Global Secure Access: apply only to the Windows platform and exclude every other platform

Sergio Londono 886 Reputation points
2024-11-08T19:27:31.0166667+00:00

Hello team,

We are implementing Global Secure Access in our company.

We know GSA is available on Windows with a client and on Android using Defender for Endpoint.
For iOS and Mac, it is in Preview.

  • Objective:
    We would like to deploy Global Secure Access to Windows only, meaning that all Windows devices must connect through Global Secure Access.
    If Windows devices try to access the cloud resources directly over the internet, they should be blocked.
  • If the connection comes from Android, iOS or Mac over the internet, it should be allowed.

I have been trying to do it with a Conditional Access policy by adding:

  • Locations: "All compliant networks"
  • Platform: Include "Any platform" and exclude Windows.


The issue with this Conditional Access policy is that Windows can connect either from the internet or through the GSA agent.
If the GSA agent is disabled, the user can still access SharePoint, because the exclusion in the platform condition allows it.

So, the objective is to force Windows to use GSA.

Do you have any idea how to configure the conditional access policy to achieve it?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Raja Pothuraju 23,715 Reputation points Microsoft External Staff Moderator
    2024-11-13T19:18:22.02+00:00

    Hello @Sergio Londono,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that your main objective is to block access to cloud resources for users accessing them from any public internet/IP address, except through GSA Internet Access. This should target only the Windows device platform.

    From the screenshot you provided, it appears that you have configured conditions for the device platform and locations. In the device platform section, I noticed that you have enabled the setting to include any device platform but have excluded Windows. To properly target Windows devices with your policy, you should configure it to include only Windows devices instead of including all devices and excluding Windows.

    This is the main reason why the Conditional Access (CA) policy is not applying to user sign-ins when they access the resources from outside the GSA network.

    To resolve this issue, I recommend modifying your policy to include only Windows devices in the device platform section and then testing the policy.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
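The following Microsoft Graph PowerShell script is an added example illustrating the answer above; it is not part of the original question or answer, and Microsoft has not published it. It builds the policy the question describes (include "Any platform", exclude Windows), which is the configuration that lets a Windows device bypass GSA, next to the corrected policy that includes only the Windows platform, blocks access from all locations and excludes the compliant network location. The break-glass group ID is a placeholder, and the way the compliant network named location is discovered (by filtering named locations on their `@odata.type`) is an assumption that should be checked against the tenant before use.

```powershell
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumption: the compliant network appears among the tenant's named locations
# as a compliantNetworkNamedLocation; its Id is what the CA policy references.
$compliantNetwork = Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.compliantNetworkNamedLocation' } |
    Select-Object -First 1
if (-not $compliantNetwork) { throw "Compliant network named location not found; enable GSA signaling first." }

# Placeholder: object ID of the emergency-access (break-glass) group to exclude.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

# Shared parts of both policies: all users (except break-glass), all cloud apps,
# block access from every location except the GSA compliant network.
function New-GsaPolicyBody {
    param([string]$Name, [string[]]$IncludePlatforms, [string[]]$ExcludePlatforms)
    @{
        displayName  = $Name
        # Report-only first, so the sign-in logs show what would be blocked before enforcing.
        state        = "enabledForReportingButNotEnforced"
        conditions   = @{
            users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
            applications = @{ includeApplications = @("All") }
            platforms    = @{ includePlatforms = $IncludePlatforms; excludePlatforms = $ExcludePlatforms }
            locations    = @{ includeLocations = @("All"); excludeLocations = @($compliantNetwork.Id) }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
}

# WEAK (the configuration from the question): "Any platform" with Windows excluded.
# Windows sign-ins never match the platform condition, so a Windows device with the
# GSA client disabled reaches SharePoint directly over the internet.
$weakPolicy = New-GsaPolicyBody -Name "GSA - block non-compliant network (weak)" `
    -IncludePlatforms @("all") -ExcludePlatforms @("windows")

# CORRECTED (the answer's recommendation): include only the Windows platform.
# Windows traffic outside the compliant network is blocked; Android, iOS and macOS
# are not in scope of this policy and keep working from the internet.
$correctedPolicy = New-GsaPolicyBody -Name "GSA - require compliant network on Windows" `
    -IncludePlatforms @("windows") -ExcludePlatforms @()

# Create only the corrected policy; $weakPolicy is kept for side-by-side comparison.
New-MgIdentityConditionalAccessPolicy -BodyParameter $correctedPolicy

# Verify the platform condition before switching the state to "enabled".
(Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'GSA - require compliant network on Windows'").Conditions.Platforms
```

Leaving the policy in report-only mode for a few days and reviewing the sign-in logs confirms that Windows sign-ins from the public internet are the only ones flagged, and that the macOS, iOS and Android sign-ins the question wants to keep allowed are untouched, before the state is changed to enabled.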

