**✅ Project 6 – Deploy the Global Secure Access Client**

**Scenario**
Your organization is transitioning to a Zero Trust architecture. To control user traffic at the identity layer—without relying on legacy VPN or perimeter devices—you plan to deploy the **Global Secure Access (GSA) client** to enrolled Windows devices.

This deployment enables **Entra Private Access (for internal LOB apps)** and **Entra Internet Access (for SaaS and M365 traffic)**, allowing Conditional Access policies to enforce decisions based on traffic direction, identity, and device compliance.

The GSA client is required for all downstream configurations and policy enforcement.

**Step-by-Step Action Flow (Simulated)**
**1. Go to Microsoft Intune Admin Center**
Navigate to:
Microsoft Intune → Devices → Configuration profiles

**2. Create a new profile for GSA**
Click + Create profile
Platform: Windows 10 and later
Profile type: Settings catalog
Name: Deploy GSA Client – Corp Devices
Click Next

**3. Configure GSA client installation setting**
Search catalog for: Global Secure Access
Enable:
Install the Microsoft Global Secure Access client → Enabled
Click Next → Assign the profile to the device group containing your corporate Windows endpoints
(e.g., group name: Windows – Corp Devices)

**4. Confirm installation on endpoints**
After the policy syncs, validate:
A background service gsa.exe is running
The system tray displays the GSA client icon
Client registration succeeded (visible in GSA Admin Portal → Devices)
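An endpoint-side check for step 4, added here as an example and not part of the original page or of Microsoft's GSA client. It tests the `gsa.exe` process named above plus any services matching a `*GlobalSecureAccess*` name pattern (that pattern is an assumption; confirm the real service names on a reference device), and follows the Intune detection-script contract of exit code 0 for healthy and 1 otherwise.

```powershell
# Added example: validate the GSA client on a Windows endpoint after the Intune policy syncs.
# Assumptions: process name "gsa" is taken from the page; the service name pattern
# "*GlobalSecureAccess*" is an assumption to be verified on a known-good device.
$ErrorActionPreference = 'SilentlyContinue'

function Test-GsaClientHealth {
    [CmdletBinding()]
    param(
        [string]$ProcessName    = 'gsa',                   # page: background service gsa.exe
        [string]$ServicePattern = '*GlobalSecureAccess*'   # assumption: GSA service name pattern
    )

    # Check 1: the client process is present
    $proc = Get-Process -Name $ProcessName
    $processRunning = ($null -ne $proc)

    # Check 2: at least one matching service exists and every match is Running.
    # @() around the call yields an empty array (Count 0) when nothing matches.
    $services = @(Get-Service -Name $ServicePattern)
    $servicesPresent = ($services.Count -gt 0)
    $stopped = @($services | Where-Object { $_.Status -ne 'Running' })
    $servicesRunning = $servicesPresent -and ($stopped.Count -eq 0)

    [PSCustomObject]@{
        ProcessRunning  = $processRunning
        ServicesPresent = $servicesPresent
        ServicesRunning = $servicesRunning
        ServiceDetails  = ($services | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join '; '
        Healthy         = ($processRunning -and $servicesRunning)
    }
}

$result = Test-GsaClientHealth
$result | Format-List

# Intune detection-script contract: one line on stdout plus an exit code
if ($result.Healthy) {
    Write-Output 'GSA client installed and running'
    exit 0
} else {
    Write-Output "GSA client not healthy: $($result | ConvertTo-Json -Compress)"
    exit 1
}
```

The script only covers the local process and service state; client registration is still confirmed in the GSA Admin Portal under Devices, as the step above says.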

**Terminology Clarification**
| **Term** | **Clarified Definition** |
|---|---|
| **Global Secure Access (GSA)** | Microsoft's modern traffic control plane. It routes user traffic via Microsoft's edge and enforces identity-aware policies. GSA is a container for two services: Private Access and Internet Access. |
| **GSA Client** | An endpoint agent required for routing traffic through GSA. Similar to a VPN agent, but policy-aware and linked to Entra identity and device posture. |
| **Private Access** | Secures access to internal apps (e.g., line-of-business apps hosted in corp datacenters or private cloud) without exposing them to the internet. |
| **Internet Access** | Enforces traffic control and Conditional Access for external SaaS or M365 apps. Used to prevent unmanaged devices from accessing unmanaged tenants. |
| **Forwarding Profile** | A routing rule that determines which traffic (e.g., based on FQDN (Fully Qualified Domain Name) or IP) is sent through the GSA agent. |

**⚠ Important Distinction:**
**Installing the client does nothing on its own—until a forwarding profile and access policy are configured (see Projects 7–10). This step simply lays the foundation.**

**Result**
**All assigned Windows devices now have the GSA client installed and ready to receive routing and enforcement policies from the GSA control plane. Traffic routing is not active until subsequent configurations are made.**

**Entra Control Stack Mapping**
| **Layer** | **Status** | **Explanation** |
|---|---|---|
| **Layer 1 – Authority Definition** | ✅ Touched | Requires Intune Role permissions to deploy configuration profiles |
| **Layer 2 – Scope Boundaries** | ✅ Defined | Scope is applied via device groups; different departments/regions can have different routing assignments |
| **Layer 3 – Test Identity Validation** | ✅ Confirmed | Client installation validated; user sign-in triggers registration with GSA backend |
| **Layer 4 – External Entry Controls** | ❌ Not Yet Applied | No B2B traffic or external access is controlled yet |
| **Layer 5 – Privilege Channels** | ✅ Structured | Device configuration is delivered through Intune as trusted pipeline |
| **Layer 6 – Device Trust Enforcement** | ✅ Initiated | Client lays groundwork for enforcing traffic rules based on device state |
| **Layer 7 – Continuous Verification** | ✅ Supported | Logs from GSA and Intune provide traceability, and client status can be monitored continuously |


**Observations and Follow-Up**

The GSA client enables real-time session enforcement for traffic direction.

Without proper forwarding profiles and access policies, the client has no effect.

Later projects will define traffic routing (Private vs. Internet) and policy enforcement (Conditional Access).

Device groups must be well-managed to avoid over-provisioning the GSA client to unintended devices.

Recommended: integrate with device compliance signals (via Intune or Defender) to strengthen enforcement.

**✅ Entra Control Stack: Micro-Project Series Tracker**
| **Project** | **Title** |
|---|---|
| ✅ 1 | Add a New Guest User |
| ✅ 2 | Change a Global Administrator to a Privileged Role Administrator |
| ✅ 3 | Assign User Administrator Role at AU Scope |
| ✅ 4 | Remove a Stale User Account |
| ✅ 5 | Create a Group and Assign Role |
| ✅ 6 | Deploy the Global Secure Access Client |
| 🔜 7 | Configure Entra Private Access for Internal App |
| 🔜 8 | Configure Entra Internet Access for SaaS Control |
| 🔜 9 | Secure Microsoft 365 Traffic with Internet Access |
| 🔜 10 | Enforce Conditional Access with GSA Routing |