Bulk creating Global Secure Access Enterprise applications using PowerShell

In this blog post, I want to share with you how to bulk create Global Secure Access (GSA) Enterprise applications using PowerShell. The need for this arose when I was tasked with creating an entry for every server in Microsoft Global Secure Access so that RDP to those servers could be controlled through GSA. This was one of those repetitive tasks where the chance of error is high if done manually. I didn’t want to create all those servers one by one, so I thought about whether I could do this using PowerShell. This presented me with the opportunity to use the new Microsoft Entra PowerShell module for the first time in “live action,” and I liked it a lot. It’s simple, fast, and easy to understand. You can download it here: Install Microsoft Entra PowerShell – Microsoft Entra PowerShell

The way I decided to do this was to create an Enterprise application in GSA for each server, and then add the server’s IP address and the server’s FQDN, together with port 3339, as the application segments. I’m also adding two Entra Security groups to each Enterprise application in GSA, one per server to provide access to that server through GSA and one shared group to create a tiering model. The first group is called “GSA – RDP – ServerName” and will provide RDP access to that server, and that server alone. The other group is called “GSA – RDP – Tier 2.” This group is added to all servers classified as Tier 2 servers, and all Tier 2 admins are added to that security group.

There will also be Tier 1 and Tier 0 groups added to Tier 1 and Tier 0 servers in GSA, respectively.

By doing it this way, we will accomplish tiering when it comes to line-of-sight RDP access for the admins, while still enabling consultants (internal guest users) to have access to one or two servers without providing line-of-sight to all servers through GSA.

Prerequisites

  • PowerShell module: Entra PowerShell module (Beta)
  • Permissions: ‘NetworkAccessPolicy.ReadWrite.All’, ‘Application.ReadWrite.All’, ‘NetworkAccess.ReadWrite.All’, ‘AppRoleAssignment.ReadWrite.All’, ‘Group.ReadWrite.All’, ‘Group.Create’
  • Private Network connector: Setup and running

I recommend that you create a Quick Access for the IP ranges of your servers like so:
(Please note this is just a sample)

  • IP address range (CIDR): 192.168.1.1/24
  • Ports: 1-52, 54-65535
  • Protocols: TCP, UDP

Along with a private DNS suffix for your domain like so:

The PowerShell script

The PowerShell script needs a .csv file that contains the list of the servers along with the IP addresses of the servers, like so:

TIP: If you use VMware, you can use RVTools to export the list for you.

The PowerShell script needs the following parameters:

  • Private Connector group name
  • Prefix for the Enterprise applications
  • Prefix for the Entra Security groups per server
  • Your domain name
  • Name of the Tier ACL Security group

When the PowerShell script is finished, you should be able to see all your servers created in Enterprise Application in GSA.
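The following is an added example of how the procedure described above can be scripted; it is not the author’s own script. It assumes the Microsoft Entra PowerShell Beta module, a CSV with the columns ServerName and IPAddress, an existing tier security group, and the standard RDP port 3389; the cmdlet and parameter names are taken from that module as I understand them and should be checked with Get-Help before use.

```powershell
# Added example (not the blog author's script): one GSA Private Access app per server from a CSV.
# Assumptions: Microsoft Entra PowerShell Beta module; CSV columns ServerName,IPAddress;
# cmdlet/parameter names below should be verified with Get-Help against your module version.
param(
    [Parameter(Mandatory)][string]$CsvPath,             # constructed input, e.g. .\servers.csv
    [Parameter(Mandatory)][string]$ConnectorGroupName,  # Private Network connector group name
    [Parameter(Mandatory)][string]$DomainName,          # placeholder, e.g. corp.example.com
    [Parameter(Mandatory)][string]$TierGroupName,       # e.g. 'GSA - RDP - Tier 2' (must already exist)
    [string]$AppPrefix   = 'GSA - RDP - ',              # prefix for the Enterprise applications
    [string]$GroupPrefix = 'GSA - RDP - ',              # prefix for the per-server security groups
    [string]$RdpPort     = '3389'                       # assumed standard RDP port
)
$scopes = 'NetworkAccessPolicy.ReadWrite.All', 'Application.ReadWrite.All', 'NetworkAccess.ReadWrite.All',
          'AppRoleAssignment.ReadWrite.All', 'Group.ReadWrite.All'
Connect-Entra -Scopes $scopes

$connectorGroup = Get-EntraBetaApplicationProxyConnectorGroup -All | Where-Object Name -eq $ConnectorGroupName
if (-not $connectorGroup) { throw "Connector group '$ConnectorGroupName' not found" }
$tierGroup = Get-EntraBetaGroup -Filter "displayName eq '$TierGroupName'"
if (-not $tierGroup) { throw "Tier group '$TierGroupName' not found; create it first" }

# App role used when a group is assigned to an app that defines no custom roles ("default access").
$defaultAppRole = '00000000-0000-0000-0000-000000000000'

foreach ($server in Import-Csv -Path $CsvPath) {
    $appName = "$AppPrefix$($server.ServerName)"
    $fqdn    = "$($server.ServerName).$DomainName"

    # Skip servers that already have an app so the script can be re-run safely after a failure.
    if (Get-EntraBetaServicePrincipal -Filter "displayName eq '$appName'") {
        Write-Warning "$appName already exists, skipping"; continue
    }
    $app = New-EntraBetaPrivateAccessApplication -ApplicationName $appName -ConnectorGroupId $connectorGroup.Id

    # One segment for the IP address and one for the FQDN, RDP over TCP only (least exposure).
    foreach ($seg in @(@{ Host = $server.IPAddress; Type = 'ipAddress' }, @{ Host = $fqdn; Type = 'fqdn' })) {
        New-EntraBetaPrivateAccessApplicationSegment -ApplicationId $app.Id -DestinationHost $seg.Host `
            -DestinationType $seg.Type -Ports $RdpPort -Protocol 'tcp' | Out-Null
    }

    # Per-server group (access to this server only) plus the shared tier group.
    $serverGroup = New-EntraBetaGroup -DisplayName "$GroupPrefix$($server.ServerName)" `
        -SecurityEnabled $true -MailEnabled $false -MailNickname "gsa-rdp-$($server.ServerName)"
    $sp = Get-EntraBetaServicePrincipal -Filter "displayName eq '$appName'"
    foreach ($principalId in @($serverGroup.Id, $tierGroup.Id)) {
        New-EntraBetaServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -ResourceId $sp.Id `
            -Id $defaultAppRole -PrincipalId $principalId | Out-Null
    }
    Write-Host "Created $appName ($fqdn / $($server.IPAddress))"
}
```

Run it once against a CSV containing a single test server first, then verify the segments and group assignments in the GSA portal before running it against the full list.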

Closing thoughts

Using PowerShell in this way is a great way to avoid mistakes, considering that you might have hundreds of servers for which you need to create an Enterprise application in Global Secure Access. So in sharing this PowerShell script, I hope I can save the next person some time 🙂