
Automating Web Application Creation in Global Secure Access Using PowerShell

When working with Microsoft Global Secure Access (GSA), you will find yourself in the beginning creating Enterprise Applications manually for apps that will use Private Access. That could be for RDP access or application access to an on-premises system. I was recently tasked with adding a lot of websites that needed to be processed through the Private Access connector (about 25). That sort of task needs to be done, but it is very error-prone if you create the applications one by one manually. In my case, I also needed to create a security group for each web application that would be used to provide access to that app, in order to segment the access.

I decided to create a PowerShell script that would automatically create all the web apps in the Microsoft Entra portal. In this blog post, I will go over how the script is used and what it actually does.

Prerequisites:

The script

The PowerShell script uses a .csv file that needs to contain the name of the Enterprise application you want created, and the URL for the web application. The script will add that URL with both port 80 (HTTP) and 443 (HTTPS).

There is also the ApplicationPrefix variable. This will create the Enterprise Application with a prefix + application name so you don’t get them “mixed” with your other Enterprise Applications and can easily identify them. I’m using “GSA – Web – “. This makes it easier for me to identify that the Enterprise application is used in GSA and is a web application (or public website that provides access based on the user’s public IP).

Lastly, you will need to add the ID of your Connector Group in Entra GSA. You can find that by navigating here: Connectors and sensors – Microsoft Entra admin center

Or you can use PowerShell:
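The following is an added example (not the script from this post) showing how to list the connector groups in your tenant with the Microsoft Graph PowerShell SDK so you can pick the ID to pass to the script. It assumes the Graph beta endpoint for connector groups under the applicationProxy publishing profile and the Directory.ReadWrite.All scope; check both against the current Graph documentation for your tenant.

```powershell
# Added example: list Private Access / App Proxy connector groups and their IDs.
# Requires the Microsoft.Graph.Authentication module (Install-Module Microsoft.Graph).
# Assumption: connector groups are exposed at the beta endpoint below and the scope
# Directory.ReadWrite.All is sufficient to read them.
Connect-MgGraph -Scopes 'Directory.ReadWrite.All' -NoWelcome

$uri = 'https://graph.microsoft.com/beta/onPremisesPublishingProfiles/applicationProxy/connectorGroups'
$connectorGroups = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

# The "id" column is the value the provisioning script expects as its connector group ID.
$connectorGroups |
    Select-Object name, id, isDefault, region |
    Format-Table -AutoSize
```

If your tenant has several connector groups, pick the one whose connectors sit in the network that can actually reach the web applications; assigning an app to a group with no healthy connector will make every segment fail silently from the client's point of view.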

The CSV file looks like this (see below). In this blog post, I’m going to be using my own IP checker tool – https://ipcheck.christianfrohn.dk, which is a simple Azure Static Web App with an Azure Function (Node.js).

When we run the script, we are going to focus on https://ipcheck.christianfrohn.dk. This is because we want to test that we are accessing that site via the Private Connector. If everything goes well, we can expect to see this IP: 135.116.208.88, which is the Private Connector’s public IP.

The script reads through the CSV file and for each web application, it creates the Enterprise Application in GSA, adds the URL with ports 80 and 443, creates a security group for access management, and assigns that group to the application.
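The block below is an added example that re-creates the flow described above; it is not the author's script. It reads rows of Name,Url (a constructed sample is embedded for running without a file), instantiates a Private Access enterprise application per row, publishes the URL's host as an FQDN segment on TCP 80 and 443, binds the app to the connector group, creates one security group per app and assigns that group to the app. The Graph beta endpoints, the application template ID, the onPremisesPublishing payload shape, the instantiate response fields and the default app-role ID are assumptions drawn from the Microsoft Graph beta API; the connector group ID is a placeholder you must replace.

```powershell
#requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups
# Added example (not the post's own script). Assumptions are marked inline.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ConnectorGroupId  = '00000000-0000-0000-0000-000000000000',  # placeholder: your GSA connector group ID
    [string]$ApplicationPrefix = 'GSA - Web - ',
    [string]$CsvPath           = ''                                       # leave empty to use the sample rows below
)

$graph = 'https://graph.microsoft.com/beta'
$privateAccessTemplateId = '8adf8e6e-67b2-4cf2-a259-e3dc5476c621'  # assumption: Private Access (App Proxy) application template
$defaultAccessRoleId     = '00000000-0000-0000-0000-000000000000'  # assumption: default "User" app role on the service principal

# Constructed sample input with the same columns the real CSV file uses.
$sampleCsv = @'
Name,Url
IP Check,https://ipcheck.christianfrohn.dk
Intranet,https://intranet.example.internal
'@
$apps = if ($CsvPath) { Import-Csv -Path $CsvPath } else { $sampleCsv | ConvertFrom-Csv }

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Directory.ReadWrite.All', 'Group.ReadWrite.All' -NoWelcome

foreach ($app in $apps) {
    # Validate the row before touching the tenant: a bad host would create a useless or over-broad segment.
    $parsed = $null
    if ([string]::IsNullOrWhiteSpace($app.Name) -or
        -not [uri]::TryCreate($app.Url, [UriKind]::Absolute, [ref]$parsed) -or
        $parsed.Scheme -notin @('http', 'https')) {
        Write-Warning "Skipping row with missing name or invalid URL: $($app | ConvertTo-Json -Compress)"
        continue
    }
    $hostName    = $parsed.Host
    $displayName = "$ApplicationPrefix$($app.Name)"
    $groupName   = "$displayName - Users"
    $mailNick    = ($displayName -replace '[^A-Za-z0-9]', '').ToLower()   # mailNickname must be unique, no spaces

    if (-not $PSCmdlet.ShouldProcess($displayName, "Create Private Access app for $hostName (tcp 80,443) and group '$groupName'")) {
        continue
    }

    # 1. Instantiate the enterprise application from the Private Access template.
    #    Assumption: the response carries application.objectId and servicePrincipal.objectId.
    $inst = Invoke-MgGraphRequest -Method POST -Uri "$graph/applicationTemplates/$privateAccessTemplateId/instantiate" `
        -Body (@{ displayName = $displayName } | ConvertTo-Json)
    $appObjectId = $inst.application.objectId
    $spObjectId  = $inst.servicePrincipal.objectId

    # 2. Publish exactly one segment: the bare host, ports 80 and 443, TCP only (least exposure).
    $publish = @{
        onPremisesPublishing = @{
            applicationType           = 'nonwebapp'
            isAccessibleViaZTNAClient = $true
            segmentsConfiguration     = @{
                '@odata.type'       = '#microsoft.graph.ipSegmentConfiguration'
                applicationSegments = @(
                    @{ destinationHost = $hostName; destinationType = 'fqdn'; ports = @('80-80', '443-443'); protocol = 'tcp' }
                )
            }
        }
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "$graph/applications/$appObjectId" -Body ($publish | ConvertTo-Json -Depth 6)

    # 3. Bind the application to the connector group that will proxy its traffic.
    $refBody = @{ '@odata.id' = "$graph/onPremisesPublishingProfiles/applicationProxy/connectorGroups/$ConnectorGroupId" }
    Invoke-MgGraphRequest -Method PUT -Uri ("$graph/applications/$appObjectId/connectorGroup/" + '$ref') -Body ($refBody | ConvertTo-Json)

    # 4. One security group per app keeps access segmented; reuse an existing group instead of creating a duplicate.
    $escapedName = $groupName -replace "'", "''"
    $group = Get-MgGroup -Filter "displayName eq '$escapedName'" | Select-Object -First 1
    if (-not $group) {
        $group = New-MgGroup -DisplayName $groupName -MailEnabled:$false -MailNickname $mailNick -SecurityEnabled
    }

    # 5. Assign the group to the app's default access role so only its members get the segment.
    $assignment = @{ principalId = $group.Id; resourceId = $spObjectId; appRoleId = $defaultAccessRoleId }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/servicePrincipals/$spObjectId/appRoleAssignedTo" `
        -Body ($assignment | ConvertTo-Json) | Out-Null

    Write-Host "Created '$displayName' for $hostName and assigned group '$groupName'"
}
```

Run it once with -WhatIf to see the planned application and group names before anything is created; the row validation and the existing-group lookup are there so a re-run after a partial failure does not produce duplicate groups or segments for a malformed URL. Each application gets only the host from its URL on two TCP ports, which is the narrowest segment that still serves the site; widen it deliberately if an app needs more.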

Now we should see all three Enterprise applications created like so:

Now when we access https://ipcheck.christianfrohn.dk, we can see that the IP address is 135.116.208.88, and we can confirm that the creation worked and the traffic to that site goes through the Private Connector.

Final notes

In my testing, I had to try out different “IP tester” sites in order to see the “correct” public IP. Myip.com, for example, showed my “real” public IP and not my Private Connector’s public IP, so please have that in mind when you test. That is also why I decided to create my own Azure Static Web App to use for checking.

Remember that every app has been created with a corresponding Entra security group. You can then use Entra ID Governance to automatically assign access to the web applications using the groups (or directly to the applications if you wish).

I hope this script can help you save some time in creating Enterprise Applications for Global Secure Access.
