Apply Conditional Access policies to Private Access apps

Applying Conditional Access policies to your Microsoft Entra Private Access apps is a powerful way to enforce security policies for your internal, private resources. You can apply Conditional Access policies to your Quick Access and Private Access apps from Global Secure Access.

This article describes how to apply Conditional Access policies to your Quick Access and Private Access apps.

Prerequisites

Known limitations

  • At this time, connecting through the Global Secure Access Client is required to acquire Private Access traffic.

Conditional Access and Global Secure Access

You can create a Conditional Access policy for your Quick Access or Private Access apps from Global Secure Access. Starting the process from Global Secure Access automatically adds the selected app as the Target resource for the policy. All you need to do is configure the policy settings.

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.

  2. Browse to Global Secure Access > Applications > Enterprise applications.

  3. Select an application from the list.

    Screenshot of the Enterprise applications details.

  4. Select Conditional Access from the side menu. Any existing Conditional Access policies appear in a list.

  5. Select New policy. The selected app appears in the Target resources details.

  6. Configure the conditions, access controls, and assign users and groups as needed.

You can also apply Conditional Access policies to a group of applications based on custom attributes. To learn more, go to Filter for applications in Conditional Access policy.

Assignments and Access controls example

Adjust the following policy details to create a Conditional Access policy requiring multifactor authentication, device compliance, or a Microsoft Entra hybrid joined device for your Quick Access application. The user assignments ensure that your organization's emergency access or break-glass accounts are excluded from the policy.

  1. Under Assignments, select Users:
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
  2. Under Access controls > Grant:
    1. Select Require multifactor authentication, Require device to be marked as compliant, and Require Microsoft Entra hybrid joined device
  3. Confirm your settings and set Enable policy to Report-only.

After administrators confirm the policy settings using report-only mode, an administrator can move the Enable policy toggle from Report-only to On.

User exclusions

Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policies:

  • Emergency access or break-glass accounts to prevent lockout due to policy misconfiguration. In the unlikely scenario all administrators are locked out, your emergency-access administrative account can be used to log in and take steps to recover access.
  • Service accounts and Service principals, such as the Microsoft Entra Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Calls made by service principals won't be blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies targeting service principals.
    • If your organization has these accounts in use in scripts or code, consider replacing them with managed identities.

Next steps