Forum Discussion
Entra ID Private Access - data flow
Hi Stefan, great question about data flow in Microsoft Entra Private Access (part of Global Secure Access).
The behavior depends on traffic forwarding policies and the device location. It does not work as a full tunnel VPN by default, but rather uses granular, policy-based routing to optimize performance.
How traffic is evaluated
The Global Secure Access client evaluates traffic sequentially: first Microsoft endpoints (such as Entra ID and Graph), then Private Access resources (via connector), and finally Internet traffic.
If there is no policy match, the traffic stays local (split tunnel). This explains why, when you are inside the internal network, accessing file shares can reach high speeds (~1GB/s) without going through the internet.
Authentication and authorization are always handled by Microsoft Entra ID, but data traffic only goes through the service (via connectors) when it matches a configured Private Access rule (FQDN/IP or specific application).
Practical scenarios
- Internal network without policy match
  Traffic flows directly (local routing), without using the connector or internet.
- Policy match (Private Access)
  Traffic is routed through the connector, requiring outbound internet connectivity and potentially adding latency.
  In this case, it is important to properly configure Quick Access with the relevant FQDNs/IPs.
- Optional full tunnel
  Full tunneling can be enabled via profiles to force all traffic through the service, but this is generally not recommended due to performance impact.
Troubleshooting and validation
- Check in the Entra portal:
  Global Secure Access → Traffic forwarding → Profiles (Private Access) to confirm the resource is included
- Review logs under:
  Monitor → Traffic logs to validate actual routing behavior
- Verify connector health under:
  Connectors → Status
- Review Conditional Access policies applied to the application
If the issue persists, it would help to share the client/connector version, the application FQDN, and relevant logs for deeper analysis.
Microsoft Learn: https://learn.microsoft.com/en-us/entra/global-secure-access/concept-connectors
Microsoft Learn: https://learn.microsoft.com/en-us/entra/global-secure-access/reference-current-known-limitations?tabs=windows-client
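
A simplified model of the evaluation order described in the answer above, added here as an example; it is not code from the thread and not the Global Secure Access client's own logic. The profile contents, host names and address ranges are constructed, and the wildcard and port matching are assumptions made for illustration.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed sample profiles, listed in the order the answer describes:
# Microsoft endpoints, then Private Access, then Internet.
# Each rule is (destination pattern, allowed ports or None for any port).
PROFILES = [
    ("microsoft", [("login.microsoftonline.com", {443}),
                   ("graph.microsoft.com", {443})]),
    ("private-access", [("*.corp.example.com", {445, 3389}),
                        ("10.20.0.0/16", {445})]),
    ("internet", []),  # empty here: no Internet rules in this sample
]


def _matches(pattern, dest, port, ports):
    """True if dest:port falls under one rule (FQDN wildcard or CIDR range)."""
    if ports is not None and port not in ports:
        return False
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        # Pattern is an FQDN; compare case-insensitively, ignoring a trailing dot.
        return fnmatch(dest.lower().rstrip("."), pattern.lower())
    try:
        return ipaddress.ip_address(dest) in net
    except ValueError:
        return False  # an IP range rule never matches a host name


def route_for(dest, port, profiles=PROFILES):
    """Return the first profile with a matching rule, else 'local' (split tunnel)."""
    for name, rules in profiles:
        for pattern, ports in rules:
            if _matches(pattern, dest, port, ports):
                return name
    return "local"


if __name__ == "__main__":
    for dest, port in [("fs01.corp.example.com", 445), ("fs01", 445),
                       ("10.20.5.9", 445), ("10.30.5.9", 445),
                       ("graph.microsoft.com", 443)]:
        print(f"{dest}:{port} -> {route_for(dest, port)}")
```

In this model a file share reached by a short name or by an address outside the configured range falls through to `local`, so the way a resource is addressed decides whether its traffic is expected to appear in the traffic logs.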