Category Archives: Entra ID

From Home to Zero Trust: A Hands-On Guide to Microsoft Entra Private Access

Entra ID, Global Secure Access, Network Security December 16, 2025 Leave a comment

In today’s hybrid work environment, secure access to internal resources without relying on traditional VPNs is a key requirement. Microsoft Entra Private Access, part of the Global Secure Access suite, enables Zero Trust-based connectivity to private applications hosted on-premises or in private networks.

In this demo, we’ll walk through setting up a home lab using an Azure tenant, installing the Entra connector, and configuring access to a Synology NAS as a private application—all from a personal laptop and home network.

Before starting, make sure you have:

  • Microsoft Entra ID tenant with Global Secure Access enabled.
  • Microsoft Entra Global Secure Access license (Private Access feature).
  • Windows 11 Pro device (required for advanced networking and policy support).
  • Device joined to Microsoft Entra ID (Azure AD joined or Hybrid joined).
  • Intune-managed device for policy enforcement and NRPT configuration.
  • Administrative access to your Azure tenant and local machine.
  • Microsoft Entra Connector installer downloaded from the Entra Admin Center.
  • Global Secure Access Client installer for Windows.
  • Internal resource (Synology NAS or similar) reachable on your home network.
  • Internal IP address of the resource (e.g., 10.0.x.x).
  • Optional DNS setup:
    • Private DNS zone or hosts file entry for FQDN (e.g., demo.synology.me).
  • Self-signed certificate (optional) for HTTPS access.
  • Internet connectivity for connector registration and client sign-in.

.

Step 1: Prepare Your Internal Resource

For this demo, we’ll use a Synology DiskStation as the internal resource.

  • Ensure your Synology NAS is powered on and accessible on your home network.
  • Note its IP address (e.g., 10.0.0.8) and the services you want to expose (e.g., DSM web UI on port 443).

In my case this is the Synology NAS and accessible from the test laptop where im demoing the Microsoft Entra Private Access

Step 2: Install Microsoft Entra Connector

  • Download the connector from the Microsoft Entra Admin Center.
  • Install it on a device that can reach your Synology NAS (can be your laptop or another machine).
  • During setup, register it with your Azure tenant.

Verify Installation:

  • In the Entra Admin Center, go to Global Secure Access → Connectors.
  • Confirm your connector shows as Active.
  • Check logs in Event Viewer → Applications and Services Logs → Microsoft → AADApplicationProxyConnector for status messages.

Step 3: Create an Application Segment for Synology

  • Navigate to Global Secure Access → Application Segments → Add Segment.
  • Configure:
    • Name: SynologyNAS
    • Destination type: IP address
    • Destination: your nas IP
    • Ports: 443
    • Protocol: TCP
  • Save and verify the status shows Success.

Step 4: Link the Segment to Private Access Profile

  • Go to Global Secure Access → Connect → Traffic forwarding → Private access profile.
  • Under Private access policies, click Edit.
  • Add your SynologyNAS segment to the profile.
  • Assign users or groups (e.g., your account) to the profile.

In my example I have  selected 2 private apps and hence you see the number as 2 and have assigned to all users

Step 5: Configure Private Networks (Optional but Recommended)

  • Navigate to Global Secure Access → Connect → Private Networks (Preview).
  • Click Add Private Network.
  • Enter:
    • Name: Synology
    • DNS servers: 127.0.0.1 (or your internal DNS server IP)
    • Fully qualified domain name: Your Synology FQDN resolvable
    • Resolved to IP address type: IP address
    • Resolved to IP address value: (Your Synology NAS IP)
  • Save the configuration.

Why?
This ensures that when you access Synology the GSA client routes traffic correctly through the Private Access tunnel.

Step 6: Install the Global Secure Access Client

  • Download and install the Microsoft Entra Global Secure Access client on your laptop.
  • Sign in with your Azure AD account.
  • Verify the client is active and connected.

Very Imp you must have all the channels green tick so your GSA client routes all the traffic to the Global Secure Access

Step 7: Test Access

  • From your laptop, try accessing the Synology DSM web UI using its hostname or IP .
  • Check Advanced Diagnostics → Traffic in the GSA client to confirm traffic is tunneled.
  • Apply Conditional Access policies if needed for security. (Did not get time to explore this one will do it in the next blog)

Step 7: Validate in Insights & Analytics

  • Go to Global Secure Access → Insights and Analytics
  • Confirm your Synology NAS appears under Private Applications.
  • Monitor usage trends and transactions for visibility.

