Intelligent Local Access in Microsoft Entra Global Secure Access
Intelligent Local Access (ILA) addresses a core limitation of Microsoft Entra Global Secure Access: local network traffic is not handled locally. By default, Microsoft Entra Global Secure Access forwards traffic through the cloud-based Security Service Edge (SSE) according to the configured traffic forwarding profiles, even when the destination resides within the local network. This approach guarantees that security policies and access controls are enforced consistently at all times. As a result, traffic to local resources such as file shares or applications is routed through the cloud-based SSE even though a direct local connection is available. The extended network path introduces additional latency and negatively impacts overall access performance.
Intelligent Local Access (ILA) changes this behavior by dynamically determining the network path. The Global Secure Access Client detects whether the destination is located within the local network and, in that case, forwards the traffic directly without routing it through the cloud-based Security Service Edge (SSE). The Global Secure Access Client remains active, allowing Microsoft Entra ID to continue evaluating identity, device status and policies. If the destination is outside the local network, access continues to be handled via Microsoft Entra Global Secure Access in accordance with the defined traffic forwarding profiles.
This article demonstrates the implementation of Intelligent Local Access in Microsoft Entra Global Secure Access. The configuration of Private Networks is illustrated using an example that provides access to a Remote Desktop Session Host (RDSH). At the time this article was written, Private Networks were available as a public preview. The approach shown can be applied to additional local resources.
Prerequisites and Licensing
Private Access Profile
Intelligent Local Access is used in scenarios where Microsoft Entra Private Access is deployed. Accordingly, a configured Private Access traffic forwarding profile in Microsoft Entra Global Secure Access is required to define resources via Private Networks. A complete guide to setting up Microsoft Entra Private Access can be found here:
Microsoft Entra Private Access: Secure Access to Internal Resources and Cloud Services without VPN – cloudcoffee.ch
Licensing
No additional license is required for Intelligent Local Access (ILA). The feature is part of Microsoft Entra Global Secure Access and is used in conjunction with Microsoft Entra Private Access.
Roles
To configure Intelligent Local Access (ILA), the following role is appropriate according to the principle of least privilege:
| Role | Permission |
| --- | --- |
| Global Secure Access Administrator | Configure and manage Global Secure Access |
Enable Intelligent Local Access
Before Intelligent Local Access (ILA) can be used, Microsoft Entra Global Secure Access must determine whether the access destination is located within the local network. This detection is based on DNS name resolution and the resulting IP address. If a DNS server defined for the Private Network resolves the destination address and the IP address falls within the configured IP address definition, Microsoft Entra Global Secure Access identifies the destination as local. In this case, the service forwards the traffic directly to the destination and bypasses the cloud-based Security Service Edge (SSE), while the Global Secure Access Client remains active and Microsoft Entra ID continues to enforce identity and policy evaluation.
Intelligent Local Access (ILA) requires the configuration of Private Networks in the Microsoft Entra admin center.
Microsoft Entra admin center (https://entra.microsoft.com) > Global Secure Access > Connect > Private Networks > Add Private network

Configure the Private Network as follows:
- Display name of the network, for example: int.cloudcoffee.ch
- DNS servers used for name resolution, for example: 192.168.125.21
- Fully qualified domain name (FQDN) to be resolved, for example: cclvsrts001.int.cloudcoffee.ch
- IP address type to be evaluated: either IP address or IP address range (CIDR or IP-to-IP)
- Expected value from the IP address resolution, for example: 192.168.125.23
- Enterprise applications that are accessible via this Private Network, for example: CCLVSRTS001-RDP
Complete the Private Network configuration by selecting Create (7).

The Private Network is now available.

Microsoft Entra Global Secure Access is now able to identify local resources and route traffic directly to the destination, bypassing the cloud-based Security Service Edge (SSE).
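The detection rule and the Private Network fields described above can be modeled offline to sanity-check planned values before entering them in the portal. This is an added example, not code from the article or Microsoft's implementation. The names `PrivateNetwork`, `ip_matches` and `classify`, the `start-end` notation for IP-to-IP ranges, and the rule that every returned address must match are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class PrivateNetwork:
    """Hypothetical container mirroring the Private Network form fields."""
    display_name: str
    dns_servers: tuple   # DNS servers used for name resolution
    fqdn: str            # FQDN to be resolved
    expected: str        # single IP, CIDR, or IP-to-IP range "start-end"

def ip_matches(ip: str, expected: str) -> bool:
    """Check one resolved address against the three supported definitions."""
    addr = ipaddress.ip_address(ip)
    if "-" in expected:  # IP-to-IP range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in expected.split("-", 1))
        return addr.version == lo.version == hi.version and lo <= addr <= hi
    if "/" in expected:  # CIDR
        return addr in ipaddress.ip_network(expected, strict=False)
    return addr == ipaddress.ip_address(expected)  # single IP address

def classify(net: PrivateNetwork, fqdn: str, answered_by: str, resolved: list) -> str:
    """Return 'Local' or 'Tunnel' (the Action values shown in the client log)."""
    if fqdn.rstrip(".").lower() != net.fqdn.lower():
        return "Tunnel"          # not the FQDN defined for this Private Network
    if answered_by not in net.dns_servers:
        return "Tunnel"          # answer did not come from a configured DNS server
    # Assumption: every returned address must match; an empty answer never does.
    if resolved and all(ip_matches(ip, net.expected) for ip in resolved):
        return "Local"
    return "Tunnel"

# Values taken from the article's example configuration.
EXAMPLE = PrivateNetwork("int.cloudcoffee.ch", ("192.168.125.21",),
                         "cclvsrts001.int.cloudcoffee.ch", "192.168.125.23")

if __name__ == "__main__":
    # Constructed DNS answers: (answering server, resolved addresses)
    for server, ips in [("192.168.125.21", ["192.168.125.23"]),
                        ("192.168.125.21", ["203.0.113.10"]),
                        ("198.51.100.53", ["192.168.125.23"])]:
        print(server, ips, "->", classify(EXAMPLE, EXAMPLE.fqdn, server, ips))
```

The second and third constructed answers show why the definition should be as narrow as possible: a wide CIDR or a loosely chosen DNS server enlarges the set of networks on which traffic bypasses the SSE.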
Verify Data Flow on the Client
The data flow can be traced using the advanced diagnostics in the Global Secure Access Client. In this example, the traffic for a Remote Desktop connection to the server cclvsrts001.int.cloudcoffee.ch is analyzed.
Global Secure Access Client > Troubleshooting > Collect advanced logs

On the Traffic (1) tab, configure the filter (2) as follows:
- Destination FQDN == cclvsrts001.int.cloudcoffee.ch
- Destination Port == 3389
Start capturing the traffic by selecting Start collecting (3).

When the connection is established, the data traffic is shown to flow directly to the server.
- Channel = Private Access
- Connection status = Bypassed
- Action = Local

If the same connection is not handled via Intelligent Local Access, it appears as follows in the traffic capture.
- Channel = Private Access
- Connection status = Active
- Action = Tunnel

Conclusion
Intelligent Local Access (ILA) extends Microsoft Entra Global Secure Access with a targeted optimization for local access scenarios. Local resources remain accessible locally without compromising the consistent enforcement of identity, device status and policies by Microsoft Entra ID. Unnecessary routing through the Security Service Edge is avoided, latency is reduced and the overall user experience is improved.