Microsoft Entra ID · Global Secure Access

Global Secure Access Administrator

Can manage Microsoft Entra Private Access and Internet Access, configure traffic policies, and manage network security features.

Scope: Full administrative control over Global Secure Access (SSE) including Private Access and Internet Access

Permissions

  • Configure Private Access apps
  • Manage Internet Access policies
  • Configure traffic forwarding
  • Manage connector groups
  • View network traffic logs
  • Configure security profiles
  • Manage compliant network policies

Common use cases

  • Zero Trust Network Access configuration
  • Private app access without VPN
  • Internet traffic security policies
  • Conditional Access integration
  • Network traffic monitoring
  • Secure access service edge (SASE) management

Best practices

  • Start with Private Access for internal apps
  • Integrate with Conditional Access policies
  • Monitor traffic logs for anomalies
  • Configure appropriate traffic profiles
  • Use compliant network checks in CA
  • Document app segment configurations

Security considerations

  • Controls network-level access to resources
  • Traffic policies affect connectivity
  • Private Access replaces VPN - critical infrastructure
  • Internet Access affects web filtering
  • Monitor for policy misconfigurations
  • This is a PRIVILEGED role due to network access control

Common questions

When should I assign the Global Secure Access Administrator role?

Assign Global Secure Access Administrator when you need to: Zero Trust Network Access configuration; Private app access without VPN; Internet traffic security policies; Conditional Access integration; and Network traffic monitoring. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Global Secure Access Administrator role do?

The Global Secure Access Administrator role grants permissions including: Configure Private Access apps; Manage Internet Access policies; Configure traffic forwarding; Manage connector groups; View network traffic logs; and Configure security profiles. See the Permissions section above for the full list.

What are the security risks of the Global Secure Access Administrator role?

Key considerations when assigning Global Secure Access Administrator: Controls network-level access to resources; Traffic policies affect connectivity; Private Access replaces VPN - critical infrastructure; and Internet Access affects web filtering. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →