AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam

Eager to master hybrid server management? Discover how to administer Windows Server Hybrid Core Infrastructure on Azure, setting your path towards the Microsoft Certified: Azure Hybrid Infrastructure Administrator Associate certification!


Implement Microsoft Entra Private Access

Configure Private Access Connectors and Policies

Microsoft Entra Private Access provides a zero-trust approach to secure remote access for on-premises and private Azure resources. By deploying Private Access connectors, you create an encrypted tunnel that avoids exposing your network to the public internet. This solution helps reduce the attack surface and ensures that only authorized users and devices can reach sensitive applications. Throughout this process, you’ll also set up Conditional Access policies to control who can access resources, when, and how.

Before installing connectors, prepare your on-premises environment by ensuring that outbound HTTPS traffic can reach Azure data centers. Open your firewall to allow outbound TCP ports 80 and 443 for certificate checks and secure communication. If you’re using Azure Government cloud, you must also allow the specific URLs and parameters unique to that environment. These steps are critical to avoid connectivity failures during and after the connector setup.

Installing and registering connectors requires meeting basic prerequisites on each Windows server: .NET Framework 4.7.1 or later and a minimum connector version (for example, 1.5.3417.0). You can obtain the connector installer from the Azure Marketplace, AWS Marketplace, or GCP Marketplace. Once installed, each connector establishes an outbound connection to the Global Secure Access service in Microsoft Entra, forming the backbone of your secure tunnel to private applications.

After deployment, configure network settings to maintain stable operations:

  • Port 80 for downloading certificate revocation lists (CRLs)
  • Port 443 for secure connector communication

Ensure TLS traffic is not intercepted by inline inspection or termination devices. To support high availability, group multiple connectors into connector groups through the Microsoft Entra admin center. Connector groups help distribute traffic and provide redundancy if one connector fails.

Finally, validate your configuration through the Microsoft Entra admin center and log analysis. Sign in as an Application Administrator and navigate to Global Secure Access > Connect > Connectors to check for a green status indicator. You can also use Windows Services Manager to verify that the Microsoft Entra private network connector service is running. To complete your setup, define user- and device-based access policies with Conditional Access and run test access scenarios. Reviewing logs and test results ensures that your policies are effective and that connectivity is reliable.
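The prerequisite, network and service checks described above can be scripted and run on each connector server. The following PowerShell is an added example, not Microsoft's or this guide's own tooling; the endpoint names and the expected-issuer pattern are assumed sample values, to be replaced with the URLs Microsoft publishes for your cloud.

```powershell
# Added example: pre-flight and post-install checks for a connector server.
# Endpoint names and issuer pattern are ASSUMED samples, not an official list.
param(
    [string[]]$TlsEndpoints = @('login.microsoftonline.com'),  # port 443 targets
    [string[]]$CrlEndpoints = @('crl.microsoft.com'),          # port 80 targets
    [string]$ExpectedIssuerPattern = 'DigiCert|Microsoft'      # public CAs you expect
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Check, $Target, $Ok, $Detail) {
    $results.Add([pscustomobject]@{
        Check = $Check; Target = $Target; Pass = [bool]$Ok; Detail = $Detail })
}

# 1. .NET Framework 4.7.1 or later: Release value 461308 or higher.
$key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty $key -ErrorAction SilentlyContinue).Release
Add-Result '.NET Framework >= 4.7.1' $env:COMPUTERNAME ($release -ge 461308) "Release=$release"

# 2. Outbound TCP 80 for CRL downloads.
foreach ($h in $CrlEndpoints) {
    $t = Test-NetConnection -ComputerName $h -Port 80 -WarningAction SilentlyContinue
    Add-Result 'Outbound TCP 80 (CRL)' $h $t.TcpTestSucceeded "Remote=$($t.RemoteAddress)"
}

# 3. Outbound TCP 443 with normal certificate validation. A handshake failure
#    or an issuer outside the expected set suggests inline TLS inspection.
foreach ($h in $TlsEndpoints) {
    $tcp = $null; $ssl = $null
    try {
        $tcp = [System.Net.Sockets.TcpClient]::new($h, 443)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($h)
        $issuer = $ssl.RemoteCertificate.Issuer
        Add-Result 'TLS 443 not intercepted' $h ($issuer -match $ExpectedIssuerPattern) "Issuer=$issuer"
    } catch {
        Add-Result 'TLS 443 not intercepted' $h $false $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

# 4. Connector service state (post-install), matched by display name.
$svc = Get-Service -DisplayName 'Microsoft Entra private network connector*' -ErrorAction SilentlyContinue
if (-not $svc) { Add-Result 'Connector service' $env:COMPUTERNAME $false 'Service not found' }
foreach ($s in $svc) {
    Add-Result 'Connector service' $s.DisplayName ($s.Status -eq 'Running') "Status=$($s.Status)"
}

$results | Format-Table -AutoSize -Wrap
if ($results.Pass -contains $false) { exit 1 }
```

Run it once before installation (the service check is expected to fail at that point) and again afterwards; a non-zero exit code makes it usable in a deployment pipeline or scheduled health check.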

Conclusion

In this section, you learned how to deploy and register Microsoft Entra Private Access connectors, which form secure tunnels for on-premises applications. You prepared the environment by opening necessary ports and allowing required URLs, then installed connectors and grouped them for high availability. Configuring network settings and validating installation status in the Microsoft Entra admin center ensures a stable connection. Finally, you defined Conditional Access policies to control user and device access and used testing and log analysis to confirm compliance and connectivity. These steps together create a robust, zero-trust solution for accessing private resources.