Issue with Global Secure Access – Licensing and "Breakglass Mode" Error

Vitor Santos
2025-04-15T11:24:13.1566667+00:00

Good morning, Microsoft team,

At the end of last year, I came across the new Global Secure Access feature in Entra ID. I began testing it with only my user account (Global Admin with an active E5 license), and it worked perfectly.

However, when I added a few members of my IT team to begin testing as well — all of whom also have E5 licenses — they received a message from the client on their laptops stating, “Disabled by your organization.” In the Health Check section under Advanced Diagnostics, the error “Breakglass mode is enabled” appeared.

I followed all the troubleshooting steps recommended in the official documentation, but the issue persisted. That’s when I noticed the Entra ID portal was displaying a message stating that my organization does not have the required license.

I turned off the Private Access toggle, and since then, I’m no longer able to re-enable it. I’m stuck at this point, as all users involved have Microsoft 365 E5 licenses with Entra ID P1 and P2 enabled.

Can you help clarify what might be happening or what steps I should take next?

Thank you in advance!

Best regards,

Vitor

Microsoft Entra Private Access

1 answer

  1. Sanoop M (Microsoft External Staff)
    2025-04-16T03:12:16.76+00:00

    Hello @Vitor Santos,

    Based on your issue description, I understand that after you added a few members of your IT team to use Global Secure Access, they are getting an error on their devices stating “Disabled by your organization.” In the Health Check section under Advanced Diagnostics, the error “Breakglass mode is enabled” appeared.

    Break-glass mode disabled

    Break-glass mode prevents the Global Secure Access client from tunneling network traffic to the Global Secure Access cloud service. In Break-glass mode, all traffic profiles in the Global Secure Access portal are unchecked and the Global Secure Access client isn't expected to tunnel any traffic.

    To set the client to acquire traffic and tunnel that traffic to the Global Secure Access service:

    1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
    2. Navigate to Global Secure Access > Connect > Traffic forwarding.
    3. Enable at least one of the traffic profiles that match your organization's needs.

    The Global Secure Access client should receive the updated forwarding profile within one hour after you make changes in the portal.

    Reference document: Troubleshoot the Global Secure Access client: Health check - Global Secure Access

    The "Global Secure Access client - disabled by your organization" error message appears when the Global Secure Access client is deliberately deactivated by your organization's administrator.

    The warning message also appears when the client receives an empty policy (that is, no traffic forwarding profiles from Microsoft, Private Access, or Internet Access). The empty policy happens in the following cases:

    • All traffic forwarding profiles are disabled in the portal.
    • Some traffic forwarding profiles are enabled, but the user isn't assigned to any of them (in the User and group assignments section of each profile).
    • The user didn't sign in to Windows with a Microsoft Entra user.
    • Authentication to get the policy requires user interaction (such as if multifactor authentication (MFA) or terms of use (ToU) are enabled).

    In cases 3 and 4, only traffic profiles that are assigned to the entire tenant (Assign to all users in the user and group assignment section is set to Yes) take effect. Traffic profiles assigned to specific users and groups aren't applied since the user identity isn't used to get the policy. In these cases, only the device identity is available to the policy service.

    To view the Global Secure Access traffic profile configuration:

    1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
    2. Navigate to Global Secure Access > Connect > Traffic forwarding.

    Troubleshooting steps

    1. View the available traffic forwarding profiles. At least one traffic forwarding profile must be enabled. Verify that the user is assigned to the enabled traffic forwarding profile. Users in your organization who sign in to Windows with a non-Microsoft Entra ID, such as local user or Active Directory Domain Services (AD DS) user not synced to Microsoft Entra, receive only the traffic forwarding profiles assigned to all users in the tenant.

    2. Ensure that both the device and the user are successfully authenticated to Microsoft Entra and receive a valid token.

        1. Check that the device is joined to Microsoft Entra and signed in to Windows with a Microsoft Entra user.
        2. Run the command dsregcmd /status and check the AzureAdPrt field. It should show YES.
        3. Check if a conditional access policy is blocking the user. Network blocks can arise from conditional access settings, an unmanaged or noncompliant device, or unfulfilled MFA or ToU policies. To confirm that the Global Secure Access Client authenticated successfully to the policy service, check the list of non-interactive user sign-ins.

    Please refer to the document below for a few more troubleshooting steps to check whether every setting is properly configured.

    Troubleshoot the Global Secure Access Client: Disabled by Your Organization - Global Secure Access

    I hope the information provided above is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
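
Added example (not part of the answer above or of Microsoft's documentation): a PowerShell check for the dsregcmd /status step, reporting whether the device is Microsoft Entra joined and whether the signed-in user holds a primary refresh token. The Get-DsregField helper, the -UseSample switch and the sample output are constructed for illustration.

```powershell
# Added example: parse `dsregcmd /status` and report the fields the answer says to check.
param([switch]$UseSample)

# Constructed sample output (not from a real device), used when -UseSample is given.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

function Get-DsregField {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Field lines look like "   AzureAdPrt : YES"; banner lines start with + or |
        if ($line -match '^\s*(\w+)\s*:\s*(.*\S)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

$lines = if ($UseSample) { $sample } else { dsregcmd /status }
$state = Get-DsregField -Lines $lines

$findings = @()
if ($state['AzureAdJoined'] -ne 'YES') {
    $findings += 'AzureAdJoined is not YES: the device is not joined to Microsoft Entra.'
}
if ($state['AzureAdPrt'] -ne 'YES') {
    # Without a user token, only profiles assigned to all users can take effect.
    $findings += 'AzureAdPrt is not YES: confirm the user signed in to Windows with a Microsoft Entra user.'
}

if ($findings.Count -eq 0) {
    Write-Output 'Device join and AzureAdPrt look healthy; next, review Conditional Access and non-interactive sign-ins.'
} else {
    $findings | ForEach-Object { Write-Output "CHECK: $_" }
}
```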

