![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 96%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGB%3C/text%3E%3C/svg%3E)
Microsoft Entra Private Access
Microsoft Entra Private Access provides secure and deep identity-aware, Zero Trust network access to all private apps and resources.
66 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello @Gerardo Barboza,
Thank you for posting your query on Microsoft Q&A.
It seems you're experiencing issues with Microsoft Entra Private Access, specifically seeing "Breakglass enabled" and "Magic IP Received" errors when using the Global Secure Access client on a Windows 11 VM.
If Break-glass mode is enabled, the client is not expected to tunnel any traffic.
Based on the screenshot you shared, I see you've enabled the Private Access profile, which should allow the client to capture traffic and send it to the Global Secure Access service. If you made this change to the Private Access profile in the portal within the last hour, I recommend waiting an hour to ensure the updated forwarding profile is received by the clients.
Have you checked if the forwarding profile registry key is correctly configured on the device?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Global Secure Access Client
Since you've already enabled the forwarding profile, it's possible that the client is having trouble connecting to the GSA backend service. I suggest you also examine the GSA client boot-trace ETL for more details.
Start the Connection Diagnostics
Click on Global Secure Access tray icon:
- Right click the tray Icon and press the Connection Diagnosis menu item.
- On the Summary tab, check when the policy was last updated and verify the policy version.
Magic IP received for FQDN
This check verifies that the client is able to acquire traffic by FQDN. As the test fails:
- Restart the client and test again.
Please follow the troubleshooting checklist to review the logs:
Global Secure Access Client Windows Troubleshooting Checklist
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Thanks,
Raja Pothuraju.