Apply Conditional Access policies to Private Access apps
Applying Conditional Access policies to your Microsoft Entra Private Access apps is a powerful way to enforce security policies for your internal, private resources. You can apply Conditional Access policies to your Quick Access and Private Access apps from Global Secure Access (preview).
This article describes how to apply Conditional Access policies to your Quick Access and Private Access apps.
- Administrators who interact with Global Secure Access preview features must have one or more of the following role assignments depending on the tasks they're performing.
- You need to have configured Quick Access or Private Access.
- The preview requires a Microsoft Entra ID P1 license. If needed, you can purchase licenses or get trial licenses.
- At this time, connecting through the Global Secure Access Client is required to acquire Private Access traffic.
Conditional Access and Global Secure Access
You can create a Conditional Access policy for your Quick Access or Private Access apps from Global Secure Access. Starting the process from Global Secure Access automatically adds the selected app as the Target resource for the policy. All you need to do is configure the policy settings.
Browse to Global Secure Access (preview) > Applications > Enterprise applications.
Select an application from the list.
Select Conditional Access from the side menu. Any existing Conditional Access policies appear in a list.
Select Create new policy. The selected app appears in the Target resources details.
Configure the conditions, access controls, and assign users and groups as needed.
You can also apply Conditional Access policies to a group of applications based on custom attributes. To learn more, go to Filter for applications in Conditional Access policy (Preview).
Assignments and Access controls example
Adjust the following policy details to create a Conditional Access policy requiring multifactor authentication, device compliance, or a Microsoft Entra hybrid joined device for your Quick Access application. The user assignments ensure that your organization's emergency access or break-glass accounts are excluded from the policy.
- Under Assignments, select Users:
- Under Include, select All users.
- Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
- Under Access controls > Grant:
- Select Require multifactor authentication, Require device to be marked as compliant, and Require Microsoft Entra hybrid joined device
- Confirm your settings and set Enable policy to Report-only.
After administrators confirm the policy settings using report-only mode, an administrator can move the Enable policy toggle from Report-only to On.
Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policies:
- Emergency access or break-glass accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant to take steps to recover access.
- More information can be found in the article, Manage emergency access accounts in Microsoft Entra ID.
- Service accounts and service principals, such as the Microsoft Entra Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals won't be blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies targeting service principals.
- If your organization has these accounts in use in scripts or code, consider replacing them with managed identities. As a temporary workaround, you can exclude these specific accounts from the baseline policy.