Forum Discussion
Global Secure Access Per App segmentation
Hi, what you're seeing is (almost) expected behavior in GSA. The Private Access forwarding profile is unique—if it's assigned to "All users," it will download all defined segments from any Quick/Private access app, regardless of group assignment. Authorization is checked only afterwards, using the token and Conditional Access. When a user tries to access an unassigned segment, the client prompts for sign-in; the app then rejects the token (AADSTS50105), and the connection fails—this is by design.

The real issue is that after the deny, in versions ≤ 2.10, the client driver enters an AccessDenied state and blocks other segment access until the client is restarted. This is a known bug and was fixed starting with version 2.18.62 (preferably 2.20.56), which includes several stability improvements.

Mitigations:
(1) Assign the Private Access profile only to a pilot group instead of all users—those outside the group won't receive the rule file and won't even see the segments.
(2) Create separate Quick/Private access apps with different group assignments. Even though all users still receive the rules, only those in the assigned group can authenticate.
(3) Always deploy the latest client version (via Intune, scripts, etc.) and monitor behavior via Advanced Diagnostics.

Current limitations: you cannot hide a segment from the rule file if a user isn't assigned, and you cannot create multiple Private Access profiles at once. These constraints are known and partially on the roadmap, but for now, the behavior is by design.