App Proxy

Last Updated: 6th March 2025

Azure Entra External Access: Revolutionising Secure Remote Access

Technical Overview

In today’s hybrid work environment, organisations face a critical challenge: enabling secure, seamless access to on-premises applications for remote users. Azure Entra External Access (formerly Azure AD App Proxy) is Microsoft’s answer to this challenge. It provides a lightweight, secure, and scalable solution for publishing on-premises applications to remote users without the need for a traditional VPN or complex network configurations.

Architecture

The architecture of Entra External Access is elegantly simple yet robust. At its core, it consists of two main components:

  • Application Proxy Connector: A lightweight agent installed on an on-premises server. It acts as a bridge between the on-premises application and Azure Entra External Access, securely forwarding requests from users to the application.
  • Azure Entra External Access Service: This cloud-based service handles authentication, authorisation, and secure routing of user requests to the on-premises application.

The connector establishes an outbound connection to Azure, eliminating the need to open inbound ports in the corporate firewall. This design significantly reduces the attack surface and simplifies deployment.

Scalability

Entra External Access is designed to scale effortlessly with your organisation’s needs. Whether you’re supporting a small team or a global workforce, the service can handle varying loads without requiring additional infrastructure investments. Multiple connectors can be deployed in a high-availability configuration to ensure uninterrupted access, even during maintenance or unexpected outages.

Data Processing

Data security is a cornerstone of Entra External Access. All traffic between the user and the on-premises application is encrypted using TLS. Additionally, the service integrates seamlessly with Azure Entra ID to enforce conditional access policies, multi-factor authentication (MFA), and identity protection measures. This ensures that only authorised users can access sensitive applications, and their access is continuously monitored and evaluated.

Integration Patterns

Entra External Access supports a wide range of integration patterns, making it suitable for diverse application scenarios:

  • Web Applications: Publish internal web applications, such as SharePoint, intranet portals, or custom line-of-business apps, to remote users.
  • Remote Desktop Services (RDS): Provide secure access to on-premises RDS environments without exposing them directly to the internet.
  • API Gateways: Enable secure access to internal APIs for developers or external partners.

These integration patterns allow organisations to modernise their access strategies without re-architecting their existing applications.

Advanced Use Cases

Beyond basic application publishing, Entra External Access supports advanced use cases that cater to complex organisational needs:

  • Zero Trust Implementation: Entra External Access aligns with Zero Trust principles by verifying every access request based on user identity, device compliance, and contextual signals.
  • Hybrid Identity Scenarios: Integrate with on-premises Active Directory to provide a unified identity experience across cloud and on-premises environments.
  • Partner and Vendor Access: Use Entra External Access in conjunction with Entra External ID to securely grant access to external users without compromising internal security.

Business Relevance

Why should organisations care about Entra External Access? The answer lies in its ability to address critical business challenges:

  • Cost Efficiency: By eliminating the need for VPN infrastructure and reducing dependency on traditional network security models, organisations can achieve significant cost savings.
  • Enhanced Security: With built-in support for conditional access, MFA, and continuous access evaluation, Entra External Access provides a robust security framework that mitigates the risk of unauthorised access.
  • Improved User Experience: Remote users can access on-premises applications as easily as cloud-based ones, enhancing productivity and satisfaction.
  • Agility and Flexibility: Organisations can quickly adapt to changing business needs, such as enabling remote work or supporting mergers and acquisitions, without overhauling their IT infrastructure.

Best Practices

To maximise the benefits of Entra External Access, organisations should follow these best practices:

  • Deploy Multiple Connectors: For high availability and load balancing, deploy at least two connectors in different locations.
  • Leverage Conditional Access: Define granular access policies based on user roles, device compliance, and location to minimise security risks.
  • Monitor Usage: Use Azure Monitor and Log Analytics to track access patterns, identify anomalies, and optimise performance.
  • Regularly Update Connectors: Ensure that the Application Proxy Connector is always up to date to benefit from the latest security and performance enhancements.
  • Integrate with Identity Governance: Use Azure Identity Governance to manage access lifecycle and ensure compliance with organisational policies.
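As an added example (not code from the page or from Microsoft), the following Python script turns the first and fourth best practices above into an automated check: it audits a connector-group inventory for at least two active connectors per group, for connectors that appear to sit in different locations, and for connectors running an outdated version. It assumes the inventory is the JSON returned by the Microsoft Graph beta endpoint `GET /beta/onPremisesPublishingProfiles/applicationProxy/connectorGroups?$expand=members` and that each member carries `machineName`, `externalIp`, `status` and `version`; those names and the endpoint are assumptions to verify against current Graph documentation. The sample inventory, the helper `fetch_connector_groups` and the use of distinct egress IPs as a stand-in for "different locations" are all constructed for illustration.

```python
"""Audit Entra Application Proxy connector groups against the best practices
listed above: at least two active connectors per group, spread across
locations, and running a current connector version.

Assumptions (not from the page): the inventory is the JSON returned by the
Microsoft Graph beta endpoint
GET /beta/onPremisesPublishingProfiles/applicationProxy/connectorGroups?$expand=members
and each member carries machineName, externalIp, status and version.
Verify those names against current Graph documentation before relying on them.
"""
import json
import urllib.request

# Constructed sample inventory in the assumed Graph shape (not real tenant data).
SAMPLE_GROUPS = [
    {
        "name": "Default",
        "members": [
            {"machineName": "cnx-01", "externalIp": "203.0.113.10",
             "status": "active", "version": "1.5.3437.0"},
            {"machineName": "cnx-02", "externalIp": "198.51.100.20",
             "status": "active", "version": "1.5.3437.0"},
        ],
    },
    {
        "name": "Finance",
        "members": [
            {"machineName": "fin-cnx-01", "externalIp": "203.0.113.10",
             "status": "active", "version": "1.5.2846.0"},
            {"machineName": "fin-cnx-02", "externalIp": "203.0.113.10",
             "status": "inactive", "version": "1.5.2846.0"},
        ],
    },
]


def version_tuple(version):
    """Turn '1.5.3437.0' into (1, 5, 3437, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_connector_group(group, min_version=None, min_active=2):
    """Return a list of findings for one connector group (empty list = compliant)."""
    findings = []
    members = group.get("members", [])
    active = [m for m in members if m.get("status") == "active"]

    # Best practice 1: at least two active connectors for HA and load balancing.
    if len(active) < min_active:
        findings.append({"check": "too_few_active",
                         "detail": f"{len(active)} active connector(s), need {min_active}"})

    # "Different locations": distinct public egress IPs are used here as a
    # proxy for distinct sites (assumption; a shared NAT can hide two sites).
    egress_ips = {m.get("externalIp") for m in active}
    if len(active) >= 2 and len(egress_ips) < 2:
        findings.append({"check": "single_egress_ip",
                         "detail": f"all active connectors egress via {egress_ips.pop()}"})

    for m in members:
        # Inactive connectors add no capacity; report them so they get fixed or removed.
        if m.get("status") != "active":
            findings.append({"check": "inactive_connector", "detail": m.get("machineName")})
        # Best practice 4: every connector should run a current version.
        if min_version and version_tuple(m["version"]) < version_tuple(min_version):
            findings.append({"check": "outdated_version",
                             "detail": f"{m.get('machineName')} runs {m['version']} < {min_version}"})
    return findings


def audit_all(groups, min_version=None):
    """Audit every group; returns {group name: [findings]}."""
    return {g["name"]: audit_connector_group(g, min_version) for g in groups}


def fetch_connector_groups(access_token):
    """Pull the live inventory with a Graph token (assumed endpoint, see module docstring)."""
    url = ("https://graph.microsoft.com/beta/onPremisesPublishingProfiles/"
           "applicationProxy/connectorGroups?$expand=members")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    # Runs offline against the constructed sample; swap in fetch_connector_groups(token)
    # to audit a real tenant.
    for name, findings in audit_all(SAMPLE_GROUPS, min_version="1.5.3437.0").items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  ", f["check"], "-", f["detail"])
```

The `min_version` argument is the connector version you consider current (take it from the newest connector you have deployed or from the release notes); passing `None` skips the version check. Findings are returned as plain dictionaries so the script can feed a ticketing system or a scheduled report rather than only printing to the console.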

Relevant Industries

Entra External Access is a versatile solution that can benefit a wide range of industries:

  • Healthcare: Enable secure access to electronic health records (EHR) and other critical applications for remote healthcare providers.
  • Financial Services: Provide secure access to trading platforms, customer portals, and internal tools for remote employees and partners.
  • Education: Facilitate remote access to learning management systems (LMS) and administrative tools for students and staff.
  • Manufacturing: Allow remote monitoring and management of production systems and supply chain applications.
  • Government: Ensure secure access to citizen services and internal applications for government employees and contractors.

Related Azure Services