Global Secure Access + Conditional Access Require GSA = Android Blocked

Question

Global Secure Access + Conditional Access Require GSA = Android Blocked

Jordan Musson 0

In my tenant I am using Global Secure Access Version 2.26.108 with Microsoft Traffic profile for a limited number of users for testing. Conditional Access Signalling for Microsoft Entra ID is enabled. The moment I apply a Conditional Access policy which blocks access to all recourses on all device platforms excluding All Compliant Network Locations, Microsoft Intune, Microsoft Intune Enrollment, MicrosoftDefenderATP XPlat and Microsoft Defender for Mobile TVM apps. My Android device is then blocked from accessing Microsoft resources. The Android device is compliant, and I am using the work profile apps. Sign in logs show it is the CA policy blocking sign in requests. Windows and iOS devices work perfectly fine.

User's image

Rukmini 40,485 Reputation points Microsoft External Staff Moderator

2026-04-16T06:03:24.4966667+00:00
Hey Jordan, it looks like the reason your Android device is being blocked is because its sign-in traffic isn’t actually coming through your Global Secure Access (GSA) tunnel, so it never shows up as a “Compliant Network location” and your CA policy still applies and blocks it. Windows (with the GSA client) and iOS (with the per-app VPN tunnel) both forward traffic into the GSA network, so those devices automatically get the CA exclusion you’ve set. On Android, however, you need to explicitly configure a per-app VPN (or managed app tunnel) in Intune and enable GSA in your managed apps so that the app traffic is routed through your Microsoft traffic profile.

Here’s how you can unblock your Android devices:

Create & assign an Android Enterprise per-app VPN profile • In Intune, go to Devices > Configuration profiles > Create profile. • Platform = Android Enterprise, Profile = VPN (per-app tunnel). • Point the tunnel at your Microsoft traffic forwarding profile (the one you’ve already enabled). • Assign that VPN profile to your work-profile apps (Defender for Endpoint, Intune, etc.).

Configure Managed App Configuration for Defender for Endpoint Under the app’s Properties in Intune, add or update these keys: • GlobalSecureAccessPrivateChannel = 1 (integer)
(This ensures Defender uses the private channel over GSA.)
• GlobalSecureAccess = 3 (integer)
(If you want both internet + private channels; 2 alone only does private.)
• LowTouchOnboarding = 1 (optional, for smoother onboarding) • EnableNetworkProtectionInMicrosoftDefender = 1

Validate the tunnel on Android • Launch Defender (or whichever managed app) in the work profile. • Verify you see the Intune per-app VPN status (connected) in Android Settings > VPN. • On the Intune portal, check in Global Secure Access > Advanced diagnostics > Traffic that the FQDNs are being “Tunnel”-led.

Once traffic is flowing through your Microsoft Traffic Profile, sign-ins from Android will be recognized as coming from your compliant GSA network and your “Exclude: All Compliant Network locations” setting will kick in, so those devices won’t get blocked by the policy anymore.

Let me know if you’re not seeing the per-app VPN connect on Android, or if you need help tweaking the managed app config!

Reference docs

Configure Conditional Access on GSA traffic profiles: https://learn.microsoft.com/azure/global-secure-access/how-to-target-resource-microsoft-365-profile#create-a-conditional-access-policy-targeting-the-microsoft-365-traffic-profile

Enable GSA signaling in Conditional Access: https://learn.microsoft.com/entra/global-secure-access/how-to-source-ip-restoration?tabs=configuration#enable-conditional-access-signaling

Protect resources behind a compliant network: https://learn.microsoft.com/entra/global-secure-access/how-to-compliant-network

Troubleshoot the GSA client (for Windows, same principles apply to per-app VPN on mobile): https://learn.microsoft.com/entra/global-secure-access/troubleshoot-global-secure-access-client-diagnostics-health-check

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.
Rukmini 40,485 Reputation points Microsoft External Staff Moderator

2026-04-17T01:47:22.8066667+00:00

Jordan Musson Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Jordan Musson 0 Reputation points

2026-04-17T07:03:10.22+00:00

Hi Rukmini,

Thank you for you're detailed write up. Apologies for the delayed response, I am currently in between projects at the moment. Before I give this a go, we are only using the Microsoft traffic profile as we do not have the licensing for Private access or Internet access. Would these be required for your suggestions to work?

1 answer

Your answer

Rukmini 40,485 Reputation points Microsoft External Staff Moderator

2026-04-17T01:47:22.8066667+00:00

Jordan Musson Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Jordan Musson 0 Reputation points

2026-04-17T07:03:10.22+00:00

Hi Rukmini,

Thank you for you're detailed write up. Apologies for the delayed response, I am currently in between projects at the moment. Before I give this a go, we are only using the Microsoft traffic profile as we do not have the licensing for Private access or Internet access. Would these be required for your suggestions to work?

Answer 1

Rukmini 40,485 Microsoft External Staff Moderator

Jordan Musson This behavior is expected.

Android traffic is not routed through GSA while using merely the Global Secure Access Microsoft traffic profile, hence Microsoft Entra ID Conditional Access does not identify it as a "Compliant Network location." Therefore, even if the device is compatible, your CA policy prohibits Android sign-ins.

Hence to resolve the issue,

Use “Require compliant device” instead of “Compliant network”, or
Exclude Android from the CA policy, or
Enable GSA Internet Access / Private Access (required for Android tunneling support)

Let me know if any further queries - feel free to reach out!

If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.

Jordan Musson 0 Reputation points

2026-04-17T07:27:57.5733333+00:00

Ah thank you. I will exclude android from the CA policy. You just saved me a lot of unnecessary trial and error as I was trying to get GSA to work on Android without upgrading our licence.
Rukmini 40,485 Reputation points Microsoft External Staff Moderator

2026-04-17T07:29:21.3833333+00:00

Jordan Musson If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

Global Secure Access + Conditional Access Require GSA = Android Blocked

1 answer

Your answer