All posts tagged Security Service Edge

Entra Private Access and Bring Your Own Device (BYOD)

Microsoft Entra Private Access is a Zero Trust Network Access (ZTNA) solution that provides secure access to private enterprise resources. With the release of Global Secure Access (GSA) client version 2.26.108, Microsoft has addressed a crucial functionality gap by adding support for Bring Your Own Device (BYOD), enabling secure access from non-managed endpoints.

BYOD Support in Global Secure Access

Microsoft introduced BYOD support for Entra Private Access with the release of the GSA client version 2.26.108. This update allows the GSA client to be installed on Microsoft Entra-registered devices that are not domain-joined or managed by the organization, enabling secure access to private resources from personal or unmanaged endpoints.

Use Cases

BYOD support in GSA and Entra Private Access enables several common scenarios where network access from managed devices is impractical or unavailable, including:

  • Vendor or contractor access
  • IT incident response from unmanaged endpoints
  • Temporary or seasonal staffing
  • Collaboration with external partners

Replacing Legacy VPN for Ad Hoc Access

Historically, legacy VPN solutions were the primary option for providing ad hoc access to private resources from unmanaged devices. With the introduction of BYOD support in the GSA client, organizations can now extend Entra Private Access to these scenarios without deploying or maintaining a separate VPN infrastructure.

Additional Changes

In addition to adding BYOD support, GSA client v2.26.108 includes the following new enhancements.

  • Improved Intelligent Local Access (ILA) detection
  • Join Type displayed in the client interface
  • GSA traceroute enhancements, including a 50M MB speed test between the client and edge service.

Summary

BYOD support removes a key barrier to adopting Microsoft Entra Private Access. Organizations can now securely provide access to private resources using Zero Trust policies, even when users connect from unmanaged or personal devices, and without relying on legacy VPN solutions.

Additional Information

Microsoft Entra Private Access Bring Your Own Device (BYOD)

Microsoft Global Secure Access Client for Windows v2.26.108

Microsoft Entra Private Access Intelligent Local Access

Always On VPN vs. Entra Private Access

Leave a comment
by Richard M. Hicks on February 10, 2026  •  Permalink
Posted in authentication, Azure Active Directory, Azure AD, Azure AD Join, Azure Conditional Access, cloud, Cloud Service, Conditional Access, Enterprise, enterprise mobility, Entra Conditional Access, Entra Global Secure Access, Entra Private Access, Global Secure Access, GSA, ILA, Intelligent Local Access, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Private Access, Mobility, Private Network Connector, public cloud, Remote Access, Secure Service Edge, Security, Security Service Edge, VPN, Windows 10, Windows 11, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 10, 2026

https://directaccess.richardhicks.com/2026/02/10/entra-private-access-and-bring-your-own-device-byod/

What’s New in Entra Global Secure Access Client v2.24.117

In early December 2025, Microsoft announced an update for the Entra Global Secure Access client. This latest release, v2.24.117, includes important changes that administrators will find helpful for efficient connectivity and enhanced troubleshooting.

Intelligent Local Access

The latest release of the Microsoft Entra Global Secure Access client adds support for Intelligent Local Access (ILA). ILA ensures optimal network connectivity when accessing published resources. ILA can detect when it is on a trusted network and send traffic directly to the resource, bypassing the cloud gateway to improve performance. Authentication and authorization are still required for application access regardless of location.

B2B Guest Access

B2B Guest Access, now in public preview, enables external partners to securely access an organization’s private resources using their own devices and home Microsoft Entra ID credentials, without credential duplication. Partners install the Global Secure Access client, sign in, and switch to the resource tenant, routing traffic via Private Access profiles for Conditional Access, MFA, and continuous evaluation. It supports BYOD and multitenant switching, requires guest user setup and specific client configurations in the resource tenant, and needs licensing only in the resource tenant. However, B2B Guest Access does not support Kerberos-based on-premises resources. More details here.

Traceroute

This latest release of the Entra Global Secure Access client also includes a new traceroute tool. GsaTracert.exe, located in the C:\Program Files\Global Secure Access Client\GSATracert\ folder, allows administrators to test connectivity to published resources and evaluate network response time and performance.

FQDN

Administrators can use GsaTracert.exe to validate connectivity to a resource using its fully qualified domain name (FQDN). When running the command, GsaTracert.exe reports the round-trip time (RTT) in milliseconds for each hop along the path, including the target resource. It will also indicate which point of presence (PoP) the client is currently connected to. The syntax to perform this test is:

.\GsaTracert.exe --host <fqdn:port>

For example:

.\GsaTracert.exe --host app1.lab.richardhicks.net:443

IP:Host

In addition to testing an FQDN, administrators can test individual resources using a combination of IP address and port number. The syntax to perform this test is:

.\GsaTracert.exe --host <ip:port>

For example:

.\GsaTracert.exe --host 172.16.0.254:22

Application ID

In addition to FQDN and IP:Port, administrators can also supply the application ID to test. However, since an application can include multiple IP addresses and/or ports, the measurement for backend resources is omitted when using this option. The syntax to perform this test is:

.\GsaTracert.exe --app-id <app ID>

For example:

.\GsaTracert.exe --app-id a8b914b-4143-4901-9fbb-09b61319d5a6

Note: You can find the application ID for a published application by opening the Entra admin center and navigating to Global Secure Access > Applications > Enterprise Applications. The application ID will be displayed on the Overview page of the published Enterprise application.