After a successful setup the first thing you would notice is that the Total Private Applications count will be showing as 1

There is also further drill down where we could look at the usage pattern via Graph

So now we are successfully able to route the private traffic via Global Secure Access.

In this demo, we successfully showcased how Microsoft Entra Private Access can securely connect users to internal resources without traditional VPNs, leveraging Zero Trust principles. By setting up a home lab with an Azure tenant, installing the Entra connector, and configuring Application Segments, we exposed a Synology NAS as a private application and validated access through the Global Secure Access client.

This approach demonstrates how organizations can modernize remote access, reduce attack surfaces, and improve user experience without relying on legacy VPN solutions.

Sathish Veerapandian

Migrate from Entra Connect to Microsoft Cloud Sync for better resiliency – Part 1

Entra ID, Microsoft Cloud Sync March 15, 2024 Leave a comment

Microsoft Cloud Sync  is a new solution for achieving your hybrid identity synchronizing contacts, groups, and users with Microsoft Entra ID—is Microsoft Entra Cloud Sync.

Rather than using the Microsoft Entra Connect it makes use of the Microsoft Entra cloud provisioning agent. In this article series we will take a look at the steps to migrate from Entra ID connect to Microsoft cloud sync (After detailed analysis)

We will choose only a Pilot OU on this part to see if the synchronization is getting successful for these Pilot OU.

Below are the benefits of migrating to Cloud Sync:

  1. Config is easily managed from Azure AD portal
  2. Cloud Sync does not require SQL server licensing (Azure AD Connect requires a SQL Server database to store identity data)
  3. It’s a light weight agent no heavy dependencies of need to setup a local DB SQL backend
  4. Deployment complexity & maintenance is fair less

Moving on to resiliency:

  1. Multiple agents can be installed for parallel sync.
  2. Whereas Azure AD connect uses Active & Staging mode to achieve some resiliency.

Regarding performance :

  1. Its capable of performing Sequential Sync
  2. Supports Sync to a single tenant from a multi-forest disconnected AD environments

So the question comes here first like ok this seems to be nice but I already have my environment setup and running in Azure AD connect.

What is the steps to migrate to Microsoft Cloud Sync ?

Below are the steps to do that.

First things first (Lets be very honest here )

Not all environments are capable of moving to Cloud Sync .

So we need to first evaluate any environment before choosing this option.

How do I validate ?

You can use the Microsoft setup tool by navigating to the below url

https://setup.cloud.microsoft/entra/add-or-sync-users-to-microsoft-entra-id

Continue reading

Make use of the Azure Recovery Services Vault Backup to restore your Domain Controller

Active Directory, Azure, Backup, Entra ID, Recovery Services Vault February 27, 2024 Leave a comment

It’s been quite a while since I blogged, and since I started doing podcasts, this has been reduced a lot.This time I thought to blog something about the cool stuff in the Entra ID feature I explored in the demo and wanted to share about the same.

Today in this blog, let’s take a look at restoring a domain controller running on the Azure virtual machine from the Recovery Services vault.
Recovery Services Vault is a feature provided by Microsoft Entra that offers centralized management and protection of data, applications, and workloads.
One of the services offered by Recovery Services Vault is it’s backup.

We also talked about the site recovery in the previous video, and if you want to have more information on it, I highly recommend taking a look at it.
In the backup part, it allows us to securely backup and recovery our applications in the event of accidental deletion , data corruption, or site failures.

Continue reading

Microsoft Entra Global Secure Access Preview – Secure Access Service Edge (SASE)

Entra ID, Global Secure Access, Security February 2, 2024 Leave a comment

An identity-aware, cloud-based security infrastructure is becoming increasingly necessary for today’s workforce as more and more data and apps move to the cloud. Security Service Edge (SSE) is a new class of network security solutions that is a stand-alone subset of Secure Access Service Edge (SASE).

SASE architecture’s main goal is to provide a seamless and secure user experience while maintaining optimal connectivity.

Take a look at this video to learn more about it.

I hope you enjoyed this video!

Regards

Sathish Veerapandian

Deploy your Conditional Access Policies via Terraform

Entra ID, Terraform October 12, 2023 Leave a comment

With Terraform, you can define your Conditional Access policies and configurations as code. This means you describe the desired state of your Azure AD Conditional Access environment in Terraform configuration files, making it version-controlled, repeatable, and easily auditable.

Take a look at this video to see more about this information

Hope you enjoyed this video !

Sathish Veerapandian