Public Preview - GSA Private DNS Support
Entra Private Access, which is Generally Available, already supports the TCP protocol (e.g., RDP, SSH, SMB, etc.) and the UDP protocol (e.g., DFS, SMB, RDP). Now, with Private DNS support, network administrators can publish DNS suffixes from their internal network and naming structure so that machines running the GSA client can resolve those names. This latest addition allows you to access IP-based app segments across private apps using FQDNs.
This means that you can publish internal resources and connect with local names.
To enable Private DNS and publish internal names, follow the guide below.
- Go to GSA Quick Access in the Entra Portal
- Use this fast link to jump right to the section
- Private DNS support for Microsoft Entra Private Access lets you query your resources by FQDN, based on the IP addresses published in the application segment. In this example, we have added our local IP subnet as an application segment and published TCP port 3389 (the RDP protocol).

Now click on the Private DNS tab, tick Enable Private DNS, and add the DNS suffix you want to publish.
It is important to note that the connector you use needs to be able to look up the FQDN of the resource it is trying to establish a connection to.
Normally it takes about 10-15 minutes to propagate.

To verify that this is enabled and configured, open the Advanced Diagnostics option from the GSA client.

Click on the Forwarding profile tab and expand Private DNS Rules.
Here you will see the published domain suffix.

Now, in this example, when you try to access the server over RDP by FQDN, Private Access will recognize that it should acquire the DNS query and send it to the connector to be resolved to an IP. The RDP client gets the IP and tries to connect. Again, Private Access recognizes that this is an IP and port combination for which it should acquire traffic and send it to the connector.
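The two acquisition decisions described above (the DNS query by suffix, then the connection by IP and port) can be modelled to audit a planned configuration before publishing it. This is an added example, not Microsoft's code or the GSA client's actual matching logic: the suffix `corp.example`, the subnet, the host records and all function names are constructed, and matching suffixes on a label boundary is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    cidr: str        # published IP range, e.g. the local subnet
    protocol: str    # "tcp" or "udp"
    ports: range     # published port range

def dns_acquired(fqdn, suffixes):
    """True if the name falls under a published suffix (label-boundary match, assumed)."""
    name = fqdn.rstrip(".").lower()
    return any(name == s or name.endswith("." + s)
               for s in (x.strip(".").lower() for x in suffixes))

def traffic_acquired(ip, protocol, port, segments):
    """True if the IP/protocol/port combination is covered by an application segment."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s.cidr)
               and protocol == s.protocol and port in s.ports
               for s in segments)

def audit(records, suffixes, segments):
    """Classify each (fqdn, ip, protocol, port) record against the planned config."""
    result = {}
    for fqdn, ip, proto, port in records:
        dns = dns_acquired(fqdn, suffixes)
        net = traffic_acquired(ip, proto, port, segments)
        if dns and net:
            status = "tunneled"                    # name and connection both acquired
        elif dns:
            status = "resolves-but-not-tunneled"   # name acquired, IP/port not published
        elif net:
            status = "ip-only"                     # reachable by IP, name not published
        else:
            status = "not-published"
        result[(fqdn, port)] = status
    return result

# Constructed sample configuration and host inventory (not from the original post).
SUFFIXES = ["corp.example"]
SEGMENTS = [Segment("10.10.0.0/24", "tcp", range(3389, 3390))]
RECORDS = [
    ("rdp01.corp.example", "10.10.0.15", "tcp", 3389),
    ("rdp02.corp.example", "10.20.0.15", "tcp", 3389),     # IP outside the segment
    ("files.corp.example", "10.10.0.20", "tcp", 445),      # port not published
    ("rdp03.notcorp.example", "10.10.0.30", "tcp", 3389),  # suffix not published
]

if __name__ == "__main__":
    for key, status in audit(RECORDS, SUFFIXES, SEGMENTS).items():
        print(key, status)
```

Records reported as `resolves-but-not-tunneled` are the ones to review: in this model the name is acquired by Private DNS, but the resolved IP or port is not covered by any application segment.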
Additionally, admins can now configure Kerberos authentication to Domain Controllers with Private DNS, allowing for a single sign-on experience when accessing Kerberos resources. Detailed public documentation on configuring Kerberos SSO authentication via Entra Private Access is linked below.
Useful links:


