Configure customer premises equipment for Global Secure Access (preview)

IPSec tunnel is a bidirectional communication. One side of the communication is established when adding a device link to a remote network in Global Secure Access (preview). During that process, you enter your public IP address and BGP addresses in the Microsoft Entra admin center to tell us about your network configurations.

This article provides the steps to set up the other side of the communication channel.


To configure your customer premises equipment (CPE), you must have:

  • A Global Secure Access Administrator role in Microsoft Entra ID.
  • The preview requires a Microsoft Entra ID P1 license. If needed, you can purchase licenses or get trial licenses.
  • To configure your CPE, you must have completed the Global Secure Access onboarding process.

How to configure your customer premises equipment

You can set up the CPE using the Microsoft Entra admin center or using the Microsoft Graph API. When you create a remote network and add your device link information, configuration details are generated. These details are needed to configure your CPE.

  1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.

  2. Browse to Global Secure Access > Devices > Remote network.

  3. Select View configuration for the remote network you need to configure.

    Screenshot of the configuration details with the Microsoft information highlighted.

  4. Locate and save Microsoft's public IP address endpoint from the panel that opens.

    Screenshot of the view configuration details panel.

  5. In the preferred interface for your CPE, enter the IP address you saved in the previous step. This step completes the IPSec tunnel configuration.

The following diagram highlights each of the major sections of the device configuration details. Text descriptions of each section follow the diagram.

Diagram of the configuration details with each section highlighted.

  • The branchId and branchName represent the remote network details.
  • The displayName is the device link name.
  • The endpoint, asn, bdpAddress, and region represent the Microsoft connectivity details. Enter these details on your CPE.
  • For zone redundant device links, a second set of details are generated.
  • PeerConfiguration and the subsequent details represent the CPE connectivity details.
  • If you've configured more devices, their details follow.


The crypto profile you specified for the device link should match with what you specify on your CPE. If you chose the "default" IKE policy when configuring the device link, use the configurations described in the Remote network configurations article.

Terms of Use

Your use of the Microsoft Entra Private Access and Microsoft Entra Internet Access preview experiences and features is governed by the preview online service terms and conditions of the agreement(s) under which you obtained the services. Previews may be subject to reduced or different security, compliance, and privacy commitments, as further explained in the Universal License Terms for Online Services and the Microsoft Products and Services Data Protection Addendum (“DPA”), and any other notices provided with the Preview.

Next steps