You must also ensure that client machines run Windows 10 or later and are Microsoft Entra joined or hybrid joined. Client machines must also have network line of sight to both the private resources and the domain controller; in other words, the user must be on the corporate network, accessing on-premises resources directly.
For firewall rules, you must open inbound TCP port 1337 in Windows Firewall on the domain controllers. You must also identify the Service Principal Names (SPNs) of the private apps you want to protect and add them to the Private Access Sensors policy installed on the domain controllers.
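The following PowerShell is an added example, not code from the article or from Microsoft, that walks the prerequisites above in order: the client join-state and line-of-sight checks, the inbound TCP 1337 firewall rule on a domain controller, and enumerating the SPNs of a private app so they can be added to the sensor policy. The host names (`dc01`, `app01.corp.example.com`) and the rule display name are assumptions for illustration; adding the SPNs to the Private Access Sensors policy is done in the Microsoft Entra admin center and is not scripted here.

```powershell
# Added example (not from the original article). Host names and the rule
# name below are assumptions; adjust them to your environment.

# --- 1. On a client: Windows 10 or later, Entra joined or hybrid joined ---
$os = [System.Environment]::OSVersion.Version
if ($os.Major -lt 10) { Write-Warning "Client must run Windows 10 or later (found $os)" }

# dsregcmd /status reports the device join state; AzureAdJoined plus
# DomainJoined means hybrid joined, AzureAdJoined alone means Entra joined.
$dsreg        = dsregcmd /status
$azureJoined  = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')
if     ($azureJoined -and $domainJoined) { Write-Output 'Device is hybrid joined' }
elseif ($azureJoined)                    { Write-Output 'Device is Entra joined' }
else   { Write-Warning 'Device is neither Entra joined nor hybrid joined' }

# Line of sight: the client must reach the DC (Kerberos, TCP 88) and the
# private app (assumed HTTPS here) directly, not through a proxy.
$dc  = 'dc01.corp.example.com'    # assumed domain controller
$app = 'app01.corp.example.com'   # assumed private app host
Test-NetConnection -ComputerName $dc  -Port 88  |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName $app -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# --- 2. On each domain controller: allow inbound TCP 1337 ---
# Scoped to the Domain profile so the port is never exposed on other profiles;
# add -RemoteAddress with your client subnets if you want it tighter still.
$ruleName = 'Entra Private Access Sensor (TCP 1337 inbound)'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 1337 -Action Allow -Profile Domain | Out-Null
}
# Verify the rule actually carries the port you intended.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# --- 3. Identify the SPNs of the private app to protect ---
# setspn -L works too; Get-ADObject lets you search the directory for every
# SPN that references the app host, whether it lives on a computer or a
# service account.
Import-Module ActiveDirectory
$appHost = 'app01'   # assumed short host name of the private app
$spns = Get-ADObject -Filter "servicePrincipalName -like '*$appHost*'" `
            -Properties servicePrincipalName |
        Select-Object -ExpandProperty servicePrincipalName
$spns   # e.g. HTTP/app01.corp.example.com; these go into the sensor policy
```

Run sections 1 and 2 where they apply (client versus domain controller); section 3 needs the RSAT ActiveDirectory module. Review the SPN list before adding it to the policy: a wildcard search can pull in SPNs for other services on the same host, and enforcing MFA on one you did not mean to protect is exactly the kind of surprise the staged rollout in the next paragraph is meant to avoid.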
Microsoft recommends testing this functionality with your private app first. You can enforce MFA on the domain controller itself in the same way, through its SPN, but doing so only at a later stage, once the private app has been validated, helps you avoid locking administrators out, Microsoft reports.