In this post, we will focus on Microsoft Traffic within Global Secure Access (GSA).

Previously, I wrote a post about Tenant Restriction.

2024.07.07 - [Microsoft 365/Entra] - Microsoft Entra ID. Set up tenant restrictions v2 by GSA (English)

Since both the article and the video required updates, and several new features have recently been added, I decided to rewrite this guide as the 2026 edition.

GSA functionality is broadly divided into three profiles:

  • Microsoft Traffic
  • Internet Access
  • Private Access

Among them, Microsoft Traffic is designed to manage Microsoft service traffic. One of its core capabilities is Tenant Restriction, which helps prevent data leakage through personal accounts or unauthorized external tenants.

Even using only the Microsoft Traffic profile, organizations can block personal accounts and control access paths to external tenants at the network layer.

 

 

The following Microsoft documents were referenced during this configuration:

Global Secure Access and Universal Tenant Restrictions - Global Secure Access | Microsoft Learn

Configure Tenant Restrictions - Microsoft Entra ID - Microsoft Entra External ID | Microsoft Learn

Youtube: https://youtu.be/4FzfVHB-rdM

 


Step 1. Activate GSA

Entra Admin Center -> Global Secure Access -> Activate

Create a group that will be assigned to the policy.

Global Secure Access -> Connect -> Traffic forwarding -> Microsoft traffic profile -> Enable

User and group assignments -> View

Assigned -> Select items

Add user/group

Assign the target group.

 

 


Step 2. Enable Tenant Restriction

Entra Admin Center -> Cross-tenant access settings -> Default settings

Edit tenant restriction defaults

Create Policy

A Policy ID will be generated.

Configure the Allow settings.

Global Secure Access -> Settings -> Session management -> Universal Tenant Restriction -> Enable

 

 


Step 3. Install the Client and Verify Policy Application

Connect -> Client download -> Download Client

Proceed with the installation.

Verify the GSA installation status.

Confirm that the client is successfully connected.

Verify that access to external tenants is blocked.


Step 4. Allow Specific External Tenants

If you need to allow access to a specific external tenant:

External Identities -> Cross-tenant access settings -> Organizational settings -> Add organization

Search by Domain or Tenant ID and add the organization.

Select the Tenant restriction option.

Configure the Allow settings.
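To make the Allow settings in Step 2 and Step 4 concrete, here is a small Python model of how the two layers combine: the default settings block all external users and all external apps, and an organization added under Organizational settings gets its own tenant-restriction settings that take precedence for accounts from that tenant, while everything else (other companies, personal accounts) falls back to the defaults. This is an added example, not part of the original post and not Microsoft's implementation; the tenant and application IDs are constructed placeholders and the evaluation is a simplified model of the documented semantics.

```python
"""Simplified model of TRv2 default settings vs. organizational settings.

Added example for this post; not Microsoft's code. Tenant and app IDs
below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class TenantRestrictionSettings:
    """One 'Tenant restrictions' configuration: which external users and
    which external applications may be used from the corporate network."""
    users_allow_all: bool = False
    allowed_users: frozenset[str] = frozenset()
    apps_allow_all: bool = False
    allowed_apps: frozenset[str] = frozenset()

    def permits(self, user: str, app: str) -> bool:
        # Both dimensions must allow the sign-in: the user and the app.
        user_ok = self.users_allow_all or user in self.allowed_users
        app_ok = self.apps_allow_all or app in self.allowed_apps
        return user_ok and app_ok


@dataclass
class TenantRestrictionsPolicy:
    home_tenant_id: str
    default: TenantRestrictionSettings
    organizations: dict[str, TenantRestrictionSettings] = field(default_factory=dict)

    def evaluate(self, account_tenant_id: str, user: str, app: str) -> tuple[bool, str]:
        """Decide whether a sign-in with an account from `account_tenant_id`
        to application `app` is permitted, and report which settings decided."""
        if account_tenant_id == self.home_tenant_id:
            # Your own tenant's accounts are not external; TRv2 does not restrict them.
            return True, "home tenant: not subject to tenant restrictions"
        org = self.organizations.get(account_tenant_id)
        if org is not None:
            # Step 4: an organization added under Organizational settings overrides the defaults.
            return org.permits(user, app), f"organizational settings for {account_tenant_id}"
        # Other companies and personal accounts fall to the default settings (Step 2).
        return self.default.permits(user, app), "default settings"


# Constructed placeholder IDs (not real tenants or applications).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
PERSONAL_TENANT = "33333333-3333-3333-3333-333333333333"  # stand-in for a personal-account tenant
PARTNER_APP = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
OTHER_APP = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"


def build_sample_policy() -> TenantRestrictionsPolicy:
    """Defaults block everything external; one partner tenant is allowed for one app."""
    default = TenantRestrictionSettings()  # users blocked, apps blocked
    partner = TenantRestrictionSettings(users_allow_all=True, allowed_apps=frozenset({PARTNER_APP}))
    return TenantRestrictionsPolicy(HOME_TENANT, default, {PARTNER_TENANT: partner})


def evaluate_samples() -> dict[str, bool]:
    """Run a few constructed sign-in attempts through the policy."""
    policy = build_sample_policy()
    cases = {
        "corporate user, home tenant": (HOME_TENANT, "alice", PARTNER_APP),
        "partner user, allowed app": (PARTNER_TENANT, "bob", PARTNER_APP),
        "partner user, other app": (PARTNER_TENANT, "bob", OTHER_APP),
        "personal account, any app": (PERSONAL_TENANT, "carol", PARTNER_APP),
    }
    return {name: policy.evaluate(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

The point the model makes explicit is that adding an organization in Step 4 does not widen the defaults for anyone else; it replaces the default decision only for accounts from that one tenant, and you still choose per tenant which users and which applications are allowed.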

 


In future posts, I may also cover additional topics such as client deployment, Internet Access, and Private Access features in more detail.

Last post

2024.07.06 - [Microsoft 365/Entra ID] - Microsoft Entra ID. Set up tenant restrictions v2 by GPO (English)

Continuing from the previous post, this time we will proceed with setting tenant restrictions using GSA.

Youtube (English)

https://youtu.be/PIfHu4yPjN4

Step 1 is the same process as in the previous post.

The client PC has already been joined to Entra ID in advance.

 

Step 1: Configure default tenant restrictions v2

Entra Admin Center > Cross-tenant access settings > Default settings

Edit tenant restrictions defaults

Create Policy

The Policy ID is generated as shown below. Make sure to copy each value and keep them.

To set up a blocking policy for external accounts, configure it as shown below (default settings).

To block all external apps, configure the settings as shown below.

 

 

Step 2: Configure GSA

Click on Global Secure Access -> Activate to enable it.

Connect -> Traffic forwarding -> Activate each profile.

Proceed with assigning users and groups.

Assign to all users -> Yes

Secure -> Security profiles -> Create profile

Enter the profile name.

Link policy -> Existing policy

Link the default policy -> Proceed with the profile creation process.

Baseline profile

Change to Enabled status.

 

 

Step 3: Install GSA Client

Connect -> Client download

Download client (When deploying to actual users, Intune can be utilized.)

Proceed with the installation process of the GSA Client.

Sign in

Verify the connection status as shown below.

When logging in to a different tenant in Chrome, you can confirm that it is blocked as shown below.

The downside of the preview version is that the client has a Pause button.

Once officially released, it is expected to be built into the Windows service, similar to MDE.

 

I will discuss Tenant restriction settings.

The primary purpose of Conditional Access is to prevent company accounts from being accessed on personal devices. However, Conditional Access cannot prevent other companies' accounts from being accessed on company devices.

Of course, if a company device can access Naver Mail and Google Drive, it means the company is not very concerned about data leakage, and you may disregard this post.

To use M365, you need to open MS-related URLs such as office.com. Tenant Restriction is the mechanism that prevents those same URLs from being used to sign in with another company's accounts or with personal accounts (such as outlook.com).

Youtube (English)

https://youtu.be/z-sVlZoz3y8

Technical article

Configure tenant restrictions - Microsoft Entra ID - Microsoft Entra External ID | Microsoft Learn

There are three main methods:

  1. GSA
  2. Company Proxy Equipment
  3. GPO

The method using GSA requires a prior understanding of GSA.

I will cover that part separately later.

In this post, I will apply tenant restrictions using the third option, GPO.

 

Step 1: Configure default tenant restrictions v2

Entra Admin Center > Cross-tenant access settings > Default settings

Edit tenant restrictions defaults

Create Policy

The Policy ID is generated as shown below. Make sure to copy each value and keep them.

To set up a blocking policy for external accounts, configure it as shown below (default settings).

To block all external apps, configure the settings as shown below.
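The Directory ID and Policy ID copied in the step above are what every enforcement path on this page (GSA's Universal Tenant Restrictions, a corporate proxy, and the Windows client configured by GPO in Step 2) ultimately injects into sign-in traffic: per the Microsoft Learn article referenced above, requests to the Microsoft login endpoints carry the header `sec-Restrict-Tenant-Access-Policy: <directory id>:<policy id>`, and the identity platform evaluates the named policy. The Python below is an added example, not Microsoft's code or part of this post. It builds the header from the two values and audits a constructed set of captured requests (the kind a proxy log or packet capture would show) for login traffic where the header is missing, malformed, or names a different tenant or policy, which is how you would confirm that whichever injection method you chose is actually in effect. The GUIDs are constructed placeholders, not real tenant or policy values.

```python
"""Build and audit the Tenant Restrictions v2 (TRv2) header.

Added example for this post; not Microsoft's code. Header name and
login hostnames follow Microsoft's TRv2 documentation; all GUIDs are
constructed placeholders.
"""
from __future__ import annotations

import re

TRV2_HEADER = "sec-Restrict-Tenant-Access-Policy"

# Sign-in hostnames that must carry the header for TRv2 to be enforced.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Lower-case GUID: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def build_trv2_header(directory_id: str, policy_id: str) -> str:
    """Return the header value for the Directory ID and Policy ID copied from
    the 'Create Policy' step, after checking that both are GUIDs."""
    for name, value in (("directory_id", directory_id), ("policy_id", policy_id)):
        if not GUID_RE.match(value.strip().lower()):
            raise ValueError(f"{name} is not a GUID: {value!r}")
    return f"{directory_id.strip().lower()}:{policy_id.strip().lower()}"


def parse_trv2_header(value: str) -> tuple[str, str] | None:
    """Split a header value into (directory_id, policy_id); None if malformed."""
    parts = value.strip().split(":")
    if len(parts) != 2:
        return None
    directory_id, policy_id = (p.strip().lower() for p in parts)
    if not (GUID_RE.match(directory_id) and GUID_RE.match(policy_id)):
        return None
    return directory_id, policy_id


def audit_requests(requests, directory_id: str, policy_id: str) -> list[tuple[str, str]]:
    """Flag login-endpoint requests whose TRv2 header is absent, malformed, or
    points at a different tenant/policy than the one you configured.

    `requests` is an iterable of (host, headers) pairs, e.g. reconstructed from
    a proxy log. Traffic to non-login hosts is ignored here.
    """
    expected = (directory_id.lower(), policy_id.lower())
    findings: list[tuple[str, str]] = []
    for host, headers in requests:
        if host.lower() not in LOGIN_HOSTS:
            continue
        # Header names are case-insensitive; match accordingly.
        raw = next((v for k, v in headers.items() if k.lower() == TRV2_HEADER.lower()), None)
        if raw is None:
            findings.append((host, "missing header"))
        elif (parsed := parse_trv2_header(raw)) is None:
            findings.append((host, "malformed header"))
        elif parsed != expected:
            findings.append((host, "header names a different tenant or policy"))
    return findings


# Constructed stand-ins for the values shown after 'Create Policy'.
DIRECTORY_ID = "11111111-2222-3333-4444-555555555555"
POLICY_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
EXPECTED_HEADER = build_trv2_header(DIRECTORY_ID, POLICY_ID)

# Constructed captured requests: one compliant, three non-compliant, one not in scope.
SAMPLE_REQUESTS = [
    ("login.microsoftonline.com", {TRV2_HEADER: EXPECTED_HEADER}),
    ("login.microsoft.com", {}),                                             # header never injected
    ("login.windows.net", {TRV2_HEADER: "not-a-guid:either"}),               # garbage value
    ("login.microsoftonline.com", {TRV2_HEADER: f"{DIRECTORY_ID}:{DIRECTORY_ID}"}),  # wrong policy GUID
    ("outlook.office.com", {}),                                               # data plane, not audited here
]

if __name__ == "__main__":
    print("expected header:", EXPECTED_HEADER)
    for host, reason in audit_requests(SAMPLE_REQUESTS, DIRECTORY_ID, POLICY_ID):
        print(f"{host}: {reason}")
```

In practice you would feed `audit_requests` with hosts and headers pulled from your proxy's access log or from a test capture on a managed device; a "missing header" finding on a login host means the device or proxy is not injecting the policy and tenant restrictions are not being enforced for that path, which is exactly the gap the quoted documentation warns about for browsers and stacks the Windows client does not cover.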

 

Step 2: Enable tenant restrictions on Windows managed devices (preview)

The technical documentation gives the following guidance:

Tenant restrictions V2 on Windows is a partial solution that protects the authentication and data planes for some scenarios. It works on managed Windows devices and does not protect .NET stack, Chrome, or Firefox. The Windows solution provides a temporary solution until general availability of Universal tenant restrictions in Microsoft Entra Global Secure Access (preview).

-> Although the wording is hard to follow, it can be read as saying that the feature will be provided in a different way in the future. Currently, it is in the preview stage.

Download the ADMX files for the latest Windows GPO policies.

Download Administrative Templates (.admx) for Windows 11 2023 Update (23H2) from Official Microsoft Download Center

Once installed, the policy files will be saved to the following location.

Depending on the method of policy deployment in AD, copy the PolicyDefinitions folder to the appropriate location with only the necessary languages. (This part concerns AD policy deployment, so we will not cover it here.)

 

Run gpmc.msc on the Domain Controller (DC).

Create a policy in the Organizational Unit (OU) that you will use for testing. Right-click and select "Edit".

Computer Configuration > Administrative Templates > Windows Components > Tenant Restrictions

Configure the settings as shown below.

Attempt to log in with a personal account on Edge.

Verify that access is blocked as shown below.

You can also see that access is blocked when attempting to log in with another tenant account.
