This document provides troubleshooting guidance for the Global Secure Access client. It explores how to resolve the Global Secure Access client - disabled by your organization error message.
Icon | Message | Description |
---|---|---|
![]() | Global Secure Access - disabled by your organization | Your organization disabled the client (that is, all traffic forwarding profiles are disabled). |
The Global Secure Access client - disabled by your organization error message appears when the Global Secure Access client is deliberately deactivated by your organization's administrator.
The warning message also appears when the client receives an empty policy (that is, no traffic forwarding profiles from Microsoft, Private Access, or Internet Access). The empty policy happens in the following cases:
1. All traffic forwarding profiles are disabled in the portal.
2. Some traffic forwarding profiles are enabled, but the user isn't assigned to any of them (in the User and group assignments section of each profile).
3. The user didn't sign in to Windows with a Microsoft Entra user.
4. Authentication to get the policy requires user interaction (such as if multifactor authentication (MFA) or terms of use (ToU) are enabled).
In cases 3 and 4, only traffic profiles that are assigned to the entire tenant (Assign to all users in the user and group assignment section is set to Yes) take effect. Traffic profiles assigned to specific users and groups aren't applied since the user identity isn't used to get the policy. In these cases, only the device identity is available to the policy service.
To view the Global Secure Access traffic profile configuration:
- Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
- Navigate to Global Secure Access > Connect > Traffic forwarding.
Troubleshooting steps
View the available traffic forwarding profiles. At least one traffic forwarding profile must be enabled. Verify that the user is assigned to the enabled traffic forwarding profile. Users in your organization who sign in to Windows with a non-Microsoft Entra ID, such as a local user or an Active Directory Domain Services (AD DS) user not synced to Microsoft Entra, receive only the traffic forwarding profiles assigned to all users in the tenant.
Ensure that both the device and the user are successfully authenticated to Microsoft Entra and receive a valid token.
- Check that the device is joined to Microsoft Entra and signed in to Windows with a Microsoft Entra user.
- Run the command `dsregcmd /status` and check the AzureAdPrt field.
Check if a Conditional Access policy is blocking the user. Network blocks can arise from Conditional Access settings, an unmanaged or noncompliant device, or unfulfilled MFA or ToU policies. To confirm that the Global Secure Access Client authenticated successfully to the policy service, check the list of non-interactive user sign-ins.
Note
To get the policy, the Global Secure Access client uses a non-interactive, silent authentication.
- If you assign the traffic forwarding profile to specific users and groups, ensure that users signed in to Windows are either assigned to the profile or are a direct member of an assigned group.
Note
Traffic profiles are fetched on behalf of the Microsoft Entra user logged into Windows, not the user logged into the client. Multiple users logging into the same device simultaneously isn't supported. Nested group memberships aren't supported. Each user must be a direct member of the group assigned to the profile.
- Ensure the Global Secure Access client can reach the policy service in the cloud by checking that the "Policy service hostname resolved by DNS" and "Policy server is reachable" health check tests pass.
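
The `dsregcmd /status` check from the troubleshooting steps, as an added PowerShell example that is not part of the original page: it parses the command's key/value output and reports the device join and PRT state. The function names and the sample output are constructed for illustration; `AzureAdJoined` and the `YES`/`NO` values are the fields as `dsregcmd` prints them.

```powershell
# Added example (not from the original page). Function names are hypothetical.
function Get-DsregState {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value"; match the first colon only,
        # because timestamps and URLs in values contain colons themselves.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Test-GsaIdentityPrereq {
    param([string[]]$Lines)
    $s      = Get-DsregState -Lines $Lines
    $joined = $s['AzureAdJoined'] -eq 'YES'
    $prt    = $s['AzureAdPrt'] -eq 'YES'
    if (-not $joined) {
        $finding = 'Device is not joined to Microsoft Entra.'
    } elseif (-not $prt) {
        $finding = 'No PRT for the signed-in user: only profiles assigned to all users can apply.'
    } else {
        $finding = 'Join and PRT look fine: check profile assignment and non-interactive sign-ins.'
    }
    [pscustomobject]@{ AzureAdJoined = $joined; AzureAdPrt = $prt; Finding = $finding }
}

# Constructed sample output, used when dsregcmd is not available (for example, off Windows).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd.exe /status } else { $sample }
Test-GsaIdentityPrereq -Lines $lines
```

Run it in the affected user's Windows session, because the PRT state is reported for the user who is signed in to Windows.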