Forum Discussion
Global Secure Access Per App segmentation
Hi,
We are running a POC with Global Secure Access and have the following situation.
We have defined a traffic forwarding profile for Private Access and a Quick Access policy to allow access to certain applications.
I have now created a separate enterprise application and assigned it a different group than the Quick Access policy,
for example RDP/HTTP to a specific server.
The following seems to be happening. When I check the Private Access rules on the GSA clients, they are receiving all rules (Quick Access + enterprise application rules), even if they don't have a group assignment in the application segment (default behaviour, I am guessing).
When a user defined in Quick Access only attempts to access the enterprise application, he gets a prompt on his GSA client: "Action required, please sign in". When he then signs in, he gets an access denied message, as expected. However, he also gets denied access to the other Quick Access segment. To resolve this I have to disable and re-enable the client.
Is this normal behaviour, and is there a way around this? Can we, for example, not include the enterprise application in the Private Access rule if the group is not assigned?
Any help would be appreciated.
1 Reply
Hi, what you're seeing is (almost) expected behavior in GSA. The Private Access forwarding profile is unique—if it's assigned to "All users," it will download all defined segments from any Quick/Private Access app, regardless of group assignment. Authorization is checked only afterwards, using the token and Conditional Access. When a user tries to access an unassigned segment, the client prompts for sign-in; the app then rejects the token (AADSTS50105), and the connection fails—this is by design.

The real issue is that after the deny, in versions ≤ 2.10, the client driver enters an AccessDenied state and blocks other segment access until the client is restarted. This is a known bug and was fixed starting with version 2.18.62 (preferably 2.20.56), which includes several stability improvements.

Mitigations:
(1) Assign the Private Access profile only to a pilot group instead of all users—those outside the group won't receive the rule file and won't even see the segments.
(2) Create separate Quick/Private Access apps with different group assignments. Even though all users still receive the rules, only those in the assigned group can authenticate.
(3) Always deploy the latest client version (via Intune, scripts, etc.) and monitor behavior via Advanced Diagnostics.

Current limitations: you cannot hide a segment from the rule file if a user isn't assigned, and you cannot create multiple Private Access profiles at once. These constraints are known and partially on the roadmap, but for now, the behavior is by design.