KaranS340
Copper Contributor
May 12, 2025

Entra Private Access: Location awareness - GSA Client

Hi there,

I’ve recently started researching Entra Private Access, and it looks promising. However, one thing I have noticed in various online discussions is that the GSA client installed on end-user machines isn't location aware. That is, even when a user is working from the office, the client continues to tunnel traffic, which results in added latency.

Technically speaking, if an end user is in the office, the client should automatically detect this and disable itself. Unfortunately, this doesn't seem to be the case with the current GSA client.

So, does anyone—especially from the Entra Team—know if there are any plans to include a feature that mitigates this issue in the future?

Thanks,

Article: Entra Private Access - disable when on-prem? : r/sysadmin

1 Reply

  • micheleariis
    Steel Contributor

    Hi, as of May 2025, the Global Secure Access (GSA) client always tunnels traffic to the cloud service if there’s a forwarding profile that matches, even when the device is on the corporate LAN. There’s no native “trusted network detection” yet to auto-disable the tunnel. Microsoft’s docs only mention two manual options: disable the entire client, or just disable Private Access.

    This behavior is confirmed by multiple Microsoft Q&A threads from recent months. Product engineers suggest workarounds like bypass rules or Intune scripts, but there’s still no GA feature for auto-bypass.

    Microsoft announced “Intelligent Local Access” back in 2023: the idea is for the client to detect when it’s on a trusted network and skip tunneling, while still enforcing Conditional Access. But it’s not available yet—no public preview, and nothing in the 2.18 client release notes. Insiders say the first internal builds are being tested, but no GA date has been announced.

    In the meantime, you can work around this with options like:
    – Intune script that disables Private Access if a known DNS/IP is reachable
    – Enable the manual “Disable Private Access” button in the tray via registry
    – Custom bypass in your forwarding profile (if licensed)
    – Split tunnel setup using legacy VPN inside the LAN and GSA outside

    Stay on the latest client, use the workaround that fits your setup, and monitor the “What’s new in Entra” channel. If you want to push Microsoft, vote on the feedback portal or file a support case referencing internal feature ID 148970.
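
One way the first workaround in the reply above (an Intune script keyed on a known DNS name/IP) could be written; this is an added example, not code from the thread or from Microsoft. It also pins the probe host's TLS certificate, because a DNS name and a private IP alone can be reproduced on any network. The probe host, addresses, thumbprint, registry key, value name and the 1/0 meaning of the value are placeholders or assumptions to be replaced from Microsoft's documentation.

```powershell
# Added example: trusted-network check for an Intune-deployed script.
# Every value below is a constructed placeholder; replace before use.
$ProbeHost      = 'gsa-probe.corp.example'        # internal-only DNS name (assumed)
$ExpectedIPs    = @('10.0.0.10')                  # what it resolves to on the LAN (assumed)
$PinnedCertHash = '<THUMBPRINT-OF-PROBE-HOST-CERT>'
$RegPath        = '<REGISTRY-KEY-FROM-MICROSOFT-DOCS>'
$RegValue       = '<VALUE-NAME-FROM-MICROSOFT-DOCS>'

function Test-TrustedNetwork {
    # Step 1: the probe name must resolve, and only to expected addresses.
    try {
        $ips = @(Resolve-DnsName -Name $ProbeHost -Type A -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    } catch { return $false }
    if ($ips.Count -eq 0) { return $false }
    foreach ($ip in $ips) { if ($ip -notin $ExpectedIPs) { return $false } }

    # Step 2: any network can serve the same name and RFC 1918 address, so
    # also require the host to present the pinned TLS certificate on 443.
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        if (-not $tcp.ConnectAsync($ips[0], 443).Wait(3000)) { return $false }
        # Chain validation is skipped on purpose: the thumbprint pin below decides.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ProbeHost)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        return ($cert.Thumbprint -eq $PinnedCertHash)
    } catch { return $false }
    finally { $tcp.Dispose() }
}

if ($RegPath -like '<*' -or $RegValue -like '<*') {
    throw 'Fill in the registry key and value name from the Microsoft documentation.'
}
# Assumed semantics: DWORD 1 = Private Access disabled, 0 = enabled.
$disable = [int](Test-TrustedNetwork)
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
Set-ItemProperty -Path $RegPath -Name $RegValue -Value $disable -Type DWord
Write-Output "TrustedNetwork=$([bool]$disable); $RegValue set to $disable"
```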
