Entra Private Connector - Default region NA and greyed out

Gareth Vorster 21

Good day,

I need some advice or assistance with regards to Entra Private Connectors, we have done a deployment and everything is working however because of the region its a little slower than it should be.

We are based in EMEA however the default connector is set to NA and is greyed out, I have removed all apps and connectors from the default connector however I am still not able to change the region.
User's image

I have also tried to create a second connector group and have added this to the Europe region however when I try to add the applications to the group, it does not appear in the list.

User's image Any suggestions would be greatly appreciated as I am not sure why this does not want to work.
We are looking to get away from traditional VPN for the ZTNA configuration and if we cannot get this working with Microsoft then we will need to look at another partner like zScaler.

Kind regards,
Gareth Vorster

Gareth Vorster 21

So just to add to this I did some checks in powershell and am seeing the below. The issue here is that my tenant in in Europe I have confirmed this in multiple places but this is still showing these connectors on in North America? The custom connector I created shows as eur but I cannot see it listing on the applications? PS C:\WINDOWS\system32> Get-MgBetaOnPremisePublishingProfileConnectorGroup -OnPremisesPublishingProfileId applicationProxy | FL

Applications         : 
ConnectorGroupType   : passthroughAuthentication
Id                   : 3c4aae4d-2e2a-xxxxxxxxxxxx
IsDefault            : False
Members              : 
Name                 : Default group for Pass-through Authentication
Region               : nam
AdditionalProperties : {}
Applications         : 
ConnectorGroupType   : syncFabric
Id                   : a7fa412c-024b-xxxxxxxxxxxx
IsDefault            : False
Members              : 
Name                 : Default group for AD Sync Fabric
Region               : nam
AdditionalProperties : {}
Applications         : 
ConnectorGroupType   : applicationProxy
Id                   : f9f994d5-d3f4-xxxxxxxxxxxx
IsDefault            : False
Members              : 
Name                 : GSA
Region               : eur
AdditionalProperties : {}
Applications         : 
ConnectorGroupType   : syncFabric
Id                   : 3a72359e-737a-xxxxxxxxxxx
IsDefault            : False
Members              : 
Name                 : Group-DOMAIN-08737644-6bcd-xxxxxxxxxx
Region               : nam
AdditionalProperties : {}
Applications         : 
ConnectorGroupType   : exchangeOnline
Id                   : ced3a238-e8d9-xxxxxxxx
IsDefault            : False
Members              : 
Name                 : Default group for Exchange Online
Region               : nam
AdditionalProperties : {}
Applications         : 
ConnectorGroupType   : applicationProxy
Id                   : 76dcba2c-0568-xxxxxxxx
IsDefault            : True
Members              : 
Name                 : Default
Region               : nam
AdditionalProperties : {}

Really not sure where to go form here?

Any suggestions would be appreciated.

Kind regards, Gareth Vorster

Givary-MSFT 33,476 Reputation points Microsoft Employee

2024-10-14T09:35:45.4533333+00:00

@Gareth Vorster Apologies for the delayed response, let me check on the above mentioned ask and revert back, I also noticed you have opened a case # 2410100050001869 as well for the same.
Gareth Vorster 21 Reputation points

2024-10-14T09:40:51.2433333+00:00

@Givary-MSFT No problem, yes I have logged a ticket for it as we need to see if we can move off our current cloud proxy and move all our services to this before we have to renew the current solution. If I can get this issue resolved then we will be moving two of our solutions to this one and that will reduce our risk substantially. If you need anymore information please let me know as I can share this with you to assist in resolving the issue.

2 answers

Givary-MSFT 33,476 Reputation points Microsoft Employee

2024-10-14T09:55:48.9433333+00:00

@Gareth Vorster Thank you for reaching out to us, while researching on your issue came across this doc - https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-connectors where it is mentioned - Microsoft Entra Private Access does not support multi-geo connectors. The cloud service instances for your connector are chosen in the same region as your Microsoft Entra tenant (or the closest region to it) even if you have connectors installed in regions different from your default region.

Multi Geo Connector group functionality is unsupported for the GSA Private Access Apps flow. To address this, you must create/select a connector group from the same Tenant location.

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Please sign in to rate this answer.
Gareth Vorster 21 Reputation points

2024-10-14T10:03:58.1833333+00:00

Hi Givary, I have seen this, however currently the way it is working it should not be according to that article. My tenant is located in the EMEA region, I have checked this on the Azure Portal and in 365 and I have the same results.

Givary-MSFT 33,476 Reputation points Microsoft Employee

2024-10-14T10:08:36.3466667+00:00

@Gareth Vorster Thank you for more details like where the tenant is located, let me check on this and revert back.

Givary-MSFT 33,476 Reputation points Microsoft Employee

2024-10-15T04:05:28.5666667+00:00

@Gareth Vorster Regarding this issue, checked with my engineering team and here is the update which I have - Entra Private Access backend doesn't have an Africa geo - South Africa is not an EU country and is not considered EU for us. Therefore, it defaults to the default region which is NA. Once we support multi geo (which is in development) and soon we will have this feature available too. Let me know if you have any further questions, feel free to post back.

Gareth Vorster 21 Reputation points

2024-10-15T05:23:32.05+00:00

Hi Givary, this is disappointing news as I stated we were looking to move multiple services to Microsoft for GSA. What I don't understand is my tenant is set in the EU so I cannot understand why it would set our region would be set to NA. Do you perhaps have a timeline for when multi-geo will be available, as I need to know if I will be able to get GSA into our budget or if I would need to move to another solution outside of Microsoft's offering?

Givary-MSFT 33,476 Reputation points Microsoft Employee

2024-10-15T09:03:34.7766667+00:00

@Gareth Vorster Completely understand your concern, let me check on this and revert back.

Gareth Vorster 21 Reputation points

2024-10-21T07:33:55.86+00:00

@Givary-MSFT have you perhaps got any more news for me regarding our case?
Today I wanted to continue testing and now I cannot set my connectors back to the default group?

Gareth Vorster 21 Reputation points

2024-10-21T07:34:16.74+00:00

Ray Leslie 5 Reputation points

2024-10-29T03:42:34.2433333+00:00

have the same issue, in South Africa and need to set the connector to EU, don't know why it's using North America. should be EU
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Gareth Vorster 21 Reputation points

2024-11-12T13:02:30.6266667+00:00

So this issue according to Microsoft cannot be fixed, so I am now going to have to look at solutions like zScaler or Netscope for ZTNA. For anyone else with this issue please note this, To get this working they need to implement Multi-Geo as it is right now if your MgBeta Graph setup is not in your tenant location then it will not allow you to add a connector to another region. What is odd is that my Tenant is EU/ZA for Azure and 365 but my graph is sitting in NA and cannot be moved according to the Microsoft engineer.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Entra Private Connector - Default region NA and greyed out

2 answers

Your answer