Entra ID – Global Secure Access Client – Assign users and groups to forwarding profiles

Last Updated on June 5, 2024 by Michael Morten Sonne


In Public Preview as this post is written

This is not a part of my series about the Global Secure Access, but an add as new features in general is added – see the next parts for more.

To check out my series – check this out: Entra ID – Global Secure Access Client – Part 1, Entra ID – Global Secure Access Client – Part 2 and Entra ID – Global Secure Access Client – Setup of the Microsoft 365 Profile – Part 3 – check them out! More to come… 😉

Finally, with the Global Secure Access traffic forwarding features, you can designate specific users and groups to a traffic forwarding profile. This targeted assignment restricts the scope of the profile, providing a controlled and gradual rollout mechanism.

You will be able to apply any traffic forwarding profile (Microsoft 365, Private, or Internet) to a specific group of users and gradually expand its rollout to more users.

This article explains how to assign specific users and groups to a traffic forwarding profile.

Why is this new feature added to Secure Global Access a most?

Having the option to assign specific users and groups to a traffic forwarding profile is important for several reasons:

  • Controlled Rollout: This feature allows for a phased deployment, reducing the risk of widespread disruptions. You can test the new profile with a smaller group before a full-scale rollout.
  • Customization: Different users and groups may have different security needs and usage patterns. Assigning profiles specifically allows you to tailor the network and security settings to fit these unique requirements.
    • But here, it´s for now overall – and not on specific profiles to split it more up – we can hope in the future! 🤞
  • Risk Management: By limiting the scope of a new profile to specific users or groups, you can mitigate potential risks and identify issues early, preventing them from affecting the entire organization.
  • Compliance and Security: Certain groups may require stricter security measures due to regulatory or organizational policies. Assigning specific profiles ensures compliance with these standards without impacting the entire tenant.
    • But again here, it´s for now overall – and not on specific profiles to split it more up – we can hope in the future! 🤞
  • Flexibility and Scalability: This feature provides the flexibility to easily adjust and scale security policies as the organization grows or as new security threats emerge.


To assign traffic forwarding profiles to specific users or groups in your tenant, you must have the right access and installed clients as listed here:

  • Global Secure Access Administrator role in Microsoft Entra ID to view the traffic forwarding profile.
  • An Application Administrator role to assign the traffic profile to the selected users and groups.
  • The preview (for now) requires a Microsoft Entra ID P1 license. If needed, you can purchase licenses or get trial licenses here.
  • The minimum required Global Secure Access client version is 1.7.376.0 or later. Clients using versions below this will not receive the traffic forwarding profile assigned to the user.

Known limitations

As the known list is as this post is written

  • Group-based assignments requires a Microsoft Entra ID P1 or P2 license.
  • Traffic profiles are retrieved based on the Microsoft Entra user logged into the device, rather than the user logged into the client.
  • Group-based assignment is only supported for Security groups and Microsoft 365
    whose SecurityEnabled setting is set to True.
  • It may take up to 10-20 minutes for changes in a user’s profile status/assignments, such as addition or removal, to reflect in the client.
  • Multiple sessions/users logging on the same device is not supported.
  • If no Microsoft Entra user is logged in, the traffic profile is retrieved only if it’s assigned to all users. For instance, logging into the device as a local admin makes you part of the “all users” category.
  • The profiles assigned are determined by the user currently logged into the device, not necessarily the user used to log into the Global Secure Access Client.
  • Nested group memberships aren’t currently supported (like etc. License Assignments still not supports) so a user must be a direct member of the group assigned to the profile.

The new features added

Assign a Traffic forwarding profile to specific users and groups

When you enable a traffic forwarding profile, its default assignment depends on its current status:

  • Enabled Profile: The profile is assigned to all users by default, ensuring continuous service.
  • Disabled Profile: Upon enabling, the profile starts with zero users assigned, allowing for a controlled rollout to a specific set of users.

