MartinRaepple
Part I of this two-part blog post series explains how to set up Multi-Factor Authentication (MFA) for SAP GUI with Microsoft Entra ID (formerly known as Microsoft Azure Active Directory, AAD) and SAP Secure Login Service (SLS) for SAP GUI. In this scenario, SLS issues a short-lived X.509 client certificate after successful authentication of the user at the SAP Cloud Services Identity Authentication (IAS) tenant. The IAS tenant acts as a SAML 2.0 proxy and forwards the authentication request to the user's Microsoft Entra ID tenant, where MFA is enforced using Microsoft Entra Conditional Access (CA). With the X.509 client certificate, SAP GUI establishes a Secure Network Communications (SNC) connection to the SAP Application Server (AS) ABAP to single sign-on (SSO) the user.

Elevate Security with Entra Private Access

This blog describes an alternative MFA solution for SAP GUI based on the Kerberos protocol, and uses Microsoft Entra Private Access (PA) instead of SLS and IAS to integrate with Entra. Entra PA, and its accompanying service Entra Internet Access, are unified under Global Secure Access (GSA) in the Microsoft Entra admin center. Both enforce an identity-centric Zero Trust Network Access (ZTNA) strategy. With ZTNA, access is granted per user to specific services or applications, whereas traditional technologies for secure network access, such as Virtual Private Networks (VPNs), grant access to an entire network. VPNs operate at the OSI network layer with protocols like IPsec. Entra PA as a ZTNA solution runs on the application layer and requires a software application, the Microsoft Entra Global Secure Access (GSA) client, to be installed on the user's devices. The GSA client implements an NDIS 6.0 lightweight filter (LWF) network driver to route any traffic to internal and external applications based on access rules defined centrally at the company's Entra ID tenant level.

Integration with Entra CA and Entra CAE

GSA deeply integrates with Entra CA to secure the access with modern authentication methods to those apps, and can add further controls as needed, such as requiring MFA as implemented in this tutorial, allowing access only from a device that fulfills corporate compliance requirements, or detecting sign-in risks like access from atypical locations.

Entra Continuous Access Evaluation (CAE) is integral to a Zero Trust strategy as it ensures that access is continuously monitored and adjusted based on real-time conditions, thereby enhancing security and reducing the risk of unauthorized access. Instead of relying solely on the expiration of the user's OAuth 2.0 access token (60 to 90 minutes by default) before the access is reevaluated, CAE listens to critical events from Entra ID and Entra CA, such as password resets, user deletion, or changes in the user's network location, and revokes the user's session or reevaluates a CA policy in near real time.

To prevent unauthorized access in time when a user moves to a different location that is not allowed by the organisation's CA policy, CAE-aware applications have to tell the token issuer (Entra ID) about these changes. They also must reject a token for a given user even though it hasn't expired, and require the user to re-authenticate because of an account compromise or other concerns. In this case, the application informs the CAE-aware client to request a new access token from Entra ID. The underlying communication protocol for CAE and the messages sent between the client, the application, and the token issuer are based on the OpenID Continuous Access Evaluation Profile (CAEP) industry standard, and require the clients and applications to adopt special libraries to support this mechanism.

Universal CAE is a platform feature of GSA and extends the benefits of CAE to any application accessed with GSA, without requiring the client or application to be CAE-aware. For events received from Entra ID, such as a password reset or the revocation of a user's login sessions by the Entra administrator, the GSA client terminates the active user session and prompts for re-authentication. Only after successful re-authentication is the user's network connectivity to resources protected by GSA restored. With this approach, Universal CAE can improve security for non-CAE-aware enterprise applications like SAP. This means that even though the SAP GUI client and the SAP application server do not support CAE natively, the GSA client can enforce CAE by routing the traffic through Entra Private Access.

Scenario walkthrough

Figure 1 shows the end-to-end authentication and data flow with Entra PA. For a live demo of the scenario, check out episode 219 of the SAP on Azure video podcast.

Although this blog post follows the same scenario as part I for a user accessing the on-premise SAP system with SAP GUI from a workstation connected to the same (corporate) network, this setup can also be applied to a remote access scenario where the workstation is only connected to the Internet and access to the internal SAP system must be secured.

Figure 1: SAP GUI MFA with Global Secure Access

  1. The user Jane Smith logs on to her workstation with her local domain credentials. The workstation is joined to the local AD and to the Entra ID tenant (aka hybrid-joined). By logging in to the local domain, Jane's workstation obtains a Kerberos ticket-granting ticket (TGT) from the AD Domain Controller (DC). The TGT is a special type of Kerberos ticket that can only be used to obtain other tickets from the DC's Ticket Granting Service (TGS) for other kerberized resources and services such as the SAP system.
  2. Jane launches the SAP Logon pad and double-clicks on the system entry for the SAP system with SID A4H. SNC is enabled for this system with a service principal registered in AD using the recommended User Principal Name (UPN) KerberosA4H and Service Principal Name (SPN) SAP/A4H which uniquely identifies the SAP system in Kerberos service tickets for single sign-on (SSO) requested by users. The SAP system has SNC configured with the service principal's credentials as described in steps 1 to 27 of this related blog post.
  3. SAP GUI processes the SNC-protected logon to the SAP system with SAP Secure Login Client (SLC). This requires a new Kerberos service ticket (ST) from the DC for Jane to single sign-on to the SAP system. Without PA, SLC would bypass Entra ID and request the ST for the SAP system from the DC with a Kerberos ticket-granting service request (TGS_REQ) message.
  4. With PA, the locally installed GSA client intercepts the SNC connection on port 3200 based on filter rules, called application segments, defined by GSA applications registered in the Entra ID tenant. These GSA apps represent the resources on the corporate network and control access to those internal apps by specifying the IP address or fully qualified domain name (FQDN), port number and transport layer protocol (TCP or UDP) of the network traffic that you want to intercept with PA. To secure SNC traffic to the SAP system A4H in figure 1, the GSA administrator registers the corresponding enterprise application SAP A4H with an application segment for its IP address 192.168.99.1, SNC port number 3200, and TCP as the transport protocol. The SAP A4H enterprise application is also configured as the target resource in the CA policy that enforces MFA for Jane Smith when she accesses this system. All Kerberos-related traffic (ports 88, 389, 464 and 123) to the DC (IP address 192.168.99.10) using transport protocols TCP and/or UDP is intercepted based on the application segments defined by the second enterprise application in this scenario, "Domain Controller". All segments from "SAP A4H" and "Domain Controller" are published to the GSA client(s) on the corporate workstation(s) as the GSA forwarding profile, which is synchronized regularly by a local policy retrieval service.
  5. The GSA client forwards the SNC connection request via Entra PA service to the Entra ID tenant for authentication. With Entra Cloud Sync, Jane's corporate user account and password hash in AD are securely synchronized to the Cloud, and she can SSO with her hybrid identity to her tenant from her hybrid-joined device.
  6. Upon successful authentication, Entra enforces the second authentication factor as defined by a CA policy that has the Global Secure Access application for the SAP A4H system defined as its target resource, and has a grant control set to Passwordless MFA, which triggers MFA for every new login request to the SAP system.
  7. GSA client opens a new browser window on Jane's workstation to start the MFA process using passwordless sign-in from Jane's Authenticator app on her mobile device. 
  8. Entra shows a message in the browser window that asks Jane to tap a number in her Authenticator app and complete the sign-in process by providing her PIN or biometric. No username or password is asked for at any time in the authentication flow. 
    Note: Jane authenticated at her hybrid-joined workstation in step 1 with her corporate username and password. If she had used a stronger authentication method such as Windows Hello for Business, which uses biometric data, Entra CA would consider this strong enough and would not re-enforce authentication with Jane's Authenticator app.
  9. Entra reports the successful completion of the MFA sign-in process back to the GSA client.
  10. SLC requests the ST for the SAP system with a TGS_REQ Kerberos message to the DC's Ticket Granting Service (TGS) on port 88, which is also intercepted by the GSA client based on the application segments defined by the "Domain Controller" enterprise application.
  11. GSA Client forwards the Kerberos TGS request to Entra PA.
  12. Since MFA has already been enforced and successfully completed for the previous SNC request, no further intervention from Entra CA is needed. Instead, Entra PA forwards the TGS request to the DC on the corporate network via the Entra private network connector. This agent establishes a secured tunnel from the corporate network over ports 80 and 443 to the Entra PA service and routes the inbound and outbound network traffic to all private resources defined by the Global Secure Access enterprise applications. Similar to the SAP Cloud Connector, there is no need to open inbound ports through the corporate firewall because traffic flows both ways once the connection is established. For a test setup, one connector instance on the DC is sufficient. However, in a complex production landscape with more on-premise apps, multiple connector instances can be organized into connector groups for high availability and load balancing, with each group handling traffic to specific applications.
  13. The Entra private network connector forwards the TGS request for Jane's SAP Kerberos ticket to the TGS on the DC. The TGS replies with a TGS_REP Kerberos response containing the ticket (for more details on the Kerberos protocol, see also this related blog post).
  14. The TGS_REP message gets forwarded to the SLC via Entra PA and the GSA Client.
  15. With the Kerberos ticket, SAP GUI and SLC can establish the SNC connection and single sign-on user Jane to the SAP system.
  16. Again, all traffic from the GSA client-controlled workstation on port 3200 is routed via Entra PA service and the private network connector on the DC.
  17. Entra private network connector routes SNC communication to the SAP system where Jane can be single signed-on. This requires that Jane's user name in the Kerberos ticket (jsmith@corp.bestrun.com) is correctly mapped to her SAP user account (JSMITH).

Prerequisites

Similar to part I of this blog series, the following prerequisites should be met before starting to implement this scenario:

System

Configuration

Domain Controller (DC)

  • Windows Server 2019 or later
  • Active Directory Domain Services (AD DS role). Installing the AD DS role and promoting a Windows Server to a domain controller is documented here. The domain name used in this tutorial is corp.bestrun.com (NetBIOS: CORP), but you can also choose any other name.
  • Microsoft Entra Cloud Sync: Follow these steps to download and install the on-premises agent on the DC and enable password writeback for cloud sync.

Workstation

The GSA on-prem software components, the Microsoft Entra Private Network Connector and the Global Secure Access client, will be installed on the DC and workstation in the following steps.

Ready? Then let's get started with activating PA for the Entra tenant 🚀

Activate Entra Private Access

 

  1.1 Log in as the administrator to the Domain Controller.
  1.2 Open the Entra Admin Center at https://entra.microsoft.com and log in as the tenant administrator. Select Global Secure Access from the navigation menu. Click the Activate button. Wait for the message that your tenant onboarding has completed successfully.
  1.3 Select Connect -> Traffic Forwarding from the navigation menu. Activate the switch for the Private access profile.
  1.4 Confirm the dialog box with OK.

 

Install the Entra Private Network Connector

Upon successful activation of the PA profile in the tenant, download and install the Microsoft Entra Private Network Connector on the DC. The DC acts as the connector server for the PA service in this scenario. It runs the private network connector which you will download and install in the following steps for tunneling Kerberos and SNC network traffic to the SAP system and the DC.

  2.1 Select Connect -> Connectors from the navigation menu. Click the Download connector service button.
  2.2 Accept the terms to start the download.
  2.3 Double-click the downloaded file (MicrosoftEntraPrivateNetworkConnectorInstaller.exe) to start the installation of the Private network connector. Activate the checkbox to accept the license terms and click Install.
  2.4 During the installation process you will be asked to log in to your Entra ID tenant. Log in as the tenant administrator.
  2.5 After completion of the connector installation, click Restart.
  2.6 After the DC has restarted, log in to the Entra Admin Center as the tenant administrator. Select Global Secure Access -> Connect -> Connectors to verify the status of the newly installed connector. It should be assigned to the Default connector group and be in state Active.

 

Install the Global Secure Access client

Continue the GSA setup by installing the Global Secure Access client on the user's workstation. For an automated deployment of the client in a larger production landscape, see the instructions here.

  3.1 Log in as user Jane Smith (JSMITH) to the corp.bestrun.com (CORP) domain from the workstation.
  3.2 Open the Entra Admin Center and log in as the tenant administrator. Select Global Secure Access -> Connect -> Client download from the navigation menu. Click Download Client for Windows 10/11.
  3.3 Run the GlobalSecureAccessClient.exe installer. Activate the license terms and conditions checkbox and click Install. Installing the GSA client requires local administrator rights.
  3.4 Upon successful installation, click Sign in.
  3.5 Log in to GSA with your test user's Entra ID account (e.g. jsmith@bestruncorp.onmicrosoft.com).

 

Configure SAP for Private Access

Upon successful installation of the required software components in the corporate network, it is now time to configure the first GSA application representing the SAP system on-premise, and add the required application segment to it for SNC. You also need to grant access to the test user by assigning Jane Smith to the app.

  4.1 As the tenant admin in the Entra Admin Center (https://entra.microsoft.com), go to Global Secure Access -> Applications -> Enterprise applications in the navigation menu. Click New application.
  4.2 Enter a name for the new Global Secure Access application, for example "SAP A4H". Click Add application segment.
  4.3 Enter the following settings for the new application segment:
    • Destination type: IP address
    • IP address: The IP address of the SAP system in the corporate network, for example 192.168.99.1
    • Ports: 32<NN>. Replace <NN> with the instance number of your SAP system, for example 3200
    • Protocol: TCP
    Click Apply.
  4.4 Click Save.
  4.5 Click on Global Secure Access -> Applications -> Enterprise applications in the navigation menu. Click on the name to select the newly created Global Secure Access application "SAP A4H" from the list.
  4.6 Select Users and groups from the navigation menu. Click Add user/group.
  4.7 Click None Selected.
  4.8 In the Search field, enter the name of your test user, e.g. Jane Smith, and select the user from the results by activating the checkbox. Click Select.
  4.9 Click Assign.

 

Configure Kerberos for Private Access

Continue with the application setup for Entra PA by adding the "Domain Controller" GSA enterprise app to intercept Kerberos traffic to the DC.

  5.1 Click on Global Secure Access -> Applications -> Enterprise applications in the navigation menu. Click New application.
  5.2 Enter a name, for example "Domain Controller". Click Add application segment.
  5.3 Enter the following settings for the new application segment:
    • Destination type: IP address
    • IP address: The IP address of the DC in the corporate network, for example 192.168.99.10
    • Ports: 88
    • Protocol: Select TCP and UDP
    Click Apply.
  5.4 Repeat the previous step for the following three application segments, which all have the destination type "IP address" and the same IP address (your DC's address, e.g. 192.168.99.10):
    • Ports: 389, Protocol: UDP
    • Ports: 464, Protocol: TCP and UDP
    • Ports: 123, Protocol: UDP
    Click Save.
  5.5 Click on Global Secure Access -> Applications -> Enterprise applications in the navigation menu. Click on the name to select the newly created Global Secure Access application "Domain Controller" from the list.
  5.6 Select Users and groups from the navigation menu. Click Add user/group.
  5.7 Click None Selected.
  5.8 In the Search field, enter the name of your test user, e.g. Jane Smith, and select the user from the results by activating the checkbox. Click Select.
  5.9 Click Assign.
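The security of this setup depends on every SNC and Kerberos flow from the workstation actually being intercepted by the GSA client: a flow that no application segment covers goes straight to the LAN, outside Entra PA and outside the Conditional Access policy bound to the "SAP A4H" app. The following script is an added example (not part of the blog post, and not a Microsoft or SAP tool) that checks the segments from steps 4.3 and 5.3 to 5.4 against the set of flows the walkthrough in figure 1 needs. The Segment record is a constructed simplification of what you type into the admin center (destination, ports, protocols); it is not the real forwarding profile export format, which this page does not document, and the IP addresses and instance number are the tutorial's sample values.

```python
# Added example: coverage check for Entra Private Access application segments.
# Not from the blog post or from Microsoft/SAP. The Segment record is a
# constructed model of the admin-center fields, not GSA's real profile format.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Segment:
    """One application segment of a GSA enterprise application (constructed model)."""
    app: str                 # enterprise application name, e.g. "SAP A4H"
    destination: str         # IP address (or CIDR) of the on-premise resource
    ports: str               # single port "88" or a range "3200-3299"
    protocols: frozenset     # subset of {"TCP", "UDP"}

    def matches(self, ip: str, port: int, proto: str) -> bool:
        """True if traffic to ip:port/proto would be intercepted by this segment."""
        if ip_address(ip) not in ip_network(self.destination, strict=False):
            return False
        lo, _, hi = self.ports.partition("-")
        return int(lo) <= port <= int(hi or lo) and proto.upper() in self.protocols


def required_flows(sap_ip: str, instance_no: int, dc_ip: str):
    """Flows that must be tunneled for the scenario in figure 1.

    The port list is the tutorial's: SNC on 32<NN> to the SAP system, and the
    Kerberos-related ports 88, 389, 464 and 123 to the domain controller.
    """
    flows = [(sap_ip, 3200 + instance_no, "TCP", "SNC to SAP AS ABAP")]
    dc_ports = [
        (88, ("TCP", "UDP"), "Kerberos KDC (TGS_REQ/TGS_REP)"),
        (389, ("UDP",), "CLDAP ping used by the DC locator"),
        (464, ("TCP", "UDP"), "Kerberos password change (kpasswd)"),
        (123, ("UDP",), "NTP, keeps Kerberos clock skew in range"),
    ]
    for port, protos, purpose in dc_ports:
        flows.extend((dc_ip, port, p, purpose) for p in protos)
    return flows


def uncovered_flows(segments, flows):
    """Flows that no segment intercepts: they bypass Entra PA and therefore the
    Conditional Access policy bound to the GSA app, and go straight to the LAN."""
    return [f for f in flows
            if not any(s.matches(f[0], f[1], f[2]) for s in segments)]


def tutorial_segments():
    """The five segments configured in sections 4 and 5 of the tutorial."""
    both = frozenset({"TCP", "UDP"})
    dc = "192.168.99.10"
    return [
        Segment("SAP A4H", "192.168.99.1", "3200", frozenset({"TCP"})),
        Segment("Domain Controller", dc, "88", both),
        Segment("Domain Controller", dc, "389", frozenset({"UDP"})),
        Segment("Domain Controller", dc, "464", both),
        Segment("Domain Controller", dc, "123", frozenset({"UDP"})),
    ]


def check(segments, sap_ip="192.168.99.1", instance_no=0, dc_ip="192.168.99.10"):
    """Print and return every required flow that would not be intercepted."""
    missing = uncovered_flows(segments, required_flows(sap_ip, instance_no, dc_ip))
    for ip, port, proto, purpose in missing:
        print(f"NOT INTERCEPTED: {ip}:{port}/{proto} ({purpose})")
    return missing


if __name__ == "__main__":
    print("complete profile:", check(tutorial_segments()) == [])
    # Simulate a forgotten segment: without 464 the kpasswd traffic would leave
    # the GSA tunnel, so the check flags both the TCP and the UDP flow.
    check([s for s in tutorial_segments() if s.ports != "464"])
```

Run it with the segments of your own tenant, your SAP system's IP address and instance number, and your DC's address; anything reported as NOT INTERCEPTED will still reach the LAN without MFA. Note that only the "SAP A4H" app is the target of the CA policy: the DC segments are tunneled but not MFA-gated, which is the intended behaviour described in step 12 of the walkthrough, since MFA has already been completed for the SNC connection.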

 

Configure MFA for SAP GUI with Entra Conditional Access

Set up MFA for the user in Entra by creating a CA policy and assigning it to the "SAP A4H" GSA application for the SAP system.

  6.1 Select Global Secure Access -> Applications -> Enterprise applications from the navigation menu. Click on the name to select the newly created Global Secure Access application "SAP A4H" from the list.
  6.2 From the enterprise application navigation menu, select Security -> Conditional Access.
  6.3 Click New policy.
  6.4 Enter a name for the new policy, for example "SAP GUI MFA", and click on the link in the Users section.
  6.5 Activate the checkbox for Users and groups.
  6.6 In the Search field, enter the name of your test user, e.g. Jane Smith, and select the user from the results by activating the checkbox. Click Select.
  6.7 Click on the link in the Access controls -> Grant section.
  6.8 Keep the default selection for Grant access, and activate the checkbox for Require authentication strength. From the drop-down box, select Passwordless MFA. Click Select.
  6.9 Switch to On in the Enable policy options. Click Create.

 

Enable private DNS for Kerberos SSO

To support SSO with Kerberos, the GSA client must be able to resolve internal (private) DNS names with the corporate domain suffix (corp.bestrun.com in this setup). 

  7.1 Run the command ipconfig /all on the DC or workstation host to find the DNS suffix for your corporate network. Copy the value (here corp.bestrun.com) of Primary Dns Suffix from the output.
  7.2 Select Global Secure Access -> Applications -> Quick Access from the navigation menu. Switch to the Private DNS tab. Activate the Enable Private DNS checkbox and click Add DNS suffix.
  7.3 Paste the DNS suffix from step 7.1 for your corporate network in the DNS suffix field. Click Add.
  7.4 Select Users and Groups from the navigation menu.
  7.5 Click None Selected.
  7.6 In the Search field, enter the name of your test user, e.g. Jane Smith, and select the user from the results by activating the checkbox. Click Select.
  7.7 Click Assign.

 

Setup MFA with Phone Sign-in for the test user

Since you selected the Passwordless MFA option for the Required authentication strength in the previously created Conditional Access policy, you now need to set up the test user's account accordingly. The following steps assume that no MFA authentication method is registered yet for the user. If the Authenticator app is already registered for the user, just make sure that Phone Sign-In is activated in it; otherwise, follow the next steps.

  8.1 As the test user on the workstation, log in to the My account portal at https://myaccount.microsoft.com. On the Security info tile, click UPDATE INFO.
  8.2 Click Add sign-in method.
  8.3 Select Authenticator app from the drop-down list. Click Add.
  8.4 Click Next.
  8.5 Click Next.
  8.6 On the user's phone, launch the Authenticator app. Click + to add a new account.
  8.7 Select Work or school account. Click Scan QR code.
  8.8 Scan the QR code displayed in the My account portal with your device camera.
  8.9 Go back to the My account portal. Click Next.
  8.10 A random number is shown in the My account portal to approve the new account.
  8.11 A notification pops up in the Authenticator app. Enter the number shown in the previous step. Click Yes.
  8.12 Upon successful approval, click Next.
  8.13 Select the newly added account in the Authenticator app. Select Enable phone sign-in from the menu.
  8.14 Click Continue.
  8.15 Enter your test user's domain password to authenticate with the Entra ID tenant. Click Sign in.
  8.16 The Entra ID login shows a random number. A few seconds later, the notification from the Authenticator app pops up. Enter the number and click Yes.
  8.17 You have successfully enabled passwordless MFA with phone sign-in for your test user's account.

 

SNC mapping for the user in the SAP system

Similar to certificate-based SSO with SNC in part I of the blog series, Kerberos-based SSO to the SAP system also requires a mapping of the SAP user account to the user's name in the corporate domain.

  9.1 Log in to the SAP backend with your SAP administrator user (e.g. DEVELOPER if you are using the Docker image). Go to User Maintenance (SU01). Enter your test user's name (e.g. JSMITH). Click Create User (F8) if the user account doesn't exist. Otherwise, click Change (Shift+F6) and continue with step 9.4.
  9.2 Enter the Last Name and First Name on the Address tab. Switch to the Logon Data tab.
  9.3 Enter a Password for the new user.
  9.4 Switch to the SNC tab. In the SNC name field, enter your test user's name in the corporate AD domain following the format "p:CN=<user@domain-dns-suffix>", e.g. "p:CN=JSMITH@CORP.BESTRUN.COM". Click Save.

 

Test the scenario

You are now ready to verify the scenario 🚀!

  10.1 Log in as the test user jsmith to the local domain (CORP) on the workstation.
  10.2 Hover over the GSA system tray icon to check that the status is "connected".
  10.3 Right-click on the GSA system tray icon and select Advanced diagnostics from the context menu.
  10.4 Switch to the Health check tab. Ensure that the status bar shows that All checks are successful.
  10.5 Switch to the Forwarding profile tab and expand the Private access rules section. Check that all rules defined by the application segments of the "SAP A4H" and "Domain Controller" GSA enterprise applications were synchronized by the local GSA policy retrieval service. You also see additional rules for tunneling DNS on port 53 based on your Private DNS settings.
  10.6 Switch to the Traffic tab. Click Start collecting to record a trace of the intercepted SNC, Kerberos and DNS network traffic from the local workstation to the Entra PA service.
  10.7 Start the SAP Logon Pad. Right-click on your connection entry for the SAP system. Select Properties from the context menu.
  10.8 Switch to the Network tab. Activate the checkbox for Activate Secure Network Communication. Enter the SNC Name of your SAP backend. The name can be looked up on the backend with transaction RZ10 and the profile parameter snc/identity/as. Choose Maximum security settings available. Click OK.
  10.9 Right-click on the connection entry for the SAP system and select SNC Logon with Single Sign-On.
  10.10 SAP GUI now starts to establish the SNC connection, which is intercepted by the GSA client (steps 3 and 4 in figure 1), which requires the user to complete the multi-factor authentication process. On the Global Secure Access Client window, click Sign in.
  10.11 In the Entra ID login page, enter your test user's corporate password. Click Sign in.
  10.12 Entra Conditional Access now requires the second factor by prompting the user to enter the number shown on the login page in her Authenticator app on the mobile phone.
  10.13 The Authenticator app opens on the mobile phone. After unlocking the app (e.g. with Face ID), the user has to enter the number shown in the previous step. Click Yes.
  10.14 The login process completes and the test user is successfully single signed-on to the SAP system.
  10.15 To see the network traces, go back to the GSA Advanced diagnostics window. The Traffic tab shows the recorded network traffic over the tunneled connections to the DC (port 88) and the SAP system (port 3200). With the user logged on in SAP GUI, the Connection status of the tunneled SNC connection is still Active.

Congratulations on completing the tutorial for SAP GUI MFA with Entra Private Access 🏆🥇!
