A few months ago, I was working on a project where we needed to give users external access to an SFTP server that only trusted our office’s public IP. We tried using Entra Private Access for it, and we ran into the same roadblock.
Even though the connector handles the private routing, it doesn’t anchor or NAT the outbound traffic to the connector’s IP. The SFTP server still sees the user’s actual device IP, which means anything that depends on a fixed whitelisted public IP will continue to block the connection.
Entra Private Access doesn’t work like a full-tunnel VPN or a public-facing NAT gateway, so it cannot mask the user’s IP for external systems.
If the SFTP service must see a single static public IP, the practical options are to keep using your office VPN, route users through an Azure jump host or VM with a static IP you can whitelist, or move the SFTP endpoint behind your internal network so it truly becomes a private app. Private Access is great for internal resources, but it will not change the source IP for public-facing workloads.
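The quickest way to confirm the behaviour described in this reply is to look at what source address the SFTP server itself records. The following script is an added example, not code from the reply author or from Microsoft: it parses OpenSSH auth-log lines (a constructed sample is embedded) and flags any login that did not arrive from the allowlisted office IP, which is a hypothetical value here.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical allowlist: the single office public IP the SFTP server trusts
# (constructed value for this example; substitute your own).
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.10/32")]

# Matches the two OpenSSH auth-log shapes that carry a client IP:
#   "Accepted publickey for alice from 203.0.113.10 port 51234 ssh2: ..."
#   "Connection closed by authenticating user bob 198.51.100.7 port 40000 [preauth]"
AUTH_RE = re.compile(
    r"(?:Accepted \w+ for (?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+) port \d+"
    r"|Connection closed by authenticating user (?P<user2>\S+) (?P<ip2>[0-9a-fA-F:.]+) port \d+)"
)


@dataclass
class Finding:
    user: str
    source_ip: str
    allowed: bool


def audit_sshd_log(lines):
    """Return one Finding per auth event, marking whether the peer IP is allowlisted."""
    findings = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an auth line with a client address
        user = m.group("user") or m.group("user2")
        ip = m.group("ip") or m.group("ip2")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address, skip rather than misclassify
        allowed = any(addr in net for net in ALLOWED_SOURCES)
        findings.append(Finding(user, ip, allowed))
    return findings


# Constructed sample: one login via the office IP, two arriving directly from
# a user's device address, as the reply above says happens with Private Access.
SAMPLE_LOG = [
    "Mar 3 09:14:02 sftp01 sshd[2210]: Accepted publickey for alice from 203.0.113.10 port 51234 ssh2: RSA SHA256:abc",
    "Mar 3 09:15:40 sftp01 sshd[2231]: Accepted publickey for bob from 198.51.100.7 port 40111 ssh2: RSA SHA256:def",
    "Mar 3 09:16:05 sftp01 sshd[2240]: Connection closed by authenticating user carol 198.51.100.7 port 40222 [preauth]",
]

if __name__ == "__main__":
    for f in audit_sshd_log(SAMPLE_LOG):
        print(f"{f.user:<8} {f.source_ip:<16} {'ok' if f.allowed else 'NOT allowlisted'}")
```

If the unexpected addresses in real logs are your users' home or mobile egress IPs rather than the connector's, that is direct evidence the connector is not masking the source.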