Entra Private Access and VPN Migration Strategies on Entra.News

I recently had the opportunity to connect with Merill Fernando from Microsoft as a guest on his popular Entra.News podcast to discuss Microsoft Entra Private Access, which is part of the Entra Global Secure Access Security Service Edge (SSE) service. We spent the hour talking about the similarities and differences between classic VPN technologies and zero-trust network access (ZTNA). In addition, we discussed some technical aspects of Entra Private Access, and I shared migration and coexistence strategies to help ease the transition to zero trust. Also, we discussed the importance of integrating Entra Conditional Access and the shift from network to application access. You’ll find the interview at Entra.News and also on YouTube. Enjoy!

Additional Information

How to Migrate from Legacy VPN to Entra Private Access – Entra.News

Microsoft Entra Private Access

Always On VPN vs. Entra Private Access

Microsoft Entra Private Access Network Connector Overview and Deployment Strategies

Microsoft Entra Private Access Intelligent Local Access

Leave a comment
by Richard M. Hicks on March 17, 2026  •  Permalink
Posted in Always On VPN, AOVPN, Entra, Entra Conditional Access, Entra Global Secure Access, Entra ID, Entra Private Access, Entra Private Network Connector, Global Secure Access, GSA, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra Private Access, migration, Private Network Connector, SASE, Secure Service Edge, Security, Security Service Edge, SSE, video, VPN, Windows 10, Windows 11, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 17, 2026

https://directaccess.richardhicks.com/2026/03/17/entra-private-access-and-vpn-migration-strategies-on-entra-news/

DirectAccess IPHTTPS and Let’s Encrypt 6-Day Certificates

I’ve written extensively about how public TLS certificate lifetimes will drop to just 47 days by March 2029. Before then, we’ll see certificate lifetimes gradually drop from the current 398 days to 200 days on March 15, 2026, and then to 100 days on March 15, 2027. In preparation for this, I’ve been working with many customers to deploy automated certificate enrollment and renewal solutions to eliminate the need for manual intervention. Interestingly, Let’s Encrypt now offers extremely short-lived certificates that are good for just 6 days! While they work just fine for Always On VPN, I discovered they will not work for DirectAccess.

6-Day Certificate

After successfully enrolling for a 6-day TLS certificate from Let’s Encrypt (I used CertKit, BTW!), I encountered an error when trying to assign the short-lived certificate to the IP-HTTPS listener in the DirectAccess configuration. Specifically, when running the Set-RemoteAccess PowerShell command, I received the following error.

Set-RemoteAccess: The parameter is incorrect.

Further investigation showed that I could install other public TLS certificates just fine. For some reason, though, DirectAccess did not like this new 6-day certificate.

Missing Subject Name

After digging a bit deeper, I realized the Subject field of the new 6-day Let’s Encrypt certificate was empty.

Subject vs. SAN in Modern TLS

Modern TLS clients rely entirely on the Subject Alternative Name (SAN) field for identity validation, and the older practice of matching against the certificate’s Subject field has been phased out for many years. Many certificate authorities, including Let’s Encrypt, now leave the Subject field empty because it no longer serves a functional purpose in current TLS implementations. DirectAccess still expects this field to contain data and does not properly fall back to SAN‑only validation. As a result, any certificate with an empty Subject field, such as the new 6‑day certificates from Let’s Encrypt, will fail when applied to the DirectAccess IP‑HTTPS listener.

Workaround

Admittedly, using 6-Day public TLS certificates for DirectAccess is extreme and likely overkill for this workload. The good news is that DirectAccess still works perfectly with 90-day Let’s Encrypt certificates, so the lack of 6-day certificate support should not be impactful.

CertKit

Have you heard about CertKit? CertKit, an online service for automating Let’s Encrypt certificate enrollment and renewal, has added support for Always On VPN and DirectAccess. Find details on leveraging it for public TLS certificates for these solutions here.

Additional Information

Always On VPN SSTP with Let’s Encrypt Certificates

Always On VPN and 47-Day Public TLS Certificates

The Case for Short-Lived Certificates in Enterprise Environments

CertKit Agent Support for Always On VPN SSTP and DirectAccess IP-HTTPS TLS Certificates

Leave a comment
by Richard M. Hicks on March 16, 2026  •  Permalink
Posted in administration, Always On VPN, AOVPN, Automation, certificates, CertKit, cloud, Cloud Service, Cryptography, Deployment, Encryption, Enterprise, enterprise mobility, Infrastructure, IP-HTTPS, IPv6 Transition, Microsoft, Mobility, Operational Support, PKI, public cloud, Remote Access, routing and remote access service, RRAS, Security, SSL and TLS, TLS, Transport Layer Security, troubleshooting, VPN, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , ,

Posted by Richard M. Hicks on March 16, 2026

https://directaccess.richardhicks.com/2026/03/16/directaccess-iphttps-and-lets-encrypt-6-day-certificates/

Midwest Management Summit (MMSMOA) 2026

I’m excited to be presenting two sessions at the upcoming Midwest Management Summit at Mall of America (MMSMOA), taking place May 3-7, 2026, at the Radisson Blu in Bloomington, MN. This is the premier systems management event in the U.S., offering unrivaled access to Microsoft and industry professionals from around the world.

Cloud PKI for Intune

My first session, Zero to Certificates in 5 Minutes with Cloud PKI for Microsoft Intune, covers how to quickly configure and deploy certificates using Cloud PKI for Microsoft Intune. This session is ideal for anyone looking to streamline certificate management without the traditional heavy infrastructure burden.

Entra Private Access

My second session, Moving to Zero Trust: Entra Private Access for Always On VPN Administrators, explores the transition from traditional Always On VPN to Microsoft’s Entra Private Access, highlighting practical steps, architectural differences, and the benefits of maintaining secure access in a modern Zero Trust environment. I will also share important migration tips, tricks, and best practices.

Let’s Connect!

Looking forward to diving into these topics with everyone there. I hope to see some familiar faces and meet new ones, too! If you are attending the event, be sure to say hello!

Additional Information

Midwest Management Summit at Mall of America (MMSMOA)

Cloud PKI for Microsoft Intune on RunAs Radio

Microsoft Entra Private Access on RunAs Radio

Leave a comment
by Richard M. Hicks on March 13, 2026  •  Permalink
Posted in Active Directory Certificate Services, Certificate Authentication, Certificate Services, Certificate-Based Authentication, certificates, Cloud PKI, Conference, education, Entra, Entra Private Access, Entra Private Network Connector, learning, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Private Access, PKI, Training, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 13, 2026

https://directaccess.richardhicks.com/2026/03/13/midwest-management-summit-mmsmoa-2026/

« Older Posts