my private DNS, you can see I'm enabling it and I've got savtech.net added. All that is telling it is that it's now configured on my clients to say if you try and resolve something that's part of savtech.net, send it over the Private Access configuration. And the upshot of that would now be, if I'm on my client, if I try and do a resolve (oh, that's handy), so if I try and resolve the LDAP service for savtech.net, so I'm telling it it's a type service record, it resolves, so it gives me an answer of my particular domain controller that is hosting that service. And now also if I try and resolve the DNS name for that domain controller, it also resolves it to its records. So at this point, just through that one configuration, I can get those answers. And again, I've still got kind of the tracking going on here; we see some port 53 stuff going on on the back end that powers that DNS lookup configuration, so that's just happening behind the scenes. I don't have to do anything else, there's no special rules I'm adding; that's all I am required to do. So at this point, great, my client can find services. Now I can just query DNS. DNS is the service locator for Active Directory Domain Services, and I can find stuff. That was super easy to do.

Okay, we've done that part, but now I want to actually be able to interact with various Active Directory Domain Services. So now what I have to do is set up an application. So now for me, I'm going to set up Domain Communications. For each domain controller I'm going to create an application segment. Remember, if I have five domain controllers, when I query DNS it would return all five of them, so I have to make sure all five of them are going to be redirected through this configuration. So for example, for my domain controller number one, I would create it based on its IP address, and then what are the ports? Now this is where it gets interesting. If we look at the documentation, it tells us what I need to talk to Active Directory. Now I don't have to worry about DNS because I'm doing that through the Private Access, but I certainly want to worry about Kerberos, so that's 88 TCP and UDP, and I probably want to worry about LDAP, so that is 389 TCP and UDP. Now depending on what else I want to talk to, I may want 135 TCP for the RPC endpoint mapper, and for what I'm going to do I want 445 TCP for SMB. But realize, depending on what services you use, you may need some of these other ports added as well. All I want to do is show you an SMB file share running on the domain controller. I'm going to add the RPC endpoint mapper as well just for fun, but you wouldn't even particularly require that, but you need to go through and work out what are the ports that I want to enable for my specific environment. So if I think about, for me then, well, what I need is TCP and UDP for 88 Kerberos and 389 LDAP, and then optionally, only because I want to use it on the domain controllers, I'm going to add TCP 135 RPC endpoint mapper and 445, and then I would repeat this for my second domain controller and my third, etc., etc. So I'm going to add all these app segments to this, and that will now have the net result of, hey, for this communication, it will now enable me to talk to this on port 88 and 389 (remember that's giving me Kerberos authentication and LDAP) and then, well, I could talk SMB, which is just 445 TCP, and maybe I want 135, whatever those combinations are. Often the file shares will be on different servers; it would be a different application adding to the Private Access, but I'm just making it kind of simple for my environment.

But if we quickly go and look, then, what does that look like? So if I now go look at my Enterprise apps, I have already added one for my Domain Communications. For my network access properties, I only have one DC in this environment, so I added my app segment, and now I only needed 88 and 389 for TCP and UDP. I could have added separately 135 and 445 to just be TCP, but the GUI was giving me some upsets, so I just enabled all four of them for TCP and UDP, but technically speaking I wouldn't have needed that. And once again, if I had a second domain controller, I would do another app segment and I would go through here, I would put in the IP address of the second domain controller, 10.10.0.111, I would add in the ports it actually required, so maybe that is the 88 and the 389, I could say hey, I want TCP and UDP, and I would click Apply. So I can very easily just go through and add the exact values I want to publish, and I have done that in my environment. So the upshot is those are now running to go through Private Access.

So maybe let's see it. And remember the one other thing you must make sure you do before I go on: make sure you add the user as a member of the app, otherwise it won't get published to them; they won't use that communication. So if I go and look at my application, again this is my VM, so it clears the screen. If I do klist, I don't have any tickets right now at all, nil. If I now try and (oh, there we go) go to my domain controller, so all I'm doing is I'm putting the UNC path of my domain controller, nothing else, and not typing any credential, anything, and go. It's thinking about it, and now I'm looking at the file share. It just worked. And if I actually try and go to something, let's go to the Tools folder, hey, I'm viewing it, like I can just see that folder. If I look at my tickets, wow, we can see I got my Kerberos ticket granting ticket, and I got it from my domain controller, and because I then wanted to access a file share on that, I got a session ticket for CIFS SMB from that same domain controller. So I actually went and got my tickets. And if I now poke around the tracing we had running, I should see an 88, I should see that Kerberos, right? So we see a whole bunch of stuff going on here, right? So I can see there was my Kerberos goodness going right here, I can see I've got the 389 going on, all of them to that IP address. So that's me using those actual connections: that's me doing for example the Kerberos, that's me doing some LDAP lookups, I can see also the TCP 445, so I can see me doing the SMB. It's doing all of that via the Private Access, so it just works. So for the user it was a completely seamless access, and I think that's one of the really powerful things about this.

Now remember what is happening here, then. I'm drawing these arrows; remember that that isn't the flow. The whole point in this flow of what's actually happening: the flow is my machine is talking to the Entra edge. I'm not having some wide open VPN that could do, what, anything else. I'm talking to the Entra edge, which means regular Conditional Access is applying here. I could absolutely go, if we jump over, so I added Domain Communications; if I wanted to, under Protection, Conditional Access, I could create a new policy, and for my target resource it could be a cloud app, and I could select Domain Communications. So anything I could do with my regular Conditional Access I could do exactly here. So maybe I want MFA, maybe I want stronger authentication, I'll create a custom authentication strength and I'll put requirements around that, whatever I can think of. I could apply risk detections as part of this as well. So I'm getting all of the goodness of Entra. And then remember, so the flow is I'm talking to the edge, and then the edge is talking to the connector, and then the connector is talking to the resources. So this is the flow. I'm not just opening some big tunnel; I have all of those various protections and everything I would normally do here.

That's it. I just wanted, because it has come up when I talked about Private Access, there were questions about it. It's like, well, could I use this instead of a VPN so I could talk to on-premises Active Directory domain trusting resources? And the answer is 100% yes, and because they already had that functionality for, if I have an Entra joined device it gets sent information about the Active Directory Domain Services, so as long as I have a line of sight I can go and get those ticket granting tickets, the session tickets, completely seamlessly. Well, that line of sight can be facilitated by the Microsoft Entra Private Access, so no matter where they are, hey, I can resolve my DNS names, and then I can get the communications through there, but all of the time it's going via the Entra Security Service Edge, so those checks, the Conditional Access, they're still applying to keep my users and my organization safe. So that was it. Hope that answered the question. 100% yes, I can. Until next video, take care.
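As an added example (not code from the video or from Microsoft), the check below models the point made about app segments: every domain controller returned by the _ldap._tcp SRV lookup must be published by a Private Access app segment for 88 and 389 on both TCP and UDP, plus 445/TCP when the share lives on the DC. The DC names, IP addresses and segments are constructed sample data; in a real tenant they would come from the SRV lookup and the app's network access properties.

```python
"""Coverage check: every AD DS domain controller that DNS returns must be
covered by an Entra Private Access app segment for the ports clients need.
Added example, not code from the video or from Microsoft; sample data is constructed."""
from dataclasses import dataclass

# Ports the video walks through: Kerberos (88) and LDAP (389) on TCP and UDP.
# 135/TCP (RPC endpoint mapper) and 445/TCP (SMB) only when those services are used.
REQUIRED = {("tcp", 88), ("udp", 88), ("tcp", 389), ("udp", 389)}

@dataclass(frozen=True)
class AppSegment:
    """One Private Access application segment: destination IP, ports, protocols."""
    ip: str
    ports: str                   # comma-separated ports or ranges, e.g. "88,389"
    protocols: tuple = ("tcp",)  # ("tcp",), ("udp",) or ("tcp", "udp")

def expand_ports(spec: str) -> set:
    """'88,389,135-139' -> {88, 389, 135, 136, 137, 138, 139}."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def published_by_ip(segments) -> dict:
    """Map each segment IP to the set of (proto, port) tuples it publishes."""
    by_ip = {}
    for seg in segments:
        pub = by_ip.setdefault(seg.ip, set())
        for proto in seg.protocols:
            pub.update((proto, p) for p in expand_ports(seg.ports))
    return by_ip

def coverage_gaps(srv_answers: dict, segments, want_smb: bool = False) -> dict:
    """For each DC host from the _ldap._tcp SRV lookup, list the (proto, port)
    tuples not yet published; an empty list means the DC is fully covered."""
    needed = REQUIRED | ({("tcp", 445)} if want_smb else set())
    by_ip = published_by_ip(segments)
    return {h: sorted(needed - by_ip.get(ip, set())) for h, ip in srv_answers.items()}

if __name__ == "__main__":
    # Constructed stand-in for the SRV/A answers; not the video's environment.
    dcs = {"dc1.example.test": "10.0.0.10", "dc2.example.test": "10.0.0.11",
           "dc3.example.test": "10.0.0.12"}
    segs = [AppSegment("10.0.0.10", "88,389", ("tcp", "udp")),  # complete
            AppSegment("10.0.0.11", "88,389")]                  # TCP only; dc3 has none
    for host, gaps in coverage_gaps(dcs, segs).items():
        print(host, "OK" if not gaps else f"missing {gaps}")
```

A DC that shows up in the SRV answer but has any gap here is one the client will try to reach and fail against, which is exactly the "all five of them" trap the video warns about.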
Info
Channel: John Savill's Technical Training
Views: 18,620
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, azure ad, entra, conditional access, private access, active directory domain services, VPN
Id: qdNzvy5U3Sw
Length: 21min 52sec (1312 seconds)
Published: Wed Mar 20 2024