
Microsoft Entra Private Access BYOD: Access Internal Resources with Entra Registered Devices

Until now, access to internal resources through Microsoft Entra Private Access was limited to managed devices that were either Microsoft Entra joined or Microsoft Entra hybrid joined. With the introduction of Microsoft Entra Private Access BYOD support, this limitation has been removed. Microsoft Entra registered devices can now access internal resources through Microsoft Entra Private Access, extending secure access to scenarios beyond fully managed devices.

During the initial sign-in through the Global Secure Access Client, the device is registered in the tenant as Microsoft Entra registered and created as a corresponding device object. Microsoft Entra registered devices support Microsoft Entra Private Access, but they are not supported for Microsoft Entra Internet Access.

Microsoft Entra Private Access BYOD is currently available in Public Preview.

Prerequisites and Licensing

Private Access Profile

Access to internal resources using Microsoft Entra Private Access BYOD requires an existing Microsoft Entra Private Access configuration. A detailed step-by-step guide for setting up Microsoft Entra Private Access is available here: Microsoft Entra Private Access: Secure Access to Internal Resources and Cloud Services without VPN – cloudcoffee.ch

Global Secure Access Client

The Global Secure Access client version 2.26.108 or later is required. The installation package is available for download in the Microsoft Entra admin center (https://entra.microsoft.com) under Global Secure Access > Connect > Client download.

Licenses

No additional license is required for Microsoft Entra Private Access BYOD. The capability is included as part of Microsoft Entra Private Access and is covered under the same licensing model.

Roles

The following roles are appropriate for configuring traffic forwarding in accordance with the principle of least privilege:

Role | Permission
Global Secure Access Administrator | Configure and manage Global Secure Access
Application Administrator | Add and remove users from traffic forwarding profiles

Microsoft Entra Private Access BYOD Configuration

Traffic Forwarding Configuration

To access internal resources from a Bring Your Own Device (BYOD), the user must be assigned to the Private access profile.

Microsoft Entra admin center (https://entra.microsoft.com) > Global Secure Access > Connect > Traffic forwarding > Private access profile > User and group assignments

Global Secure Access Client Installation

The device requires Global Secure Access Client version 2.26.108 or later. The installation package is available for download in the Microsoft Entra admin center (https://entra.microsoft.com) under Global Secure Access > Connect > Client download.

Run the downloaded GlobalSecureAccessClient.exe file on the device to start the installation. The installation process is straightforward.

Connect to Microsoft Entra Private Access

When the Global Secure Access Client is started for the first time, a sign-in prompt is displayed.
Select Sign in.

Enter the user credentials.

When prompted with “Sign in to all apps, websites, and services on this device?”, select Yes. This action registers the device in the tenant (1).

After restarting the device, Microsoft Entra Global Secure Access establishes a connected state and the device remains registered.

Connection Status

Global Secure Access Client

In the Global Secure Access Client overview, the connection type Entra registered (1), the active connection to Microsoft Entra Private Access (2) and the currently signed-in organization (3) are displayed.

Device Registration

When signing in with a Bring Your Own Device (BYOD) for the first time, the device is created in the tenant under the user account as Microsoft Entra registered.

Microsoft Entra admin center (https://entra.microsoft.com) > Entra ID > Users > Select user > Devices
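
The same check can be scripted. The following is an added example, not part of the original article: it uses the Microsoft Graph PowerShell SDK to list the devices registered under a user and translate the Graph trustType value into the join type. The UPN is a constructed placeholder, and the requested scopes are an assumption about what the signed-in admin is allowed to consent to.

```powershell
# Added example (not from the original article).
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users module).
# Assumption: constructed placeholder UPN; replace with the BYOD user's UPN.
$UserPrincipalName = 'byod.user@contoso.example'

Connect-MgGraph -Scopes 'User.Read.All', 'Device.Read.All'

# Graph trustType values and the join type each one represents
$JoinType = @{
    'Workplace' = 'Microsoft Entra registered'
    'AzureAd'   = 'Microsoft Entra joined'
    'ServerAd'  = 'Microsoft Entra hybrid joined'
}

$devices = Get-MgUserRegisteredDevice -UserId $UserPrincipalName -All |
    ForEach-Object {
        # Device attributes are returned in the AdditionalProperties dictionary
        $p     = $_.AdditionalProperties
        $trust = [string]$p['trustType']
        [pscustomobject]@{
            DisplayName       = $p['displayName']
            JoinType          = $JoinType[$trust]
            # Per the article: registered devices support Private Access,
            # but are not supported for Internet Access.
            PrivateAccessOnly = ($trust -eq 'Workplace')
            OperatingSystem   = $p['operatingSystem']
            Registered        = $p['registrationDateTime']
            IsManaged         = $p['isManaged']
            ObjectId          = $_.Id
        }
    }

# Newest registrations first, so a first BYOD sign-in shows up at the top
$devices | Sort-Object Registered -Descending | Format-Table -AutoSize
```

A device that has just completed the first sign-in described above should appear with the join type Microsoft Entra registered and a recent registration time.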

Conclusion

Microsoft Entra Private Access BYOD enables access to internal resources using Microsoft Entra registered devices. This allows BYOD scenarios to be integrated into an existing Zero Trust architecture without the need to operate separate VPN solutions. As a result, Global Secure Access gains additional flexibility and supports modern work models with secure access to internal resources.