This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 24%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hello,
We have Global Secure Access deployed and connected on every user's computer. It is working well for all Microsoft services. We are having issues logging into a 3rd-party browser based app. The app is GReminders which connects to and syncs the users Exchange calendar. Then a client can go in and see the employees calednar to schedule a meeting with them. The user is having is constantly resync their calendar and it is being disconnected from our GSA Conditional Access policy. Upon checking the sign-on logs for the GReminders app in Entra, I can see that the CA policy which blocks access from non-compliant (non GSA networks) is causing the issue.
The GReminders app is registered in Entra and excluded from the CA policy.
I tried to work around this by enabling the Internet Access traffic profile, hoping that when the user logs into GReminders in the browser, it will use the Internet Access profile to mark it as a compliant network through GSA. However, this does not seem to be the case. The sign-in logs of the GReminders app show the login coming from the public IP address of my office, not through GSA. If I look at a sign-on log for Outlook or Sharepoint for example, it shows through GSA: yes. I know the Internet Traffic profile is working properly as I setup web content filtering and that is working. I can also see the traffic logs.
The root issue here is that browser authentication through a 3rd party app is not going through GSA, even with the Internet Traffic Profile enabled.
How can I get GReminders (a browser based 3rd party app) to work go through the GSA compliant network?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 74%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Hello @Techsupport ,
Based on your description I understand that GSA is working fine for Microsoft apps and services, CA policies are also working as expected and the setup is working fine except for GReminders app which is a browser based third party app which uses browser based authentication.
It looks like the browser based authentication traffic for GReminders is not being routed via GSA’s Internet Access profile, even when enabled. This may happen if the GSA is not able to intercept the APIs being used by this app and the authentication communication is happening directly between the Microsoft Identity and this app.
You can try to force the authentication endpoints to pass through GSA Internet Access profile for the browser traffic. Modify the GSA Internet Access profile to explicitly route those domains, endpoints like login.microsoftonline.com, secure.aadcdn.microsoftonline-p.com, aadcdn.msftauth.net or anything else which is configured for the login of GReminders.
Hello,
Thank you for the comment. I would make sense that I need to explicitly route those domains through GSA Internet access profile. Where would I set this up within the GSA configuration? I do not see anything that allows me to define specific domains to use the traffic profile, only to bypass the traffic profile
Hello @Techsupport,
Following up to check if the provided information was helpful. If you have any further questions or queries, please do let us know.
Hello @Techsupport,
Following up to check if the provided information was helpful. If you have any further questions or queries, please do let us know.
Hello @Techsupport,
Following up to check if the provided information was helpful. If you have any further questions or queries, please do let us know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 77%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hello @Techsupport,
Following up to see whether the answer provided by Jyotishree Moharana, is helpful?.
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
Hello @Techsupport, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
That is correct in Internet Access profile normally the bypass policies are allowed and take precedence. In this scenario we would need to check if in the Bypass policies these endpoints are being bypassed or not. Only define the endpoints which you want to be bypassed and whose traffic you don't want to acquire.
First analyze the traffic when GReminders is accessed, keep note of the endpoints and the ports and then it would be required to cross check if they have defined to be bypassed.
Whether the traffic will be captured or not depends on what is defined in the default Internet Access policies i.e. in Custom Bypass, Default bypass and default acquire. Default acquire takes lowest precedence after all bypass rules are evaluated.
Traffic is evaluated from top to bottom, which means it only gets acquired by the Internet traffic profile if it’s not being bypassed in one of the bypass rules.
The changes made in Internet Access profile should be in harmony with Microsoft traffic profile. When you enable the Internet Access forwarding profile, you should also enable the Microsoft traffic forwarding profile for optimal routing of Microsoft traffic. You enable the Microsoft traffic profile by selecting the profile checkbox on the same page where you enable the Internet Access traffic forwarding profile.
When a rule is set to Bypass in the Microsoft traffic profile, the Internet Access traffic profile will not acquire this traffic. Even with the Internet Access profile enabled, the bypassed traffic will skip Global Secure Access acquisition and use that client's network routing path to egress to the Internet. Traffic available for acquisition in the Microsoft traffic profile can be only acquired in the Microsoft traffic profile.
So, if we're requiring any traffic to be acquired in Internet access then it should not be set to bypass in Microsoft traffic profile.
Hello,
This helped and answered my question. Everything is working now. Thank you!