Global Secure Access Frequently asked questions

Frequently asked questions related to Microsoft Entra Internet Access and Microsoft Entra Private Access, which are part of Global Secure Access.

Common platform questions

I received an error when trying to access a tenant I have access to.

If you enabled universal tenant restrictions and access the Microsoft Entra admin center for one of the allow listed tenants, you see an "Access denied" error. Add the feature flag to the Microsoft Entra admin center: ?feature.msaljs=true&exp.msaljsexp=true. For example, you work for Contoso and you have allow listed Fabrikam as a partner tenant. You see the error message for the Fabrikam tenant's Microsoft Entra admin center. If you received the "access denied" error message for this URL: https://entra.microsoft.com/ then add the feature flag as follows: https://entra.microsoft.com/?feature.msaljs%253Dtrue%2526exp.msaljsexp%253Dtrue#home

Does Global Secure Access allow B2B logins?

B2B logins are only supported when the user is accessing the service from a device that is Microsoft Entra joined. The Microsoft Entra tenant must match the users sign-in credentials. For example, a person works at Fabrikam and is working on a project for Contoso. Contoso provided the person a device and a Contoso identity, such as [email protected]. To access Contoso's Global Secure Access using the Contoso device, the person can use either [email protected] or [email protected]. However, the person can't use the Fabrikam device that is joined to the Fabrikam tenant to access Contoso's Global Secure Access.

What is the difference between Security Service Edge (SSE) and Endpoint Detection and Response (EDR) platforms?

Secure Web Gateway capabilities as part of Microsoft Entra Internet Access and other Security Service Edge (SSE) platforms deliver advanced network security value from the cloud edge for all users connecting to any application. Microsoft's SSE Solution specifically leverages deep integration with Microsoft Entra ID to bring identity and context awareness to granular network security policies. Additionally, SSE platforms provide richer controls and deeper visibility via Transport Layer Security (TLS) Inspection, allowing these platforms to inspect and enforce security policy on the packet. Endpoint Detection and Response (EDR) platforms like Microsoft Defender for Endpoint provide device aware security value for managed devices. These policies allow you to target devices or device groups, rather than user-based identity constructs. EDR platforms also provide visibility via advanced hunting capabilities. It is best to use both network and endpoint protection controls in tandem to achieve a defense in depth approach. If an EDR platform is used together with Microsoft Entra Internet Access, the EDR platform’s on-device policies will always be enforced before reaching the cloud edge, where Microsoft Entra Internet Access policies are enforced.

Does Global Secure Access support IPv6?

At this time, IPv4 is preferred over IPv6. If you encounter issues, disable IPv6. For more information, see IPv4 preferred.

Can I manage Global Secure Access with Microsoft Graph APIs?

Yes, there's a set of Microsoft Graph APIs available to manage aspects of Microsoft Entra Internet Access and Microsoft Entra Private Access. For more information about these APIs, see the article Secure access to cloud, public, and private apps using Microsoft Graph network access APIs.

Private Access

I can't access an internal resource using the hostname or Fully Qualified Domain Name (FQDN) when IP is configured in Quick Access.

Private Domain Name System (DNS) is currently not supported. Specify the Hostname or FQDN being used to access the internal resource in the Quick Access configuration along with the respective port.

Remote networks

I configure my customer premises equipment (CPE) and Global Secure Access, but the two aren't connecting. I specify the Local and Peer Border Gateway Protocol (BGP) IP addresses, but the connection isn't working.

Make sure you reverse the BGP IP addresses between the CPE and Global Secure Access. For example, if you specified the Local BGP IP address as 1.1.1.1 and the Peer BGP IP address as 0.0.0.0 for the CPE, then swap the values in Global Secure Access. So the Local BGP IP address in Global Secure Access is 0.0.0.0 and the Peer GBP IP address is 1.1.1.1.

Internet Access

What is the difference between Microsoft Entra Internet Access web categories and Microsoft Defender for Endpoint web categories?

Microsoft Entra Internet Access and Microsoft Defender for Endpoint both leverage similar categorization engines, with a few distinct differences. The Microsoft Entra Internet Access engine aims to provide a valid categorization of every endpoint on the internet, while Microsoft Defender for Endpoint supports a smaller list of site categories, focused on categories of sites that could introduce liability for the organization that operates the endpoint. This means that many sites are not categorized, and an organization wishing to allow or deny access must manually create a Network Indicator for the site.