Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Secure Shell (SSH) is widely recognized across the IT industry as a critical service for system administrators. It provides a secure and encrypted method to access and manage remote systems over unsecured networks. IT administrators rely on SSH to perform essential tasks securely, including the configuration, deployment, and maintenance of servers and applications in an organization’s infrastructure.
In this guide and in this video, you learn how to configure and establish an SSH connection using Microsoft Entra Private Access to enhance security in your remote access workflows.
Establish SSH connections with Microsoft Entra Private Access
Microsoft Entra Private Access enhances the security and efficiency of SSH management traffic by providing a secure, identity-centric Zero Trust Network Access (ZTNA) solution by allowing IT administrators to establish SSH connections to remote servers securely.
Prerequisites
Ensure you meet the following prerequisites.
- Licensing - Learn about licensing for Microsoft Global Secure Access
- Learn more about Microsoft Entra plans and pricing
- See, Global Secure Access client for Windows
- A remote server with SSH enabled
- Microsoft Global Secure Access private network connector with network connectivity to the resource
- Learn how to configure connectors
- A device with the Global Secure Access client
- Private Access profile enabled
- Global Secure Access Administrator role for administrators
- Learn about built-in roles
Configure SSH traffic acquisition and secure with Conditional Access policies
To create the Enterprise Application:
- In Microsoft Entra admin center, browse to Global Secure Access.
- Select Applications, then select Enterprise application.
- Select New application.
- Type a name for the SSH enterprise application.
- The Create application segment panel appears.
- To application segments to acquire SSH traffic, select Destination type and add the IPs or subnets that provide a connection to your remote server.
- Configure Port to acquire traffic destined for port 22.
- For Protocol, select TCP.
- Select Save.
Assign users and groups to the application. Only users assigned to the enterprise application will have the ability to connect to it over the designated application segment(s).
- In the Microsoft Entra admin center, browse to Global Secure Access.
- Select Applications, then select Enterprise application.
- Select the SSE enterprise application you created and then select Users and groups.
- Add users and groups that require access.
- If desired, create Microsoft Entra Conditional Access policy to increase application security. For more information, see Apply Conditional Access policies to Private Access apps.
- Confirm you can access the SSH services from the client device.
Configuration checklist
Use the following checklist to help confirm configuration.
- Ensure the server is running and accessible by the SSH port.
- Confirm the correct host firewall configuration.
- Find guidance in OpenSSH Server configuration for Windows.
- Confirm the application segment has downloaded to the Global Secure Access client.
- Right-click the Global Secure Access client icon in the Windows taskbar.
- Select Advanced Diagnostics > Forwarding profile > Private Access.
- Verify the application appears in the access profile.
Connection failure
If the connection fails, use the following checklist.
- Verify the server IP address and port number.
- Confirm the SSH port is allowed from a Private Connector server.
- Isolate firewall rules that might block SSH traffic.
- Validate the Global Secure Access client captures traffic.
- Verify users are assigned to the application.