You can configure user and group assignments either before or after enabling the traffic profile. To start acquiring and forwarding traffic, you must enable the traffic profile. For more information, read more here: Global Secure Access (preview) traffic forwarding profiles – Global Secure Access | Microsoft Learn

The following screenshot illustrates this distinction:

  • The Internet Access profile is disabled and assigned to zero users and groups.
  • The Private Access profiles are enabled and assigned to all users.
  • The Microsoft 365 access profiles is assigned to only one group.
A mix of assigned to groups and for the hole tenant
Here as the default assignment – all enabled profiles is targeted all users

Assign users and group to a traffic profiles

Assign the tartet users and groups for the forwarding profiles

Here you can select the 0 Users, 0 Groups assigned link or All users assigned depening on the profiles current setup.

    • Select Add user/group .
    • Select the link for the assignment, select the users and/or groups from the list, and select the Select button.
    • The All list groups users and groups together. Select either the Users or Groups tab to narrow the list.
    The list of groups and users in your tenant to select to assign

    You can also use the Search box to find the user or group directly.

      • Select the Assign button to assign it to the profile in the last view under Add Assignment.

      Now you hare assigned a group/user the profile as listed here – good job! 😎

      Modify existing user and group assignments

      The process for changing user and group assignments for an already enabled traffic profile is very similar, with the following exceptions.

      • When you select the View link in the User and group assignments section, you need to change the Assign to all users setting to No.
      • Review the confirmation message to ensure you will do this, and then select OK.
      • Continue with the steps in the previous section for the other profiles.

      Apply the traffic profile to all users

      After assigning a traffic forwarding profile to a specific user or group, you can easily adjust the setting to apply the traffic profile to all users. If you later switch it back to a specific group, any users and groups originally assigned to that traffic forwarding profile remain unchanged, eliminating the need to re-add them.

      • Browse to Global Secure Access > Connect > Traffic forwarding.
      • Select the View link in the user and group assignments section.
      • Change the Assign to all users toggle to Yes, review the confirmation message, and select the OK button.
      • Select the Done button to save the configuration – then the profile will be added to all users in your tenant (default).

      Switch the assignment from all users back to a specific user or group

      You can revert the assignment of all users to a traffic profile. When you toggle off the assignment for all users, you revert to the users and groups that were assigned when you toggled it on.

      • Browse to Global Secure Access > Connect > Traffic forwarding.
      • Select the View link in the user and group assignments section.
      • Change the Assign to all users toggle to No, review the confirmation message, and select the OK button.
      • Select Done.

      Automatic assignment through dynamic groups

      To learn more about automatic assignment using user attributes, refer to the guide on creating or updating a dynamic group in Microsoft Entra ID.

      Dynamic groups are particularly beneficial and useful for managing etc. Entra ID PIM memberships and other related tasks – there is many usecases 😉

      Read more about this here: Create or edit a dynamic group and get status – Microsoft Entra ID | Microsoft Learn


      The overall conclusion is that these new features provide enhanced flexibility, control, and efficiency in managing traffic forwarding profiles within Globa Secure Access. The ability to assign profiles to specific users or groups allows for more targeted and controlled rollout (that is a need), ensuring that security measures can be tailored to individual needs.

      Additionally, the option to automate assignments based on user attributes streamlines administration and reduces manual effort.

      Overall, these additions significantly improve the management and customization of traffic forwarding profiles, contributing to a more secure and optimized network environment.

      And as always, it has been super nice to work together with the Product Team at Microsoft on this new exciting feature – and to see it all take shape! 🥳

      It was an enjoyable experience testing it during the Private Preview phase as a participant in the Microsoft Customer Connection Program! 😉🔐

      Let´s see what´s comming over the next time, as i´m sure some more nice stuff will come! 👌

      Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍

      It’s important to note that while the Global Secure Access feature is currently in preview, and its licensing requirements may evolve as it progresses towards General Availability (GA)!

      Remember you can allways support me and my development of tools and creating of content and so via Why donate? – Blog – Sonne´s Cloud (sonnes.cloud)

      Stay tuned for the new post about something cool! 🥳


      Global Secure Access documentation – Global Secure Access | Microsoft Learn

      Learn about the Global Secure Access clients for Microsoft Entra Private Access and Microsoft Entra Internet Access – Global Secure Access | Microsoft Learn

      Previous Article

      Introducing a new tool - Lookup IP to DNS Tool - v.!

      Related Posts

      Discover more from Sonne´s Cloud

      Subscribe now to keep reading and get access to my free newsletter 🤝🧑‍💻

      Join 22 other subscribers

      There is options to pay for some content too, as not all can/is free for all - see more on my website