How to configure App Proxy connectors for Microsoft Entra Private Access
Connectors are lightweight agents that sit on-premises and facilitate the outbound connection to the Global Secure Access service. Connectors must be installed on a Windows Server that has access to the backend application. You can organize connectors into connector groups, with each group handling traffic to specific applications. To learn more about connectors, see Understand Microsoft Entra application proxy connectors.
Prerequisites
To add an on-premises application to Microsoft Entra ID you need:
- A Microsoft Entra ID P1 license, which the preview requires. If needed, you can purchase licenses or get trial licenses.
- An Application Administrator account.
User identities must be synchronized from an on-premises directory or created directly within your Microsoft Entra tenants. Identity synchronization allows Microsoft Entra ID to pre-authenticate users before granting them access to App Proxy published applications and to have the necessary user identifier information to perform single sign-on (SSO).
Windows server
To use Application Proxy, you need a Windows server running Windows Server 2012 R2 or later. You'll install the Application Proxy connector on the server. This connector server needs to connect to the Application Proxy services in Azure, and the on-premises applications that you plan to publish.
- For high availability in your environment, we recommend having more than one Windows server.
- The connector requires .NET Framework 4.7.1 or later.
- For more information, see App Proxy connectors.
- For more information, see Determine which .NET framework versions are installed.
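The following PowerShell pre-flight check is an added example, not part of the Microsoft documentation. Run it on the candidate connector host before downloading the connector: it confirms the machine is a Windows Server at 2012 R2 or later and that the installed .NET Framework 4.x release is 4.7.1 or later. The .NET release number is read from the registry key Microsoft documents for that purpose; the threshold value 461308 is the documented minimum Release value for .NET Framework 4.7.1.

```powershell
# Added example (not from the Microsoft documentation): pre-flight check of the
# connector host prerequisites stated above (Windows Server 2012 R2+, .NET 4.7.1+).

# Lowest "Release" DWORD under NDP\v4\Full that corresponds to .NET Framework 4.7.1.
$MinimumDotNetRelease = 461308

$os = Get-CimInstance -ClassName Win32_OperatingSystem
# ProductType 3 = server, 2 = domain controller, 1 = workstation.
$isServer = $os.ProductType -in 2, 3
# Windows Server 2012 R2 reports kernel version 6.3; later servers report 10.0.
$osVersionOk = [version]$os.Version -ge [version]'6.3'

$ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
$dotNetOk = ($null -ne $release) -and ($release -ge $MinimumDotNetRelease)

$report = [pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    OSCaption       = $os.Caption
    OSVersion       = $os.Version
    IsServerSku     = $isServer
    OSVersionOk     = $osVersionOk
    DotNetRelease   = $release
    DotNetOk        = $dotNetOk
    ReadyForInstall = ($isServer -and $osVersionOk -and $dotNetOk)
}
$report | Format-List

if (-not $report.ReadyForInstall) {
    Write-Warning 'This host does not meet the connector prerequisites; fix them before installing.'
}
```

If `DotNetRelease` is empty, no .NET Framework 4.x is installed at all; if it is present but below the threshold, install a newer .NET Framework before running the connector setup, because newer connector versions refuse to install on older runtimes.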
Prepare your on-premises environment
Start by enabling communication to Azure data centers to prepare your environment for Microsoft Entra application proxy. If there's a firewall in the path, make sure it's open. An open firewall allows the connector to make HTTPS (TCP) requests to the Application Proxy.
Important
If you are installing the connector for Azure Government cloud follow the prerequisites and installation steps. This requires enabling access to a different set of URLs and an additional parameter to run the installation.
Open ports
Open the following ports to outbound traffic.
Port number | How it's used |
---|---|
80 | Downloading certificate revocation lists (CRLs) while validating the TLS/SSL certificate |
443 | All outbound communication with the Application Proxy service |
If your firewall enforces traffic according to originating users, also open ports 80 and 443 for traffic from Windows services that run as a Network Service.
Allow access to URLs
Allow access to the following URLs:
URL | Port | How it's used |
---|---|---|
*.msappproxy.net, *.servicebus.windows.net | 443/HTTPS | Communication between the connector and the Application Proxy cloud service |
crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com, crl.microsoft.com, oneocsp.microsoft.com, ocsp.msocsp.com | 80/HTTP | The connector uses these URLs to verify certificates. |
login.windows.net, secure.aadcdn.microsoftonline-p.com, *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, management.azure.com, policykeyservice.dc.ad.msft.net, ctldl.windowsupdate.com, www.microsoft.com/pkiops | 443/HTTPS | The connector uses these URLs during the registration process. |
ctldl.windowsupdate.com, www.microsoft.com/pkiops | 80/HTTP | The connector uses these URLs during the registration process. |
You can allow connections to *.msappproxy.net, *.servicebus.windows.net, and the other URLs above if your firewall or proxy lets you configure access rules based on domain suffixes. If not, you need to allow access to the Azure IP ranges and Service Tags - Public Cloud. The IP ranges are updated each week.
Important
Avoid all forms of inline inspection and termination on outbound TLS communications between Microsoft Entra application proxy connectors and Microsoft Entra application proxy Cloud services.
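The following PowerShell script is an added example, not part of the Microsoft documentation. It exercises the two requirements above from the connector host: outbound TCP reachability to the concrete hostnames in the tables (443 for service and registration endpoints, 80 for CRL and OCSP endpoints), and, for each 443 endpoint, the issuer of the TLS certificate actually presented to the host. A public CA issuer is expected; an issuer belonging to your own proxy or firewall CA means an inline TLS inspection device is terminating the connection, which is exactly what the Important note says to avoid. The hostname lists are taken from the tables above; wildcard entries such as *.msappproxy.net cannot be probed generically because the connector's hostnames under those suffixes are assigned at registration.

```powershell
# Added example (not from the Microsoft documentation): outbound reachability and
# TLS-inspection check for the endpoints listed in this article.

# Concrete hosts from the tables above (wildcard suffixes omitted on purpose).
$HttpsHosts = @(
    'login.windows.net',
    'enterpriseregistration.windows.net',
    'management.azure.com',
    'policykeyservice.dc.ad.msft.net',
    'ctldl.windowsupdate.com',
    'www.microsoft.com'
)
$HttpHosts = @(
    'crl3.digicert.com', 'crl4.digicert.com', 'ocsp.digicert.com',
    'crl.microsoft.com', 'oneocsp.microsoft.com', 'ocsp.msocsp.com',
    'ctldl.windowsupdate.com', 'www.microsoft.com'
)

function Get-TlsCertificateIssuer {
    # Opens a direct TLS session to $HostName:443 and returns the issuer of the
    # leaf certificate the server (or an interception device) presented.
    param([Parameter(Mandatory)][string]$HostName)
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
        # Accept any chain here: the goal is to *read* the issuer, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $issuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose(); $tcp.Dispose()
        return $issuer
    } catch {
        return "ERROR: $($_.Exception.Message)"
    }
}

$results = New-Object System.Collections.Generic.List[object]

foreach ($h in $HttpsHosts) {
    $tnc = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    $results.Add([pscustomobject]@{
        Host      = $h
        Port      = 443
        Reachable = $tnc.TcpTestSucceeded
        Issuer    = if ($tnc.TcpTestSucceeded) { Get-TlsCertificateIssuer -HostName $h } else { 'n/a' }
    })
}
foreach ($h in $HttpHosts) {
    $tnc = Test-NetConnection -ComputerName $h -Port 80 -WarningAction SilentlyContinue
    $results.Add([pscustomobject]@{
        Host      = $h
        Port      = 80
        Reachable = $tnc.TcpTestSucceeded
        Issuer    = 'n/a (plain HTTP)'
    })
}

$results | Format-Table -AutoSize

# Flag anything unreachable, and any 443 endpoint whose certificate issuer is not one
# of the public CAs you expect to see; a corporate proxy CA here means inline inspection.
$results | Where-Object { -not $_.Reachable } |
    ForEach-Object { Write-Warning "Blocked: $($_.Host):$($_.Port)" }
$results | Where-Object { $_.Port -eq 443 -and $_.Issuer -match 'proxy|firewall|inspection' } |
    ForEach-Object { Write-Warning "Possible TLS interception on $($_.Host): issuer '$($_.Issuer)'" }
```

These are direct TCP tests. If your egress requires an explicit web proxy, the direct tests will fail even when the proxy path works, so run the script from the same network position the connector service will use, and compare the reported issuers against the CA list your organization publishes for its inspection devices rather than relying on the keyword match alone.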
Install and register a connector
To use Private Access, install a connector on each Windows server you're using for Microsoft Entra Private Access. The connector is an agent that manages the outbound connection from the on-premises application servers to Global Secure Access. You can install a connector on servers that also have other authentication agents installed such as Microsoft Entra Connect.
Note
Setting up App Proxy connectors and connector groups require planning and testing to ensure you have the right configuration for your organization. If you don't already have connector groups set up, pause this process and return when you have a connector group ready.
The minimum connector version required for Private Access is 1.5.3417.0. Starting with version 1.5.3437.0, .NET Framework 4.7.1 or later is required for a successful installation or upgrade.
To install the connector:
1. Sign in to the Microsoft Entra admin center as a Global Administrator of the directory that uses Application Proxy.
   - For example, if the tenant domain is contoso.com, the admin should be admin@contoso.com or any other admin alias on that domain.
2. Select your username in the upper-right corner. Verify you're signed in to a directory that uses Application Proxy. If you need to change directories, select Switch directory and choose a directory that uses Application Proxy.
3. Browse to Global Secure Access (preview) > Connect > Connectors.
4. Select Download connector service.
5. Read the Terms of Service. When you're ready, select Accept terms & Download.
6. At the bottom of the window, select Run to install the connector. An install wizard opens.
7. Follow the instructions in the wizard to install the service. When you're prompted to register the connector with the Application Proxy for your Microsoft Entra tenant, provide your Global Administrator credentials.
   - For Internet Explorer (IE): If IE Enhanced Security Configuration is set to On, you may not see the registration screen. To get access, follow the instructions in the error message. Make sure that Internet Explorer Enhanced Security Configuration is set to Off.
Things to know
If you've previously installed a connector, reinstall it to get the latest version. When upgrading, uninstall the existing connector and delete any related folders. To see information about previously released versions and what changes they include, see Application Proxy: Version Release History.
If you choose to have more than one Windows server for your on-premises applications, you need to install and register the connector on each server. You can organize the connectors into connector groups. For more information, see Connector groups.
If you have installed connectors in different regions, you can optimize traffic by selecting the closest Application Proxy cloud service region to use with each connector group, see Optimize traffic flow with Microsoft Entra application proxy.
Verify the installation and registration
You can use the Global Secure Access portal or your Windows server to confirm that a new connector installed correctly.
Verify the installation through the Microsoft Entra admin center
To confirm the connector installed and registered correctly:
1. Sign in to the Microsoft Entra admin center as a Global Administrator of the directory that uses Application Proxy.
2. Browse to Global Secure Access (preview) > Connect > Connectors.
   - All of your connectors and connector groups appear on this page.
3. View a connector to verify its details.
   - Expand the connector to view the details if it's not already expanded.
   - An active green label indicates that your connector can connect to the service. However, even though the label is green, a network issue could still block the connector from receiving messages.
For more help with installing a connector, see Problem installing the Application Proxy Connector.
Verify the installation through your Windows server
To confirm the connector installed and registered correctly:
1. Select the Windows key and enter services.msc to open the Windows Services Manager.
2. Check that the status of the following services is Running:
   - Microsoft Entra application proxy Connector enables connectivity.
   - Microsoft Entra application proxy Connector Updater is an automated update service.
     - The updater checks for new versions of the connector and updates the connector as needed.
3. If the status for the services isn't Running, right-click each service and choose Start.
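The following PowerShell script is an added example, not part of the Microsoft documentation, and does from a console what the Services Manager steps above do by hand: it finds both connector services by display name, reports their state and start mode, starts any that are stopped, and reads the file version of each service binary so you can compare it against the 1.5.3417.0 minimum stated earlier on this page. Matching on the display-name fragment "Application Proxy Connector" is an assumption chosen so the script works with both the older "Microsoft AAD" and the newer "Microsoft Entra" service names; the event log channel name at the end is also an assumption and is queried best-effort only.

```powershell
# Added example (not from the Microsoft documentation): verify the two connector
# services are present, Running, set to start automatically, and at a supported version.

$MinimumVersion = [version]'1.5.3417.0'   # minimum for Private Access, per this article

# Assumption: both services carry "Application Proxy Connector" in their display name.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like '*Application Proxy Connector*' }

if (-not $services) {
    Write-Warning 'No connector services found; the connector is not installed on this host.'
    return
}

foreach ($svc in $services) {
    if ($svc.State -ne 'Running') {
        Write-Warning "$($svc.DisplayName) is '$($svc.State)'; starting it."
        Start-Service -Name $svc.Name
    }
    if ($svc.StartMode -ne 'Auto') {
        Write-Warning "$($svc.DisplayName) start mode is '$($svc.StartMode)'; it should be Automatic so it survives reboots."
    }

    # Win32_Service.PathName may be quoted and may carry arguments; isolate the executable.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $version = $null
    if (Test-Path -LiteralPath $exe) {
        try { $version = [version](Get-Item -LiteralPath $exe).VersionInfo.FileVersion } catch { }
    }

    [pscustomobject]@{
        Service      = $svc.DisplayName
        State        = (Get-Service -Name $svc.Name).Status
        StartMode    = $svc.StartMode
        Executable   = $exe
        FileVersion  = $version
        MeetsMinimum = if ($version) { $version -ge $MinimumVersion } else { 'unknown' }
    }
}

# Best-effort look at recent connector errors. A green label in the portal only proves
# the connector reached the service once; errors here reveal ongoing network problems.
# Assumption: the connector logs to this channel name; adjust if your host differs.
$channel = 'Microsoft-AadApplicationProxy-Connector/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $channel; Level = 2 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Run it in an elevated PowerShell session, since `Start-Service` on these services requires administrator rights. If `MeetsMinimum` reports `False`, follow the upgrade guidance in "Things to know" above: uninstall the existing connector, remove its folders, and install the current version.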
Create connector groups
To create as many connector groups as you want:
- Browse to Global Secure Access (preview) > Connect > Connectors.
- Select New connector group.
- Give your new connector group a name, then use the dropdown menu to select which connectors belong in this group.
- Select Save.
To learn more about connector groups, see Publish applications on separate networks and locations using connector groups.
Terms of Use
Your use of the Microsoft Entra Private Access and Microsoft Entra Internet Access preview experiences and features is governed by the preview online service terms and conditions of the agreement(s) under which you obtained the services. Previews may be subject to reduced or different security, compliance, and privacy commitments, as further explained in the Universal License Terms for Online Services and the Microsoft Products and Services Data Protection Addendum (“DPA”), and any other notices provided with the Preview.
Next steps
The next step for getting started with Microsoft Entra Private Access is to configure the Quick Access or Global Secure Access application: