Microsoft Entra Private Access - Clarification needed please

Karthik Palani 20 Reputation points
26 Feb 2025, 6:48 am

Hi All,

I would like to get advice on Microsoft Entra Private Access, with which I want to replace our current VPN solution. A few questions I would like to clarify:

  • No devices are onboarded to Microsoft Intune and we are using only MAM policy for BYOD. In this condition, how can I check if the device is part of the local domain? Can I use a Conditional Access policy?
  • We have a CA certificate which needs to be validated on the device before allowing it into the network?
  • We have a third-party Symantec/SentinelOne solution; any high or medium threat should block it? Does the Conditional Access policy user risk do this, since it is a third-party solution and not Defender?
  • I want to check if the right anti-malware version is available before allowing the device?
  • I have on-prem SharePoint and file servers; how will the user get access to them? Do I just need to create an application group? Please clarify.

Kindly advise


1 answer

  1. Kancharla Saiteja 945 Reputation points Microsoft External Staff
    26 Feb 2025, 9:54 am

    Hi Karthik Palani,

    Thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A and will be assisting you with your query.

    Based on your queries, here is the required information:

    Microsoft Entra Private Access mostly works with IP addresses, VPN and applications. We have two types of access: Quick Access and per-app access.

    When your device is not onboarded with Intune, you can configure Quick Access with IP addresses and FQDNs.

    • IP address:
      • Internet Protocol version 4 (IPv4) address, such as 192.168.2.1, that identifies a device on the network.
      • Provide the ports that you want to include.
    • Fully qualified domain name (including wildcard FQDNs):
      • Domain name that specifies the exact location of a computer or a host in the Domain Name System (DNS).
      • Provide the ports to include.
      • Wildcard FQDNs must be specified in the format *.contoso.com

    You can find more details of Quick Access configuration using this document.

    Microsoft Entra Private Access identifies the device using the above details itself; it will not detect the certificate on your device.

    The sign-in risks of the user can be configured from a Conditional Access policy. This Conditional Access policy can block or request MFA for the user based on the risk type. You can follow the document specified here.

    Checking the anti-malware application version before onboarding the device is not available. But we do have Application Discovery to manage and view which user is accessing which application, based on which you can configure access accordingly.

    Microsoft Entra Private Access secures cloud entities, resources and private applications. If on-premises SharePoint has an object configured in the cloud, it can be secured using Quick Access and per-app access as well. If your server is configured in Azure as a VM, there will be a chance to secure it using Microsoft Entra Private Access.

    Here is the Microsoft document, which talks about Entra private access and key features: https://learn.microsoft.com/en-us/entra/global-secure-access/overview-what-is-global-secure-access

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
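As an added illustration (not part of the thread above, and not Microsoft's own tooling), the following Python helper checks a list of proposed Quick Access destinations against the rules the answer lists: a plain IPv4 address, an FQDN, or a wildcard FQDN in the `*.contoso.com` form, each with the ports to include. The sample entries are constructed for the example.

```python
import ipaddress
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _valid_fqdn(name: str) -> bool:
    """At least two labels, each syntactically valid (e.g. fileserver.corp.contoso.com)."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def _valid_ports(ports: str) -> bool:
    """Accept comma-separated single ports or ranges such as '443' or '8000-8080'."""
    for part in ports.split(","):
        low, _, high = part.strip().partition("-")
        try:
            a = int(low)
            b = int(high) if high else a
        except ValueError:
            return False
        if not 1 <= a <= b <= 65535:
            return False
    return True


def classify(dest: str, ports: str) -> str:
    """Return 'ipv4', 'fqdn', 'wildcard' or 'invalid' for one Quick Access entry."""
    if not _valid_ports(ports):
        return "invalid"
    try:
        ipaddress.IPv4Address(dest)       # e.g. 192.168.2.1, as in the answer
        return "ipv4"
    except ValueError:
        pass
    if dest.startswith("*."):             # wildcard must be the leading label only
        rest = dest[2:]
        return "wildcard" if "*" not in rest and _valid_fqdn(rest) else "invalid"
    if "*" in dest:                       # '*contoso.com' or 'a.*.b' are not the documented form
        return "invalid"
    return "fqdn" if _valid_fqdn(dest) else "invalid"


# Constructed sample entries (destination, ports) for a hypothetical tenant.
SAMPLE = [("192.168.2.1", "443"), ("fileserver.corp.contoso.com", "445"),
          ("*.contoso.com", "80,443"), ("*contoso.com", "443"),
          ("sharepoint.corp.contoso.com", "70000")]

if __name__ == "__main__":
    for dest, ports in SAMPLE:
        print(f"{dest:32} {ports:8} -> {classify(dest, ports)}")
```

Entries reported as `invalid` are the ones the portal would reject or that would silently never match, so they are worth catching before the policy is rolled out in place of the VPN.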
