Organizations with Software-as-a-Service (SaaS) or Line-of-Business (LOB) applications might enforce specific network locations before allowing access. One approach is to use Microsoft Entra Private Access to route specific web application traffic with a privately controlled network. This approach allows you to enforce specific egress IPs that only your organization uses. This article describes how to configure Microsoft Entra Private Access to tunnel specific application traffic through a private network to satisfy an application's network-based access control policy.
Configure source IP anchoring to route traffic from a dedicated IP address
To let an application enforce access from a dedicated network, configure an enterprise application with Microsoft Entra Private Access. This configuration is necessary, for example, when the application allows access with local credentials that aren't tied to your identity provider, so the identity provider can't enforce the location requirement on its behalf.
This solution acquires application traffic on the client device and routes it through Microsoft's Secure Service Edge, then to a private network with a private network connector. From the private network, the traffic reaches the application over the internet or any other available private connection. The application sees the traffic as originating from the allowed egress IP address, which indicates that access is coming from the dedicated network and satisfies its own network access controls.
The following architectural diagram illustrates an example configuration.
In the example configuration, the application only allows connections that originate from 15.4.23.54, which is the egress IP address of the customer's on-premises network. When a user attempts to access the application, the Global Secure Access client acquires and tunnels the traffic through Microsoft's Secure Service Edge, where authorization control enforcement (such as Conditional Access) can occur. The traffic tunnels to the on-premises network using the Private Network Connector. Finally, the traffic uses the internet to connect to the web application. The application sees the connection originating from 15.4.23.54 and allows access.
Note
Configuring source IP anchoring is necessary when a SaaS app enforces its own network-based controls. If your requirement is limited to location enforcement from the identity provider, compliant network check is sufficient. Compliant network check enforces network-based access controls at the authentication layer and avoids the need to hairpin traffic through your private network. Global Secure Access binds traffic to your tenant ID to ensure that other organizations using Global Secure Access can't satisfy your Conditional Access policies.
Prerequisites
Before you get started with configuring source IP anchoring, make sure your environment is ready and compliant.
- You have a SaaS application that enforces its own network-based access control policy.
- Your license includes Microsoft Entra Suite or Microsoft Entra Private Access.
- You enabled the Microsoft Entra Private Access forwarding profile.
- You have the latest version of the Global Secure Access client.
Deploy private network connectors
When you meet the prerequisites, perform the following steps to deploy private network connectors:
- Install a private network connector in a private network that has outbound connectivity to the destination web application. A good option is to host the connector in an Azure Virtual Network where you control the outbound egress IP. We recommend that you install two or more connectors for resiliency and high availability.
- Provide the public egress IP addresses of the connectors' network to the SaaS app so that it allows connections from them and your users can connect to the app.
Configure source IP anchoring
After you install and configure the private network connectors, perform the following steps to create an enterprise application:
1. Navigate to entra.microsoft.com. Select Global Secure Access > Applications > Enterprise applications.
2. Select New application.
3. Enter a name for the application.
4. Select the Connector Group that acquires and routes the traffic.
5. Select Add application segment.
6. Complete the following fields:
   - Destination type -- Select Fully qualified domain name.
   - Fully qualified domain name -- Enter the fully qualified domain name of the web application.
   - Ports -- If the application uses HTTP, enter 80. If the application uses HTTPS, enter 443. You might also enter both ports.
   - Protocol -- Select TCP.
7. Select Apply.
8. Select Save.
9. Navigate back to Enterprise applications. Select the application that you created.
10. Select Users and groups.
11. Select Add user/group.
12. Select Users and groups > None Selected.
13. Search for and select the users and groups that you want to assign to this application. Select Select.
14. Select Assign.
Validate the configuration
After you configure an enterprise application for the web application, perform the following steps to validate that it's working properly.
1. In the Windows Global Secure Access client, open Advanced Diagnostics.
2. Select Forwarding profile.
3. Expand Private access rules. Validate that the web application's fully qualified domain name (FQDN) is in the list.
4. Select Traffic.
5. Select Start collecting.
6. In a browser, navigate to the web application.
7. Return to Advanced Diagnostics.
8. Select Stop collecting.
9. Validate these settings:
   - Check the application's logs (not in Microsoft Entra ID). Validate that the application sees the sign-in from an IP address that matches an egress IP of your private network.
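The following added example (not part of this article or the Global Secure Access product) shows both sides of the scenario described above: the source-address allow list a SaaS app like the one in the example configuration applies, and the check from the validation step that audits the app's own logs for sign-ins that did not arrive from an expected egress IP. The allowed range 15.4.23.54 comes from the article; the second range and all log lines are constructed sample data.

```python
import ipaddress
import re

# Constructed allow list: the article's egress IP plus a hypothetical second
# connector site, to show that allow lists are normally expressed as CIDRs.
ALLOWED_EGRESS = [
    ipaddress.ip_network("15.4.23.54/32"),
    ipaddress.ip_network("203.0.113.0/29"),  # hypothetical second site
]

# Constructed sample lines from the application's own log (not Entra sign-in logs).
# The IPv6 entry shows a sign-in that bypassed the tunnel: the client tunnels IPv4,
# which is why the troubleshooting section asks you to disable IPv6 on the client.
SAMPLE_APP_LOG = """\
2024-05-01T09:12:03Z user=alice@contoso.com action=login src=15.4.23.54 result=ok
2024-05-01T09:12:44Z user=bob@contoso.com action=login src=198.51.100.7 result=ok
2024-05-01T09:13:10Z user=carol@contoso.com action=login src=203.0.113.5 result=ok
2024-05-01T09:14:52Z user=dave@contoso.com action=login src=2001:db8::1 result=ok
2024-05-01T09:15:30Z user=erin@contoso.com action=login src=198.51.100.9 result=denied
"""

LOG_RE = re.compile(r"user=(?P<user>\S+) action=login src=(?P<src>\S+) result=(?P<result>\S+)")


def is_allowed_source(src, allowed=ALLOWED_EGRESS):
    """The app-side check: True only if src falls inside an allowed egress range.
    Unparseable addresses fail closed rather than being allowed."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def audit_sign_ins(log_text, allowed=ALLOWED_EGRESS):
    """The validation step: return successful sign-ins whose source address is not
    an expected egress IP. An empty list means every sign-in was anchored through
    the private network as intended."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["result"] != "ok":
            continue
        if not is_allowed_source(m["src"], allowed):
            findings.append({"user": m["user"], "src": m["src"]})
    return findings


if __name__ == "__main__":
    for f in audit_sign_ins(SAMPLE_APP_LOG):
        print(f"sign-in from unexpected source: {f['user']} from {f['src']}")
```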
Troubleshooting
Ensure that you disabled QUIC, IPv6, and encrypted DNS. You can find details in our troubleshooting guide for the Global Secure Access client.
Next steps
- The Global Secure Access dashboard provides you with visualizations of the network traffic acquired by the Microsoft Entra Private and Microsoft Entra Internet Access services.