Strengthening secure access to Microsoft 365: Microsoft Entra Global Secure Access provides encrypted access to Microsoft 365 services such as Exchange Online and SharePoint Online through the Microsoft traffic profile. All data traffic is routed through protected network paths, ensuring reliable protection against unauthorized access.
By combining access policies with network-based security mechanisms, Global Secure Access effectively mitigates attack vectors such as token theft and replay attacks. At the same time, this architecture supports compliance with regulatory requirements and organization-specific security standards.
In this article, you will learn how to configure the Microsoft traffic profile to enforce exclusive access to Microsoft 365 services through Global Secure Access.
Prerequisites and Licensing
Licensing
The Microsoft traffic profile in Microsoft Entra Global Secure Access requires the following license:
- Microsoft Entra ID P1 or higher
An overview of Microsoft licensing plans and their associated features is available at https://m365maps.com/.
Devices
The following requirements apply to devices:
- Operating System: Windows 10, Windows 11 or Android
- iOS and macOS: Available in preview
- Windows devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Microsoft Entra registered devices are not supported.
Roles Based on the Principle of Least Privilege
Microsoft Entra Global Secure Access can be configured and managed using the following Microsoft Entra roles.
| Role | Permission |
| --- | --- |
| Global Secure Access Administrator | Configure and manage Microsoft Entra Global Secure Access |
| Conditional Access Administrator | Configure and manage Microsoft Entra Conditional Access |
| Application Administrator | Add or remove users from traffic profiles (in combination with the Global Secure Access Administrator role) |
Microsoft Entra Global Secure Access: Configuring Traffic Forwarding
Enabling Microsoft Traffic Profile
Microsoft Entra Global Secure Access is enabled in the Microsoft Entra admin center (https://entra.microsoft.com).
Enable the Microsoft traffic profile under Global Secure Access > Connect > Traffic forwarding.

Enable or disable Microsoft traffic policies.
By default, traffic from the following applications is included:
- Exchange Online
- Skype for Business and Microsoft Teams
- SharePoint Online and OneDrive for Business
- Microsoft 365 Common and Office Online

If needed, traffic for each application can be managed granularly. To do so, expand the desired application:

Assign Users and groups.
You can assign either all users (1) or individual users and groups (2).
This action requires both the Global Secure Access Administrator and Application Administrator roles.

The Microsoft traffic profile is now configured.

Enable Adaptive Access
With Adaptive Access enabled, Conditional Access Signaling (CA Signaling) from Global Secure Access traffic can be processed in Microsoft Entra Conditional Access.
Navigate to Global Secure Access > Settings > Session management > Adaptive Access and turn on the option Enable CA Signaling for Entra ID (covering all cloud apps).

Configuring Microsoft Entra Conditional Access for Microsoft 365 with Entra Global Secure Access
Conditional Access in Microsoft Entra ensures that access to Microsoft 365 services such as Exchange Online, SharePoint Online and Microsoft Teams is only possible through Global Secure Access.
Navigate to Microsoft Entra admin center (https://entra.microsoft.com) > Protection > Conditional Access > Create new policy

Assign a Name to the Microsoft Entra Conditional Access policy.
Naming conventions are outlined in the following documentation: Plan a Microsoft Entra Conditional Access deployment – Microsoft Entra ID | Microsoft Learn

Select the Users to whom this policy will apply.
Be sure to exclude emergency access accounts.

Select all Target resources that are routed through Global Secure Access as defined in the Microsoft 365 traffic profile, such as Exchange Online or SharePoint Online.

Select Network and include Any network or location.

Also under Network, exclude All Compliant Network Locations.
Traffic routed through the Global Secure Access network is considered compliant.

If only specific device platforms, such as Windows or Android, should be included in the policy, this can be configured under Conditions > Device platforms.

Under Grant, select the option Block access.

Enable the policy by setting it to On, then select Create to save it.

The policy takes effect immediately and restricts access to the selected resources exclusively through Global Secure Access.
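The finished policy can also be checked from an export instead of the portal. The following added example (not part of the original post) audits a policy in Microsoft Graph conditionalAccessPolicy JSON form against the settings above; the location ID, the account ID and the sample policy are constructed placeholders, and the Office365 target is a sample choice.

```python
import copy

# Constructed placeholders, not values from a real tenant.
COMPLIANT_NETWORK_ID = "<compliant-network-location-id>"
BREAK_GLASS_IDS = {"<emergency-account-object-id>"}

def audit_policy(policy, compliant_network_id, break_glass_ids):
    """Return findings; an empty list means the policy matches the steps."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    locations = cond.get("locations") or {}
    excluded_locations = set(locations.get("excludeLocations") or [])

    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}: not enforced")
    # Assumes emergency accounts are excluded as users, not through a group.
    missing = set(break_glass_ids) - set(users.get("excludeUsers") or [])
    if missing:
        findings.append(f"emergency accounts not excluded: {sorted(missing)}")
    if not (cond.get("applications") or {}).get("includeApplications"):
        findings.append("no target resources selected")
    if "All" not in (locations.get("includeLocations") or []):
        findings.append("network condition does not include any location")
    if compliant_network_id not in excluded_locations:
        findings.append("compliant network locations are not excluded")
    extra = excluded_locations - {compliant_network_id}
    if extra:
        findings.append(f"other locations exempt from the block: {sorted(extra)}")
    if (policy.get("grantControls") or {}).get("builtInControls") != ["block"]:
        findings.append("grant control is not Block access")
    return findings

# Constructed sample in the shape of a Graph conditionalAccessPolicy export.
GOOD = {
    "displayName": "Sample: block Microsoft 365 outside GSA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS_IDS)},
        "applications": {"includeApplications": ["Office365"]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": [COMPLIANT_NETWORK_ID]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
# Misconfigured variant: report-only, and both exclusions missing.
BAD = copy.deepcopy(GOOD)
BAD["state"] = "enabledForReportingButNotEnforced"
BAD["conditions"]["users"]["excludeUsers"] = []
BAD["conditions"]["locations"]["excludeLocations"] = []
```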

Deploying the Global Secure Access Client for Microsoft 365
The Global Secure Access Client, required for using the Microsoft traffic profile, is available for various operating systems. Deployment of the client software on Windows is described in the post Microsoft Entra Private Access: Onboard Client Software.
Once the Global Secure Access Client is successfully installed, the Microsoft traffic profile is connected.

Functionality Check
If access, such as to https://outlook.com, is attempted from a device that is not connected through Global Secure Access, the authentication process is interrupted with Error Code 53003 and the following message is displayed:
You cannot access this right now
Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin.
A comprehensive overview of AADSTS error codes and their descriptions is available here: Microsoft Entra authentication & authorization error codes – Microsoft identity platform | Microsoft Learn

If access is made through the Global Secure Access network, https://outlook.com loads as expected.
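Error 53003 is returned for any Conditional Access block, so the sign-in log should confirm that this particular policy caused it. Added example (not part of the original post): it filters constructed records shaped like Microsoft Graph signIn objects; the policy names, users and IP addresses are made up.

```python
from collections import Counter

POLICY_NAME = "Sample: block Microsoft 365 outside GSA"  # hypothetical name

def ca(result, name=POLICY_NAME):
    """Build one appliedConditionalAccessPolicies entry for the samples."""
    return {"displayName": name, "result": result}

def rec(upn, ip, code, policies):
    """Build one constructed sign-in record with the fields used below."""
    return {"userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code},
            "appliedConditionalAccessPolicies": policies}

# Constructed sample data, not taken from a real tenant.
SIGN_INS = [
    # Two attempts from a device without the Global Secure Access client.
    rec("alice@contoso.example", "203.0.113.10", 53003, [ca("failure")]),
    rec("alice@contoso.example", "203.0.113.10", 53003, [ca("failure")]),
    # Also 53003, but a different policy produced the block.
    rec("bob@contoso.example", "198.51.100.7", 53003,
        [ca("notApplied"), ca("failure", "Other sample policy")]),
    # Compliant network: the location exclusion keeps the policy from applying.
    rec("carol@contoso.example", "192.0.2.44", 0, [ca("notApplied")]),
]

def blocked_by_policy(sign_ins, policy_name):
    """Sign-ins that failed with 53003 because the named policy blocked them."""
    hits = []
    for s in sign_ins:
        if (s.get("status") or {}).get("errorCode") != 53003:
            continue
        for p in s.get("appliedConditionalAccessPolicies") or []:
            if p.get("displayName") == policy_name and p.get("result") == "failure":
                hits.append(s)
                break
    return hits

def summarize(hits):
    """Count blocked attempts per (user, source IP) pair."""
    return Counter((s["userPrincipalName"], s["ipAddress"]) for s in hits)

if __name__ == "__main__":
    for (upn, ip), n in summarize(blocked_by_policy(SIGN_INS, POLICY_NAME)).items():
        print(f"{upn} from {ip}: {n} blocked sign-in(s)")
```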

Troubleshooting
Log and diagnostic capabilities for Global Secure Access are described in more detail in the post Microsoft Entra Internet Access – Troubleshooting