Microsoft Entra Private Access, the companion to Microsoft Entra Internet Access within Global Secure Access, uses the Global Secure Access client to establish a secure, encrypted tunnel from the user's device to the Microsoft Global Secure Access service. That service then brokers access to private resources. This client-to-service communication is what the connectivity requirements below exist to support.
To implement Microsoft Entra Private Access, the required ports focus on outbound connectivity from your on-premises environment to Microsoft's cloud services. Specifically:
Outbound port 443 (HTTPS): This is essential for secure communication between the Entra Private Access Connector (deployed on-premises) and Microsoft Entra services. It handles authentication, policy updates, and encrypted traffic.
Outbound port 80 (HTTP): While less critical, port 80 may be used for initial connectivity checks, certificate revocation checks (OCSP/CRL), or redirection to port 443. It is recommended to allow this for reliability.
Inbound ports are not required for Entra Private Access, as the connector initiates outbound connections to Microsoft.
Thus, the correct ports to enable are Outbound ports 80 and 443 only.
Explanation of options:
❌ Inbound port 443 only: Not required (inbound traffic is not initiated by Microsoft).
❌ Inbound ports 80 and 443 only: Incorrect (inbound is unnecessary).
❌ Outbound port 443 only: Incomplete (port 80 is recommended for auxiliary functions).
✅ Outbound ports 80 and 443 only: Correct (covers all outbound requirements).
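As an added example (not part of the original answer), the following PowerShell checks a connector host against the requirement above: outbound TCP 443 must succeed, outbound TCP 80 should succeed, and no inbound allow rule for those ports should be present. The endpoint names are placeholders; substitute the connector endpoints from Microsoft's published prerequisites.

```powershell
# Added example: verify a connector host meets the outbound-only port requirement.
# The endpoint names below are constructed placeholders, not real service hosts.
$Endpoints = @('PLACEHOLDER-entra-endpoint-1.example', 'PLACEHOLDER-entra-endpoint-2.example')
$Ports     = @(443, 80)

function Test-ConnectorOutbound {
    param([string[]]$Hosts, [int[]]$Ports)
    $results = foreach ($h in $Hosts) {
        foreach ($p in $Ports) {
            # Test-NetConnection attempts a TCP handshake; suppress its warning on failure
            $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Host = $h; Port = $p; Open = $r.TcpTestSucceeded }
        }
    }
    $results | Format-Table -AutoSize
    # 443 is mandatory for the connector; 80 is recommended, so a blocked 80 is only a warning
    $results | Where-Object { -not $_.Open -and $_.Port -eq 443 } |
        ForEach-Object { Write-Error "Required outbound 443 to $($_.Host) is blocked" }
    $results | Where-Object { -not $_.Open -and $_.Port -eq 80 } |
        ForEach-Object { Write-Warning "Recommended outbound 80 to $($_.Host) is blocked" }
}

function Find-UnneededInboundRules {
    # The connector initiates all connections, so an enabled inbound allow rule
    # opening 80 or 443 is surplus exposure on the host and should be reviewed.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -match '^(80|443)$' } |
        Select-Object DisplayName, Profile
}

Test-ConnectorOutbound -Hosts $Endpoints -Ports $Ports
Find-UnneededInboundRules
```

Run it from an elevated session on the connector host; an empty result from Find-UnneededInboundRules is the expected state.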