Forum Discussion

Stefan31
Copper Contributor
Mar 24, 2026

Entra ID Private Access - data flow

Hello,

I am successfully testing Entra Private Access. From outside, I can easily access my shared permissions.

However, I have one more question. What happens if my device is on the internal network? If I access the shares directly, I get about 1GB/s. What happens if the "Global Secure Access" client is active? Does all the data go through the Entra portal, or just the authentication? If all the data goes through the Entra portal, there could be challenges with the internet connection (all data in and out).

Thank you for your support

Stefan

2 Replies

  • Stefan31

    Hi Stefan, great question about data flow in Microsoft Entra Private Access (part of Global Secure Access).

    The behavior depends on traffic forwarding policies and the device location; it does not work as a full tunnel VPN by default, but rather uses granular, policy-based routing to optimize performance.

    How traffic is evaluated

    The Global Secure Access client evaluates traffic sequentially: first Microsoft endpoints (such as Entra ID and Graph), then Private Access resources (via connector), and finally Internet traffic.

    If there is no policy match, the traffic stays local (split tunnel). This explains why, when you are inside the internal network, accessing file shares can reach high speeds (~1GB/s) without going through the internet.

    Authentication and authorization are always handled by Microsoft Entra ID, but data traffic only goes through the service (via connectors) when it matches a configured Private Access rule (FQDN/IP or specific application).

    Practical scenarios

    • Internal network without policy match
      Traffic flows directly (local routing), without using the connector or internet.
    • Policy match (Private Access)
      Traffic is routed through the connector, requiring outbound internet connectivity and potentially adding latency.
      In this case, it is important to properly configure Quick Access with the relevant FQDNs/IPs.
    • Optional full tunnel
      Full tunneling can be enabled via profiles to force all traffic through the service, but this is generally not recommended due to performance impact.

    Troubleshooting and validation

    • Check in the Entra portal:
      Global Secure Access → Traffic forwarding → Profiles (Private Access) to confirm the resource is included
    • Review logs under:
      Monitor → Traffic logs to validate actual routing behavior
    • Verify connector health under:
      Connectors → Status
    • Review Conditional Access policies applied to the application

    If the issue persists, it would help to share the client/connector version, the application FQDN, and relevant logs for deeper analysis.

    Microsoft Learn: https://learn.microsoft.com/en-us/entra/global-secure-access/concept-connectors
    Microsoft Learn: https://learn.microsoft.com/en-us/entra/global-secure-access/reference-current-known-limitations?tabs=windows-client

  • richardhicks
    Copper Contributor

    You can configure Intelligent Local Access (ILA) for Entra Private Access to allow the GSA client to route traffic locally for endpoints on the internal network. However, in this scenario, the GSA client still performs authentication/authorization, so you maintain control of the authentication path and can still enforce a conditional access policy for access to the resources. Details here: 

    https://directaccess.richardhicks.com/2025/12/01/entra-private-access-intelligent-local-access/
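As an added illustration of the sequential evaluation order described in the first reply (Microsoft endpoints, then Private Access rules, then Internet, otherwise local split tunnel) and of the Intelligent Local Access behaviour described in the second reply, here is a small Python model. It is written for this thread only; it is not code from the thread, from Microsoft, or from the Global Secure Access client, and the profile names, sample rules, hostnames, IP ranges and the way ILA is handled are all assumptions made for the example.

```python
"""Toy model of GSA client traffic evaluation (constructed example, not the real client logic)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def _as_ip(dest: str):
    """Return an ip_address for a literal IP destination, or None for a hostname."""
    try:
        return ip_address(dest)
    except ValueError:
        return None


@dataclass(frozen=True)
class Rule:
    """One entry in a traffic forwarding profile: FQDN suffix, IP range, or catch-all."""
    kind: str          # "fqdn" (suffix match), "cidr" (IP range) or "any" (catch-all)
    value: str = ""

    def matches(self, dest: str) -> bool:
        if self.kind == "any":
            return True
        addr = _as_ip(dest)
        if self.kind == "cidr":
            return addr is not None and addr in ip_network(self.value)
        if self.kind == "fqdn":
            host = dest.lower().rstrip(".")
            return addr is None and (host == self.value or host.endswith("." + self.value))
        raise ValueError(f"unknown rule kind {self.kind!r}")


@dataclass
class Profile:
    name: str
    rules: list
    enabled: bool = True


@dataclass
class Decision:
    route: str               # "tunnel" (via the service / connector) or "local"
    profile: Optional[str]   # profile that matched, or None for no match
    ca_enforced: bool        # whether Entra authN/authZ sits in the path
    reason: str


def default_profiles(full_tunnel: bool = False) -> list:
    """Profiles in the evaluation order the reply describes; all values are assumed samples."""
    return [
        Profile("Microsoft 365", [Rule("fqdn", "login.microsoftonline.com"),
                                  Rule("fqdn", "graph.microsoft.com")]),
        Profile("Private Access", [Rule("fqdn", "corp.example"),      # assumed internal domain
                                   Rule("cidr", "10.10.0.0/16")]),    # assumed internal range
        # Catch-all Internet profile only when "full tunnel" is deliberately turned on.
        Profile("Internet", [Rule("any")], enabled=full_tunnel),
    ]


def evaluate(dest: str, profiles: list, on_corp_network: bool = False,
             ila_enabled: bool = False) -> Decision:
    """Walk the profiles in order and return the first match; no match means split tunnel."""
    for profile in profiles:
        if not profile.enabled:
            continue
        for rule in profile.rules:
            if not rule.matches(dest):
                continue
            # Simplified ILA model: device detected on the corporate network keeps the
            # data path local for Private Access resources while auth is still enforced.
            if profile.name == "Private Access" and ila_enabled and on_corp_network:
                return Decision("local", profile.name, True,
                                "ILA: on corporate network, data bypasses the connector")
            return Decision("tunnel", profile.name, True,
                            f"matched {rule.kind} rule {rule.value or '*'} in {profile.name}")
    return Decision("local", None, False, "no policy match: stays local (split tunnel)")


if __name__ == "__main__":
    for dest in ("fileserver.corp.example", "10.10.5.20", "www.example.org",
                 "login.microsoftonline.com"):
        print(dest, "->", evaluate(dest, default_profiles()))
    print("ILA on corp network ->",
          evaluate("fileserver.corp.example", default_profiles(),
                   on_corp_network=True, ila_enabled=True))
    print("full tunnel ->", evaluate("www.example.org", default_profiles(full_tunnel=True)))
```

The model makes the performance point of the thread concrete: an internal share that matches a Private Access rule is tunnelled through the connector and therefore depends on the outbound internet path, a destination with no match never leaves the local network, and with ILA enabled on the corporate network the data path is local while the authentication path is still enforced.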