![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 87%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECR%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra Private Access
Providing secure, identity-based access to private apps and resources without traditional VPNs
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 78%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
Forwarding Profile Misconfiguration
- The GSA client relies on a valid forwarding profile to route traffic. If the profile is outdated or malformed, tunneling may fail.
- Fix: Delete these registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Global Secure Access Client\ForwardingProfile HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Global Secure Access Client\ForwardingProfileTimestamp
- Then restart the Global Secure Access Policy Retriever Service and the GSA client.
Break-Glass Mode Enabled
- If Break-glass mode is active, the client won’t tunnel traffic.
- Fix: Go to Microsoft Entra Admin Center → Global Secure Access → Connect → Traffic forwarding, and enable at least one traffic profile
Azure AD Group or Conditional Access Misalignment
- Users not assigned to the correct Azure AD group or blocked by Conditional Access policies may fail to tunnel.
- Fix: Ensure affected users are in the correct group and their devices are compliant in Intune. Check Conditional Access policies
Client Version or OS Settings
- Older versions or unsupported configurations (e.g., IPv6, DNS over HTTPS) can cause tunneling failures.
- Fix: Upgrade to the latest GSA client version. Disable IPv6 and Secure DNS as per https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client#disable-ipv6-and-secure-dns
Network Threat Protection Conflicts
- Some endpoint protection tools (e.g., Sophos) may block GSA traffic.
- Fix: Temporarily disable Network Threat Protection or whitelist GSA traffic
Diagnostic Steps
- Run the GSA Health Check from the system tray icon.
- Check Event Viewer logs for disconnection errors.
- Use the Advanced Diagnostics tab to inspect the forwarding profile and tunnel status