This is awesome. One thing that I am confused about is how does an FQDN work? What forces your DNS lookups to use one of your on-prem DNS servers? I set this up so that I could access one of my SQL servers and it works great if I have the IP address. If I try to use the FQDN it fails because the FQDN cannot be resolved. Thoughts on this one?
@CloudInspired 10 months ago
Hi Rob, there's not a lot of Microsoft documentation on DNS with Entra Private Access yet; maybe more will be available once out of preview. As long as your DNS IP config is correct on the client and pointing to your DNS servers. Under Quick Access in the Entra portal you can add in a Private DNS custom suffix. Inside the Entra SSE edge there is a DNS service for name resolution requests which resolve from the GSA client over the GSA tunnel.
@stormlight1553 1 month ago
Did you find the answer to this?
@mosksky 1 year ago
Amazing demo!!! So really this way I don't even need to provision Azure Bastion as I can remote in to my hosts! TY Ed, really awesome!
@CloudInspired 1 year ago
Thanks for your comment Len. Yes, total game changer!
@hapskie 11 months ago
Private Access looks amazing. Still have some questions, hope you can answer:
- As it requires the same license (P1) and can also give users access to on-premise web based applications, is there still a valid use case for using Application Proxy? I guess you'd still need App Proxy to give access to on-premise web based resources from non-Azure joined devices, or devices without the GSA client?
- Does this also work from Azure joined devices that use WHfB, so passwordless login, giving SSO to on-premise applications without the use of WHfB Cloud Kerberos Trust?
@CloudInspired 11 months ago
Yes, Entra Private Access is an amazing quick solution without the complexity of a VPN! There is still a valid requirement for Application Proxy to secure remote access to on-premises web applications' external URL or an internal application portal, as you state, if not using Microsoft Entra joined or Microsoft Entra hybrid joined devices or the GSA client. Windows Hello for Business Entra joined devices authenticate to Microsoft Entra ID during sign-in, and when the GSA client runs, users are prompted to sign in with their Microsoft Entra credentials if not already authenticated.
@fatihtozlu 1 year ago
Great demo. Thanks 👍 Some remarks: 1. MDM such as Intune managed devices could also be included and not only domain joined ones. 2. MS Entra App Proxy connector requires Win 2012 or later; can it be used on any VM? For example in AWS or GCP? It would be great to have, for example, a "ready to use connector" available in marketplaces.
@CloudInspired 1 year ago
Hi, thanks for your comment. 1. Devices have to be Microsoft Entra joined or Microsoft Entra hybrid joined. Microsoft Entra registered devices are not supported at this time. 2. MS Entra App Proxy connector requires Windows Server 2012 R2 or later, and yes it can be installed in any environment such as AWS or GCP as long as that server has outgoing internet access on port 443 for the proxy.
@KshitijMehta-p5e 11 months ago
Sweet! @CloudInspired so if I deploy a Windows Server and install the App Proxy connector there, I can provide access to resources on AWS (web apps/RDP/SSH)?
@CloudInspired 11 months ago
Hi Kshitij, yes that's correct! The App Proxy connector can be installed anywhere (including an AWS Windows VM), as long as it's located in the same network as the services you are trying to access. Then you would open up ports for access (Web/RDP/SSH etc.) to enable a secure connection to the required services. Implementing and configuring a complex VPN connection is now a thing of the past, saving time and money!
@er.kirpalkaushal6850 7 months ago
Wonderful demonstration
@CloudInspired 7 months ago
Thanks, and you're welcome
@eddylopez955 1 year ago
You are simply the best! ❤
@CloudInspired 1 year ago
Thanks Eddy!
@alexis3402 5 months ago
Hi, thanks for the tutorial 👌 Everything is OK except the Global Secure Access client; I have several warnings such as "disabled by your organization" and "breakglass mode disabled". Could you help me? Thanks!
@CloudInspired 4 months ago
Hi Alexis, thanks for your comment. The preview requires a Microsoft Entra ID P1 license, and administrators who interact with Global Secure Access preview features must have the Global Secure Access Administrator role. Check out the prerequisites here: learn.microsoft.com/en-us/entra/global-secure-access/how-to-get-started-with-global-secure-access . Also, how to set up the connector server: learn.microsoft.com/en-us/entra/architecture/sse-deployment-guide-private-access#deploy-and-test-microsoft-entra-private-access . Anything in the Global Secure Access client logs? Troubleshoot issues in the Global Secure Access client for Windows: learn.microsoft.com/en-us/troubleshoot/azure/entra/global-secure-access/troubleshoot-global-secure-access-client-windows-issues
@vish9870 10 months ago
Hi, a very informative demo, but I am unable to reach an ADDS-configured Azure file share from Private Access, as users are unable to authenticate with the DC. Please suggest how we can resolve this? Thanks.
@CloudInspired 10 months ago
Hi Vishnu, thanks for your comment. Authentication to domain controllers for Kerberos ports 445, 135, 88 and DNS 53 should work as long as your DNS IP config is correct on the client and pointing to your DNS servers. Under Quick Access in the Entra portal you can add in a Private DNS custom suffix. Inside the Entra SSE edge there is a DNS service for name resolution requests which resolve from the GSA client over the GSA tunnel.
@vish9870 10 months ago
@CloudInspired Hi, thanks for your response. As you suggested, I added the local DC server name and IP in Quick Access, but authentication is still not happening to reach file shares.
@CloudInspired 10 months ago
Hi Vishnu, any traffic logs on the client or portal which show issues? Just to note, Hello for Business and passwordless are not supported at this time as Entra Private Access is in preview. Entra ID joined devices and Windows Hello for Business enabled devices must be logged into via the end-user's username and password to gain seamless access.
@vish9870 10 months ago
@CloudInspired While accessing the file share I get "The system cannot contact a domain controller to service the authentication request, please try again later".
@andersontapetti8420 1 year ago
Tested in our environment and this is awesome! Just one question: with Azure joined computers, is there a way to skip RDP from asking for MFA? Is this related to condition?
@CloudInspired 1 year ago
Thanks Anderson, yes, it can be controlled via Conditional Access targeting the app.
@mattcauthen 11 months ago
We've had a lot of issues with authentication over the Private Access preview, specifically with file shares / SMB and Kerberos. Any advice on this?
@CloudInspired 11 months ago
Hi, can you confirm the prerequisites have been met? Specifically, devices must be either Microsoft Entra joined or Microsoft Entra hybrid joined: learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client#prerequisites
@mattcauthen 10 months ago
@CloudInspired Sorry, I should've clarified our issue better. We use Windows Hello for Business to adopt a passwordless strategy. Since our client machines are not passing credentials and are only using PIN/biometrics, it seems this is where we run into the issue. We're not exactly sure how to get around this. If we're on the corporate network and get a Kerberos ticket from a DC, we can then leave the network and use the Private Access client and can connect to authenticated resources (like SMB) without issue, but when the ticket expires, we are unable to use that resource again when we use our WHfB/PIN codes to log in to machines.
@CloudInspired 10 months ago
Hi Matt, thanks for clarifying. Looks like Hello for Business and passwordless are not supported at this time as Entra Private Access is in preview. Entra ID joined devices and Windows Hello for Business enabled devices must be logged into via the end-user's username and password to gain seamless access. Let's hope this is something Microsoft add and support once out of preview!?
@giorgiomaiorano5281 5 months ago
Fantastic explanation. I would just like to ask if for Microsoft Entra Private Access I need some particular license. I have Microsoft 365 E5, thanks in advance
@CloudInspired 5 months ago
Hi Giorgio, thanks! The preview requires a Microsoft Entra ID P1 license. To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended. An E5 license will cover all the above. Microsoft licensing requirements might change after general availability.
@giorgiomaiorano5281 2 months ago
@CloudInspired Hi! Thanks for the answer! I have unlocked the Microsoft Entra Suite trial to test it. Now I have a problem: "Global Secure Access Client - disabled by your organization". I don't understand why the client doesn't function.
@giorgiomaiorano5281 2 months ago
@CloudInspired I have configured the agent on 2 servers for redundancy, and after that I have configured the "same" configuration as in your demo. I have installed the client on my Azure AD joined device but I get the alert "Global Secure Access Client - disabled by your organization" and I can't do anything. Can you help me? :/
@ajithm1138 3 months ago
Hi, thanks for your video. Could you post about corporate users' VPN connection through MS Entra?
@CloudInspired 3 months ago
Hi Ajith, do you mean use an existing VPN connection? I don't think that is possible at this time.
@MrMarcLaflamme 10 months ago
So does ALL traffic end up flowing through the proxy? Or is this for authentication only? Don't really understand how the network flow works. Also, you added two different endpoints to the same Enterprise App (RDP to DC). Is this the recommended way of doing it?
@CloudInspired 10 months ago
Hi Marc. The Global Secure Access Client is installed on Windows endpoints. These clients will connect to an Application Proxy installed on a Windows Server to enable all traffic to be tunnelled to Private Access destinations and protocols which are published. Therefore we can secure access to all private apps, resources and protocols from endpoints using a zero trust model. The demo shows an example of how you can add different IP address endpoints and protocols to the same app, or you can configure multiple apps to split up each protocol or IP endpoint.
@cyphernz 1 year ago
Can the GSA client auto connect? I.e. always on.
@CloudInspired 1 year ago
Yes, after a user signs in the Global Secure Access Client will auto connect, showing a connected state.
@regipradeeswaran8374 1 year ago
Brilliant demo. Looks like this may replace my Zscaler Private Access setup. Any Azure licensing requirements? Will this work on domain joined laptops and not Azure joined? Also, support for Macs in the future? I think with this I can replace the legacy VPN to HQ hopefully 👍🙏
@regipradeeswaran8374 1 year ago
Looks like we need a Microsoft Entra ID P1 license.
@CloudInspired 1 year ago
Thanks Regi for your comment! Entra Private Access is currently in preview, and currently the Global Secure Access Client is supported on 64-bit versions of Windows 10 or Windows 11. I expect other client OSes will be supported in the future. Devices have to be Microsoft Entra joined or Microsoft Entra hybrid joined. Microsoft Entra registered devices are not supported at this time. Yes, this is a good option to consider for replacing the legacy VPN with all the benefits of Zero Trust and, of course, Entra Internet Access with Microsoft 365 protecting against malicious internet traffic.
@CloudInspired 1 year ago
Yes, correct, the preview requires a Microsoft Entra ID P1 license. You can try a trial license for 30 days. Prerequisites and links for the license are here: learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client#prerequisites
@regipradeeswaran8374 1 year ago
I need to allow ports 135, 445, 88 and 53 for DNS for my file share to work. Also it seems slow, but it's a preview.
@CloudInspired 1 year ago
Hi Regi, those ports should work with Entra Private Access. Interested to know what apps or services you are finding slow?
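The replies about FQDN resolution (Rob's question and the DNS answer above) and about the DC ports 88, 135, 445 and 53 (Vishnu's and Regi's threads) both come down to two client-side checks: is the client actually using the private DNS server, and are the published ports reachable through the GSA tunnel. The script below is an added diagnostic, not from the video or from Microsoft; `$Fqdn`, `$DnsServer` and `$Dc` are placeholders you replace with your own values.

```powershell
# Added diagnostic (not the video's or Microsoft's code). Run on the Windows client with
# the Global Secure Access client connected. All three parameters are placeholders.
param(
    [string]$Fqdn      = 'sql01.corp.example',   # placeholder private FQDN to resolve
    [string]$DnsServer = '10.0.0.4',             # placeholder on-prem/Azure DNS server
    [string]$Dc        = '10.0.0.4'              # placeholder domain controller IP or name
)

# 1. Which DNS servers is the client actually configured to use? If the private DNS
#    server is not in this list, FQDN lookups never reach it, whatever the tunnel does.
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
$configured | Format-Table -AutoSize
if (-not ($configured.ServerAddresses -contains $DnsServer)) {
    Write-Warning "Client DNS config does not include $DnsServer; fix the client DNS settings or add a Private DNS custom suffix under Quick Access."
}

# 2. Does the private name resolve at all, and via the intended server?
try {
    $answer = Resolve-DnsName -Name $Fqdn -Type A -Server $DnsServer -ErrorAction Stop
    "$Fqdn -> $($answer.IPAddress -join ', ') (via $DnsServer)"
} catch {
    Write-Warning "$Fqdn did not resolve via ${DnsServer}: $($_.Exception.Message)"
}

# 3. TCP reachability of the ports the thread lists for DC authentication and SMB.
#    Test-NetConnection only tests TCP, so a "BLOCKED" result on 53 does not rule out
#    UDP DNS working; treat it as a hint that the port was not published for the app.
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 445 = 'SMB' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $Dc -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED / not published' }
    '{0,4} {1,-20} {2}' -f $p, $ports[$p], $state
}
```

A port that shows as blocked here but is open from inside the network usually means the port or IP range is missing from the Private Access app's published endpoints, which is the first thing to compare against the Global Secure Access traffic logs.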
@fbifido2 8 months ago
Setup concept: we have Azure Entra AD and 100 Microsoft 365 Business Premium licenses.
- In Azure IaaS, we have 2 Windows Server 2022 Azure Entra AD joined servers running as file servers, and an Azure NAT Gateway for them to get internet and Windows Update.
- On-prem we also have 2 Windows Server 2022 Azure Entra AD joined servers running as print servers, and a hardware firewall for internet access, DHCP and DNS.
- On-prem we have 80 Windows 10 Pro desktops that are Azure Entra AD joined.
Note: we don't have Active Directory on-prem, nor Azure Entra Active Directory Domain Services in Azure. Can we use Microsoft Entra Private Access to allow the 80 clients to access the 2 file servers in Azure IaaS without a VPN?
@CloudInspired 8 months ago
Hi, the Windows 10 Azure Entra AD joined devices can use Entra Private Access to connect to file servers in Azure. The MS Entra App Proxy connector is required to be installed on a server in the network which requires access, i.e. on the Azure VNet where the file servers are located. The App Proxy server requires outgoing internet access on port 443 for the proxy. You would need to publish the required ports in Entra Private Access for access, i.e. SMB for file sharing and any others required. The preview requires a Microsoft Entra ID P1 license.