Speedtest

Administrators can use the –speedtest switch with any of the combinations above to test the endpoint’s Internet performance. The results are for the connection to the public Internet, not to the published resource.

Additional Features

The following new features are designed to improve the user experience for Global Secure Access users.

Disable Private Access

Administrators can now use a registry setting to show the Disable button, allowing users to disable Entra Private Access. Disabling Private Access is helpful when a device is on the internal network, and the user prefers to access resources directly rather than through Global Secure Access.

View Account

The new Global Secure Access client now includes a View Account link to the user’s Microsoft Entra My Account website.

Summary

The Microsoft Entra Global Secure Access Client v2.24.117 introduces several valuable enhancements for administrators and users alike. Key highlights include Intelligent Local Access for optimized performance on trusted networks, public preview support for B2B Guest Access enabling secure external collaboration without credential duplication, and the new GsaTracert.exe traceroute tool for detailed network diagnostics. Additional improvements, such as the ability to disable Private Access via registry settings and quick access to the My Account portal, further streamline management and troubleshooting. These updates reinforce Microsoft Entra Global Secure Access as a robust solution for secure, efficient resource connectivity.

Additional Information

Microsoft Entra Global Secure Access client v.2.24.117

Install the Entra Global Secure Access client for Microsoft Windows

Microsoft Entra Private Access Intelligent Local Access (ILA)

Preventing Port Exhaustion on Entra Private Network Connector Servers

Always On VPN vs. Entra Private Access: Choosing the Right Access Model for Your Organization

Leave a comment
by Richard M. Hicks on January 5, 2026  •  Permalink
Posted in Entra, Entra Global Secure Access, Entra ID, Entra Internet Access, Entra Private Access, Global Secure Access, GSA, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Internet Access, Microsoft Entra Private Access, Security, Security Service Edge, SSE, Windows 10, Windows 11, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 5, 2026

https://directaccess.richardhicks.com/2026/01/05/whats-new-in-entra-global-secure-access-client-v2-24-117/

Entra Private Access Channels Are Unreachable

Administrators deploying Microsoft Entra Private Access may encounter a scenario in which the Global Secure Access (GSA) agent reports an error. However, the client continues to work without issue, and all internal resources remain reachable via the Entra Private Access connection. This issue occurs only when the Private Access forwarding profile is enabled alone. It does not happen if the Microsoft traffic forwarding profile is also enabled.

GSA Status Error

When this happens, the Private access channel status is Connected, but the Entra access channel is Disconnected. Also, you will see the following error message when clicking on the GSA client in the notification area.

Some channels are unreachable

Global Secure Access has some channels that are unreachable

Health Check

To investigate further, click the Troubleshooting tab, then click Run tool in the Advanced diagnostics tool section. In the Health check section, you will see the following error message.

Diagnostic URLs were not found in forwarding policy

Scrolling down the list also reveals the following error messages.

Magic IP received = False

Tunneling succeeded Entra Authentication = False

Root Cause

Several months ago, Microsoft made changes to the health check probes that required enabling the Microsoft traffic forwarding profile to work. Some essential health-check probes were not accessible via the Private Access channel, resulting in the error messages shown above when only the Private Access forwarding profile is enabled.

Resolution

Microsoft is rolling out changes to address this issue at the time of this writing (late October 2025). If you encounter this error, it will most likely resolve itself soon. Alternatively, administrators can enable the Microsoft traffic forwarding profile, which will also fix this issue.

Additional Information

Microsoft Entra Private Access

Microsoft Entra Global Secure Access (GSA)

Microsoft Security Service Edge (SSE) Now Generally Available

Microsoft Entra Security Service Edge (SSE) on RunAs Radio

2 Comments
by Richard M. Hicks on October 30, 2025  •  Permalink
Posted in Entra, Entra Global Secure Access, Entra ID, Entra Internet Access, Entra Private Access, Global Secure Access, GSA, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Internet Access, Microsoft Entra Private Access, SASE, Secure Access Service Edge, Secure Service Edge, Security, Security Service Edge, SSE, troubleshooting, Windows 10, Windows 11, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 30, 2025

https://directaccess.richardhicks.com/2025/10/30/entra-private-access-channels-are-unreachable/

« Older Posts