Global Secure Access Frequently asked questions

Frequently asked questions related to Microsoft Entra Internet Access and Microsoft Entra Private Access, which are part of Global Secure Access.

Common platform questions

I received an error when trying to access a tenant I have access to.

If you have enabled universal tenant restrictions and you're accessing the Microsoft Entra admin center for one of the allow listed tenants, you may see an "Access denied" error. Add the following feature flag to the Microsoft Entra admin center:

  • ?feature.msaljs=true&exp.msaljsexp=true
  • For example, you work for Contoso and you have allow listed Fabrikam as a partner tenant. You may see the error message for the Fabrikam tenant's Microsoft Entra admin center.
  • If you received the "access denied" error message for this URL: https://entra.microsoft.com/ then add the feature flag as follows: https://entra.microsoft.com/?feature.msaljs%253Dtrue%2526exp.msaljsexp%253Dtrue#home

Does Global Secure Access allow B2B logins?

At this time, B2B logins are only supported when the user is accessing the service from a device that is Microsoft Entra joined to the tenant that matches their sign-in credentials. For example, Bob works at Fabrikam and is working on a project for Contoso. Contoso provided Bob a device and a Contoso identity, such as v-Bob@contoso.com. To access Contoso's Global Secure Access using the Contoso device, Bob can use either Bob@Fabrikam.com or v-Bob@Contoso.com. However, Bob can't use the Fabrikam device that is joined to the Fabrikam tenant to access Contoso's Global Secure Access.

Does Global Secure Access support IPv6?

At this time, IPv4 is preferred over IPv6. If you encounter issues, disable IPv6. For more information, see the Disable IPv6 section of the Install Windows client article.

Can I manage Global Secure Access with Microsoft Graph APIs?

Yes, there's a set of Microsoft Graph APIs available to manage aspects of Microsoft Entra Internet Access and Microsoft Entra Private Access. For more information about these APIs, see the article Secure access to cloud, public, and private apps using Microsoft Graph network access APIs.

Does Global Secure Access support TCP and UDP?

At this time, only TCP is supported. UDP support is under development.

Private Access

I can't access an internal resource using the hostname or FQDN when IP is configured in Quick Access.

Private DNS is currently not supported. Specify the Hostname or FQDN being used to access the internal resource in the Quick Access configuration along with the respective port.

Remote networks

I've configured my customer premises equipment (CPE) and Global Secure Access, but the two aren't connecting. I've specified the Local and Peer BGP IP addresses, but the connection isn't working.

Make sure you've reversed the BGP IP addresses between the CPE and Global Secure Access. For example, if you specified the Local BGP IP address as 1.1.1.1 and the Peer BGP IP address as 0.0.0.0 for the CPE, then you'd swap those in Global Secure Access. So the Local BGP IP address in Global Secure Access is 0.0.0.0 and the Peer GBP IP address is 1.1.1.1.