Introduction
Microsoft Entra Private Access has just reached a major milestone in its Zero Trust strategy. While access to internal resources was previously reserved for managed devices (joined or hybrid), the new BYOD (Bring Your Own Device) functionality now opens these resources to personal devices registered in Entra ID.
Good to know
The Microsoft Entra Private Access BYOD feature is currently in public preview. Registered devices only benefit from Private Access, not Internet Access.
This evolution addresses the growing need for flexibility in modern enterprises, while maintaining a high level of security through the Zero Trust Network Access (ZTNA) architecture.
Technical requirements and necessary licenses
Existing Private Access infrastructure
Implementing BYOD requires an operational Microsoft Entra Private Access configuration. This infrastructure forms the foundation on which personal device access will rely.
Tip
If you haven't yet deployed Private Access, consult the official documentation to establish your ZTNA infrastructure before enabling BYOD support.
Required Global Secure Access Client
The Global Secure Access Client version 2.26.108 or later is required; this version adds native support for registered devices.
The client can be downloaded from the Microsoft Entra admin center:
- Navigation: Global Secure Access > Connect > Client download
- Format: MSI package for manual or automated deployment
Simplified licensing model
Good to know
No additional licenses are required for BYOD. The feature is included in your existing Microsoft Entra Private Access license.
Recommended administrative roles
To follow the principle of least privilege, assign only the role that matches the task:
- Global Secure Access Administrator: complete configuration
- Security Administrator: access policy management
- Cloud Application Administrator: management of private applications
BYOD traffic forwarding configuration
Private Access profile configuration steps
Access the administration center
Sign in to the Microsoft Entra portal (https://entra.microsoft.com) with an account that holds one of the roles listed above.
Navigate to Traffic Forwarding
Go to Global Secure Access > Connect > Traffic forwarding. This section centralizes redirection profile management.
Configure assignments
Under Private access profile, select User and group assignments. Add users or groups authorized to use their personal devices.

Warning
Ensure that only users authorized by your security policy are assigned to the BYOD profile. An overly broad assignment creates unnecessary security risk.
Deploying the client on BYOD devices
Global Secure Access Client installation
Download the client
Retrieve the GlobalSecureAccessClient.exe file from the Entra administration portal.
Run the installation
Launch the installer with administrator privileges. The installation is automated and requires no manual configuration.
```powershell
# Silent installation for mass deployment
msiexec /i "GlobalSecureAccessClient.msi" /quiet /norestart
```
Verify the installation
After installation, the client appears in the Windows system tray and is ready for first connection.

Device registration process
First connection and registration
On first launch, the Global Secure Access Client automatically initiates the device registration process.

User authentication
Enter your work credentials in the Microsoft authentication window.

Registration confirmation
When the system asks "Sign in to all apps, websites, and services on this device?", select Yes. This action registers the device as Entra registered in your tenant.

Restart and persistence
Restart the device to finalize registration. The connection will be automatically restored at startup.
Tip
Device registration creates a unique identity in Entra ID, enabling the application of conditional access policies specific to BYOD devices.
Connection status verification
Global Secure Access Client interface
The client interface displays three essential pieces of information:
| Element | Expected status | Meaning |
|---|---|---|
| Join type | Entra registered | Personal device registered |
| Private Access channel | Connected | Active secure tunnel |
| Organization | Tenant name | Tenant correctly identified |

Validation in the administration portal
To confirm registration on the server side:
```powershell
# PowerShell script to verify registration (User.Read.All is needed for Get-MgUser)
Connect-MgGraph -Scopes "Device.Read.All", "User.Read.All"
$user = Get-MgUser -UserId "user@domain.com"
# Registered devices are returned as directory objects: the device fields sit under AdditionalProperties
Get-MgUserRegisteredDevice -UserId $user.Id | Select-Object @{N='DisplayName';E={$_.AdditionalProperties.displayName}},
    @{N='DeviceId';E={$_.AdditionalProperties.deviceId}}, @{N='RegistrationDateTime';E={$_.AdditionalProperties.registrationDateTime}}
```
Useful PowerShell scripts for administration
Report of registered BYOD devices
```powershell
# Generate a report of BYOD devices
Connect-MgGraph -Scopes "Device.Read.All", "User.Read.All"

# trustType 'Workplace' corresponds to Entra registered (personal) devices
$registeredDevices = Get-MgDevice -Filter "trustType eq 'Workplace'" -All
$report = foreach ($device in $registeredDevices) {
    # Owners are returned as directory objects; the UPN sits under AdditionalProperties
    $owners = Get-MgDeviceRegisteredOwner -DeviceId $device.Id
    [PSCustomObject]@{
        DeviceName       = $device.DisplayName
        DeviceId         = $device.DeviceId
        Owner            = ($owners | ForEach-Object { $_.AdditionalProperties.userPrincipalName }) -join ';'
        RegistrationDate = $device.RegistrationDateTime
        LastActivity     = $device.ApproximateLastSignInDateTime
    }
}

$report | Export-Csv -Path "BYOD_Devices_Report.csv" -NoTypeInformation
```
Cleanup of inactive devices
```powershell
# Identify and remove BYOD devices inactive for more than 90 days
Connect-MgGraph -Scopes "Device.ReadWrite.All"
$inactiveDate = (Get-Date).AddDays(-90)
# Filter the trust type server-side and compare the last sign-in date client-side,
# so that no DateTime is interpolated into the OData filter in a locale-specific format
$staleDevices = Get-MgDevice -Filter "trustType eq 'Workplace'" -All |
    Where-Object { $_.ApproximateLastSignInDateTime -and $_.ApproximateLastSignInDateTime -lt $inactiveDate }

foreach ($device in $staleDevices) {
    Write-Host "Removing inactive device: $($device.DisplayName)"
    # Add -WhatIf to preview the deletions before running this for real
    Remove-MgDevice -DeviceId $device.Id -Confirm:$false
}
```
Security considerations and best practices
Recommended conditional access policy
Warning
Implement conditional access policies specific to BYOD devices to maintain an appropriate level of security.
Examples of recommended controls:
- Multi-factor authentication mandatory for all BYOD access
- Device compliance: updated antivirus, encryption enabled
- Geographic restrictions according to your needs
- Time-limited sessions
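As an added example (not part of the original post), here is a report-only Conditional Access policy built with the Microsoft Graph PowerShell SDK that applies the MFA and session-duration controls above only to Entra registered devices. The group id and the Private Access target application id are placeholders that you must replace with your tenant's values.

```powershell
# Added example: report-only Conditional Access policy for BYOD (Entra registered) devices.
# Placeholders: <byod-group-id> = object id of the group assigned to the Private Access profile,
#               <private-access-app-id> = id of the Private Access target resource in your tenant.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$policy = @{
    displayName = "BYOD - Private Access - MFA and 8h sign-in frequency"
    # Start in report-only mode and review the sign-in log results before enforcing
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @("<byod-group-id>") }
        applications = @{ includeApplications = @("<private-access-app-id>") }
        # Scope the policy to Entra registered devices only (trustType Workplace)
        devices      = @{
            deviceFilter = @{
                mode = "include"
                rule = 'device.trustType -eq "Workplace"'
            }
        }
    }
    # Multi-factor authentication mandatory for all BYOD access
    grantControls   = @{ operator = "AND"; builtInControls = @("mfa") }
    # Time-limited sessions: force re-authentication every 8 hours
    sessionControls = @{
        signInFrequency = @{
            value             = 8
            type              = "hours"
            frequencyInterval = "timeBased"
            isEnabled         = $true
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Switch `state` to `enabled` once the report-only results in the sign-in log show the expected users and devices being matched.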
Monitoring and audit
Enable detailed logging to track:
- Connection attempts from BYOD devices
- Access to sensitive resources
- Behavioral anomalies
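As an added example (not part of the original post), the following script reads the sign-in log through Microsoft Graph, keeps only sign-ins from Entra registered devices by matching the device id against the tenant's Workplace-joined devices, and summarises attempts, failures and countries per user so that the three items above can be reviewed. The failure and country thresholds are assumptions to tune to your environment.

```powershell
# Added example: review the last 24 hours of sign-ins from Entra registered (BYOD) devices
# via the Graph sign-in log and flag users with repeated failures or multiple countries.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Device.Read.All"

# Device ids of all Entra registered devices (trustType Workplace)
$byodDeviceIds = (Get-MgDevice -Filter "trustType eq 'Workplace'" -All).DeviceId

# Sign-ins of the last 24 hours (ISO 8601 UTC timestamp for the OData filter)
$since   = (Get-Date).AddHours(-24).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Keep only sign-ins whose device id matches a registered device
$byodSignIns = $signIns | Where-Object { $_.DeviceDetail.DeviceId -in $byodDeviceIds }

# Connection attempts per user, with a failure count (errorCode 0 = success),
# the applications reached and the countries the sign-ins came from
$summary = $byodSignIns | Group-Object UserPrincipalName | ForEach-Object {
    [PSCustomObject]@{
        User      = $_.Name
        Attempts  = $_.Count
        Failures  = @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
        Apps      = ($_.Group.AppDisplayName | Sort-Object -Unique) -join ';'
        Countries = ($_.Group | ForEach-Object { $_.Location.CountryOrRegion } | Sort-Object -Unique) -join ';'
    }
}

# Anomaly candidates (assumed thresholds): 5+ failed attempts, or sign-ins from more than one country
$summary | Where-Object { $_.Failures -ge 5 -or @($_.Countries -split ';').Count -gt 1 } |
    Format-Table -AutoSize

$summary | Export-Csv -Path "BYOD_SignIn_Summary.csv" -NoTypeInformation
```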
Glossary of technical terms
| Term | Definition |
|---|---|
| BYOD (Bring Your Own Device) | Policy enabling the use of personal devices to access company resources |
| Entra registered | Registration type for personal devices in Microsoft Entra ID |
| Zero Trust Network Access (ZTNA) | Security architecture verifying each access without implicit trust |
| Global Secure Access Client | Software agent enabling secure connection to resources via Entra |
| Private Access Profile | Configuration defining accessible resources and authorized users |
Conclusion
Microsoft Entra Private Access BYOD represents a significant advance in modern access management. By enabling secure integration of personal devices without compromising security, this solution addresses current hybrid work challenges while maintaining Zero Trust principles.
Organizations can now gradually abandon traditional VPN solutions in favor of a unified architecture, offering improved user experience and simplified management.
Useful links and resources
Official Microsoft documentation
- Microsoft Entra Private Access overview
- Global Secure Access Client deployment guide
- Conditional access policy configuration