153 changes: 153 additions & 0 deletions spec/network/30111.md
@@ -0,0 +1,153 @@
# Global Secure Access is enabled

## Spec Status

Draft

## Documentation Status

Not started

## Dev Status

Not started

## Minimum License

AAD_PREMIUM_P1, Entra_Premium_Internet_Access, Entra_Premium_Private_Access

## Pillar

Network

## SFI Pillar

Protect networks

## Category

Zero Trust Network Access (ZTNA)

## Risk Level

High

## User Impact

Medium

## Implementation Cost

Medium

## Customer Facing Explanation

Global Secure Access is Microsoft's Security Service Edge (SSE) solution that provides Zero Trust network access for remote users and branch offices. It encompasses Microsoft Entra Internet Access and Microsoft Entra Private Access, replacing traditional VPNs with identity-aware, cloud-delivered security controls.

Without Global Secure Access enabled, organizations rely on legacy perimeter-based VPN solutions that grant implicit trust to any user on the corporate network. Threat actors who compromise a user's credentials can laterally move across the network because traditional VPNs provide broad network access rather than per-application, identity-driven access. This flat-network approach exposes all internal resources to authorized users indiscriminately, eliminating segmentation boundaries. Attackers can maintain persistence by establishing secondary access channels through the VPN tunnel without additional authentication. Once inside a poorly segmented VPN network, attackers can enumerate and attack internal systems freely. By transitioning to Global Secure Access with identity-based, per-application access controls and continuous validation, organizations enforce Zero Trust principles—users and devices are never implicitly trusted, and access is continuously verified based on user, device, location, and risk signals.

Risk Level: High - Organizations without Global Secure Access enabled depend on legacy VPN models that lack identity-aware controls and enable lateral movement across the network.

User Impact: Medium - Users must install the Global Secure Access client and may require re-authentication; some dependent on VPNs may experience workflow changes during migration.

Implementation Cost: Medium - Requires deploying the Global Secure Access client, configuring forwarding profiles, and potentially integrating with Conditional Access policies. Ongoing management of traffic policies is required.

## Check Query

The assessment checks whether Global Secure Access is configured and actively enabled in the tenant. This check validates that traffic forwarding profiles (Microsoft traffic, Internet access, or Private access) are configured and enabled.

### Query 1: Q1: Validate Global Secure Access traffic forwarding profiles are configured

**Endpoint:** `https://graph.microsoft.com/beta/networkAccess/forwardingProfiles`

**Documentation:** [Global Secure Access traffic forwarding profiles](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-traffic-forwarding)

**Property Check:** The presence of forwarding profile objects with status indicating configuration

**Pass Criteria:** At least one traffic forwarding profile (Microsoft traffic, Internet access, or Private access profile) exists and is configured in the tenant

**Fail Criteria:** No forwarding profiles are found, or all existing profiles are in an unconfigured/disabled state

**Details:** Global Secure Access is enabled when at least one of the three traffic forwarding profiles is configured:
- Microsoft traffic profile (for Microsoft 365 and Microsoft Graph traffic)
- Internet access profile (for public internet and SaaS app traffic)
- Private access profile (for private corporate resources and legacy apps)

If a tenant has no forwarding profiles configured, Global Secure Access is not in use.

### Query 2: Q2: Validate that traffic forwarding profiles have assigned users or remote networks

**Endpoint:** `https://graph.microsoft.com/beta/networkAccess/forwardingProfiles/{id}/users` and `https://graph.microsoft.com/beta/networkAccess/forwardingProfiles/{id}/remoteNetworks`

**Documentation:** [Global Secure Access dashboard](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-global-secure-access-logs-monitoring#dashboard)

**Property Check:** User assignments or remote network assignments to forwarding profiles

**Pass Criteria:** At least one forwarding profile (Q1) has active user assignments or remote network assignments, indicating the feature is in active use

**Fail Criteria:** Forwarding profiles exist but have no user or remote network assignments, indicating configuration without deployment

**Details:** A configured forwarding profile is only meaningful if it has users or remote networks assigned to it. This query validates that the configuration is not just present but also actively deployed.

## User facing message

Pass: Global Secure Access is enabled with traffic forwarding profiles configured and actively assigned to users or remote networks.

Fail: Global Secure Access is not enabled, or forwarding profiles are configured without active user or remote network assignments.

Investigate: Global Secure Access has forwarding profiles configured but without users or remote networks assigned, indicating incomplete deployment.

## Test evaluation logic

1. Execute Query 1 (Q1): Retrieve all forwarding profiles in the tenant
2. If no forwarding profiles are found, test result is **Fail**
3. If forwarding profiles are found, execute Query 2 for each profile
4. If any forwarding profile has user assignments or remote network assignments, test result is **Pass**
5. If forwarding profiles exist but have no assignments, test result is **Investigate**

## Test output data

The test returns a list of configured traffic forwarding profiles with the following information:
- Profile name (e.g., "Microsoft traffic profile", "Internet access profile", "Private access profile")
- Profile type
- Status (enabled/disabled)
- Number of assigned users
- Number of assigned remote networks
- Creation date

Link to Global Secure Access configuration portal: [Microsoft Entra Admin Center - Global Secure Access](https://entra.microsoft.com/#view/Microsoft_AAD_GlobalSecureAccess/GlobalSecureAccessBlade)

## Remediation resources

To enable Global Secure Access in your organization, follow these steps:

1. **Verify licensing**: Ensure your organization has the appropriate licenses. Microsoft Entra Internet Access and Microsoft Entra Private Access require Microsoft Entra ID P1 or P2 as a prerequisite, plus either Microsoft Entra Suite or standalone Microsoft Entra Internet Access/Private Access licenses. For details, see [Global Secure Access licensing overview](https://learn.microsoft.com/en-us/entra/global-secure-access/overview-what-is-global-secure-access#licensing-overview).

2. **Assign administrator roles**: Assign the Global Secure Access Administrator role to designated administrators. See [Global Secure Access Administrator permissions](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-secure-access-administrator).

3. **Access Global Secure Access**: Navigate to the Microsoft Entra admin center and select Global Secure Access from the navigation menu. See [Quickstart: Access the Global Secure Access area](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-get-started-with-global-secure-access).

4. **Configure traffic forwarding profiles**: Decide which profiles to enable:
- For Microsoft 365 traffic: Enable the [Microsoft traffic profile](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-microsoft-traffic-profile) and follow [How to manage the Microsoft traffic profile](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-manage-microsoft-profile).
- For public internet and SaaS apps: Enable the [Internet access profile](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-internet-access) and follow [How to manage the Internet access profile](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-manage-internet-access-profile).
- For private corporate resources: Enable the [Private access profile](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-private-access) and follow [How to manage the Private access profile](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-manage-private-access-profile).

5. **Install the Global Secure Access client**: Deploy the client to user devices. See [How to install the Global Secure Access client](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client).

6. **Assign users to forwarding profiles**: Once profiles are configured, assign users or remote networks to activate the feature. See [Assigning users to Global Secure Access](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-assign-users-to-global-secure-access).

7. **Monitor and validate**: Use the Global Secure Access dashboard to verify that users are connected and traffic is flowing through the service. See [Global Secure Access logs and monitoring](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-global-secure-access-logs-monitoring).

## API Testing and Validation Notes

### Query 1 Endpoint Validation
- **Endpoint**: `https://graph.microsoft.com/beta/networkAccess/forwardingProfiles`
- **Status**: Documented in Microsoft Graph beta API; requires production validation
- **Expected Response Structure**: Array of forwarding profile objects
- **Required Permissions**: NetworkAccess.Read.All or Global Secure Access Administrator role

### Query 2 Endpoint Validation
- **Endpoint**: `https://graph.microsoft.com/beta/networkAccess/forwardingProfiles/{id}/users`
- **Status**: Documented in Microsoft Graph beta API; requires production validation
- **Dependencies**: Requires iterating through results of Query 1
- **Pagination**: May return paginated results for tenants with large user assignments
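Review bot: the evaluation logic and the fail criteria disagree on profiles that have no assignments. Step 5 of "Test evaluation logic" returns **Investigate** when "forwarding profiles exist but have no assignments", but Q2's **Fail Criteria** ("Forwarding profiles exist but have no user or remote network assignments") and the Fail message ("or forwarding profiles are configured without active user or remote network assignments") treat the same condition as Fail, so the Fail and Investigate messages overlap and an implementer cannot tell which result to emit. Pick one outcome and align all three places; if Investigate is intended, drop the second clause from the Fail message and narrow Q2's Fail Criteria to match. Separately, step 4 passes as soon as any profile has user or remote network assignments without looking at the profile's status, even though Q1's Fail Criteria names "all existing profiles are in an unconfigured/disabled state" and the output data lists "Status (enabled/disabled)"; a disabled profile with stale assignments would currently Pass, so the Pass step should require the assigned profile to be enabled. Since the Query 2 notes say results "May return paginated results", the logic should also state that all pages are read before concluding a profile has no assignments.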