Microsoft Entra Private Access extends the reach of Azure Private Link to remote and on-premises users, and puts modern authentication controls, such as Conditional Access, in front of Azure Platform as a Service (PaaS) resources.
Azure Private Link lets you reach Azure PaaS services such as Azure Storage and Azure SQL Database, as well as your own Azure-hosted services and partner services, over a private endpoint in your virtual network. As a result, resources such as virtual machines (VMs) communicate with Private Link resources over private IP addresses without traversing the public internet.
To learn more about Azure Private Link, see What is Azure Private Link?.
This article shows you how to use Microsoft Entra Private Access to access an Azure Storage account behind Azure Private Link.
Prerequisites
- Administrators who interact with Global Secure Access features must have one or more of the following role assignments, depending on the tasks they perform:
- The Global Secure Access Administrator role, to manage Global Secure Access features.
- The Conditional Access Administrator role, to create and manage Conditional Access policies.
- Set up a storage account behind Azure Private Link. To learn how to set up a storage account in Azure Private Link, see Tutorial: Connect to a storage account using an Azure Private Endpoint. To learn more about private endpoints in Azure Private Link, see What is a private endpoint?.
- Deploy a Microsoft Entra private network connector in a private virtual network. To learn how to deploy a connector, see How to configure private network connectors for Microsoft Entra Private Access and Microsoft Entra application proxy. To learn more about connectors, see Understand the Microsoft Entra private network connector. To learn more about connector groups, see Understand Microsoft Entra private network connector groups. To learn more about Azure Virtual Network, see What is Azure Virtual Network?.
Create a Global Secure Access application for the Azure storage account
- Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
- Browse to Global Secure Access > Applications > Enterprise applications.
- Select New application.
- Select the connector group that contains the connector deployed in the private virtual network.
- Select Add application segment and enter the following values:
- Destination type: FQDN
- Fully Qualified Domain Name (FQDN): the FQDN of the storage account, for example storage1.blob.core.windows.net
- Ports: 443
- Protocol: TCP
- Select Apply to add the application segment.
- Select Save to save the application.
- Assign users to the application.
Validate the configuration
First confirm that the connector machine can reach the storage account. The connector is deployed in the same private virtual network as the private endpoint, so the FQDN should resolve to the private endpoint's IP address and a connection on TCP port 443 should succeed.
Then test connections to the storage account from outside the private virtual network. Computers that don't have the Global Secure Access client installed should fail; computers that have the client installed and are assigned to the application should succeed. Note that a private endpoint doesn't by itself block the account's public endpoint: for the test from a computer without the client to fail, the storage account's networking settings must have public network access disabled (or restricted by the storage firewall), otherwise that computer reaches the account over the public endpoint and the check proves nothing about Private Access.
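The following PowerShell script is an added example for the validation step; it's not part of the original article or a Microsoft-provided tool. Run it once on the connector VM, once on a workstation without the Global Secure Access client, and once on a workstation with the client. It records what the FQDN resolves to on that host, whether a TCP connection to port 443 completes (matching the TCP/443 application segment), and, if it does, the subject of the TLS certificate presented by the far end, which confirms the connection reached the Azure Storage front end rather than some other listener. The account name storage1 is a placeholder assumption.

```powershell
# Added example, not from the original article. Validates reachability of a
# storage account behind Azure Private Link from wherever the script is run.
# Assumption: 'storage1' is a placeholder; pass your own account FQDN.
param(
    [string]$StorageAccountFqdn = 'storage1.blob.core.windows.net'
)

function Test-PrivateLinkStorage {
    param([Parameter(Mandatory = $true)][string]$Fqdn)

    $result = [ordered]@{
        Fqdn              = $Fqdn
        ResolvedAddresses = @()
        TcpConnect        = $false
        TlsSubject        = $null
    }

    # 1. DNS: record which addresses this host resolves the FQDN to. On the
    #    connector VM this should be the private endpoint's address in the VNet.
    try {
        $records = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
        $result.ResolvedAddresses = @($records | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    } catch {
        Write-Warning "DNS resolution failed for ${Fqdn}: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. TCP: does a connection to port 443 complete? This is the same
    #    port/protocol as the application segment (TCP/443).
    $tcp = Test-NetConnection -ComputerName $Fqdn -Port 443 -WarningAction SilentlyContinue
    $result.TcpConnect = [bool]$tcp.TcpTestSucceeded
    if (-not $result.TcpConnect) {
        return [pscustomobject]$result
    }

    # 3. TLS: complete a handshake and read the server certificate subject.
    #    A subject under blob.core.windows.net shows the bytes reached the
    #    Azure Storage front end, not just something else listening on 443.
    $client = [System.Net.Sockets.TcpClient]::new($Fqdn, 443)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($Fqdn)
            $result.TlsSubject = $ssl.RemoteCertificate.Subject
        } finally {
            $ssl.Dispose()
        }
    } catch {
        Write-Warning "TLS handshake failed for ${Fqdn}: $($_.Exception.Message)"
    } finally {
        $client.Dispose()
    }

    return [pscustomobject]$result
}

Test-PrivateLinkStorage -Fqdn $StorageAccountFqdn | Format-List
```

Compare the three runs: the connector VM and the workstation with the client should both show TcpConnect as True and a TLS subject for the storage service, while the workstation without the client should fail at the TCP step (or at DNS, if the public endpoint is disabled and nothing resolves the name to a reachable address). If that last run succeeds, check the storage account's public network access setting before concluding that Private Access is working.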