Entra Private Access: Location awareness- GSA Client

Hi, as of may 2025, the global secure access (gsa) client always tunnels traffic to the cloud service if there’s a forwarding profile that matches, even when the device is on the corporate lan. there’s no native “trusted network detection” yet to auto-disable the tunnel. microsoft’s docs only mention two manual options: disable the entire client, or just disable private access.

this behavior is confirmed by multiple microsoft q&a threads from recent months. product engineers suggest workarounds like bypass rules or intune scripts, but there’s still no ga feature for auto-bypass.

microsoft announced “intelligent local access” back in 2023: the idea is for the client to detect when it’s on a trusted network and skip tunneling, while still enforcing conditional access. but it’s not available yet—no public preview, and nothing in the 2.18 client release notes. insiders say the first internal builds are being tested, but no ga date has been announced.

in the meantime, you can work around this with options like:
– intune script that disables private access if a known dns/ip is reachable
– enable the manual “disable private access” button in the tray via registry
– custom bypass in your forwarding profile (if licensed)
– split tunnel setup using legacy vpn inside the lan and gsa outside

Stay on the latest client, use the workaround that fits your setup, and monitor the “what’s new in entra” channel. if you want to push microsoft, vote on feedback portal or file a support case referencing internal feature id 148970.