Merge pull request #6406 from MicrosoftDocs/main
Merge main to live, 4 AM
v-ccolin authored Dec 24, 2024
2 parents 95e9bd6 + a3f2532 commit 51914e9
Showing 24 changed files with 348 additions and 202 deletions.
11 changes: 2 additions & 9 deletions docs/global-secure-access/concept-internet-access.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ author: kenwith
ms.author: kenwith
manager: amycolannino
ms.topic: conceptual
ms.date: 02/29/2024
ms.date: 12/23/2024
ms.service: global-secure-access
ms.subservice: entra-internet-access
ms.reviewer: frankgomulka
Expand Down Expand Up @@ -47,14 +47,7 @@ Once you link a security profile to a Conditional Access (CA) policy, if multipl
## Known limitations

- Platform assumes standard ports for HTTP/S traffic (ports 80 and 443).
- IPv6 isn't supported on this platform yet.
- UDP isn't supported on this platform yet.
- User-friendly end-user notifications are in development.
- Remote network connectivity for Internet Access is in development.
- Transport Layer Security (TLS) termination is in development.
- URL path based filtering and URL categorization for HTTP and HTTPS traffic are in development.
- Currently, an admin can create up to 100 web content filtering policies and up to 1,000 rules based on up to 8,000 total FQDNs. Admins can also create up to 256 security profiles.
[!INCLUDE [known-limitations-include](../includes/known-limitations-include.md)]

## Next steps

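Review bot: the removed bullets carry numeric limits that are specific to Internet Access (standard ports 80 and 443, up to 100 web content filtering policies, 1,000 rules, 8,000 total FQDNs, 256 security profiles); a shared include can only preserve them if it is sectioned per product, so confirm that known-limitations-include.md still states these values, otherwise the page loses facts an admin plans against. Also insert a blank line between the last `- Currently, an admin can create ...` bullet and the `[!INCLUDE ...]` line, as it was kept in how-to-compliant-network.md in this same commit; without it the include line is a lazy continuation of the list item in Markdown.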
@@ -1,9 +1,9 @@
---
title: Learn about Universal Conditional Access through Global Secure Access
title: Learn about Universal Conditional Access Through Global Secure Access
description: Learn about how Microsoft Entra Internet Access and Microsoft Entra Private Access secures access to your resources through Conditional Access.
ms.service: global-secure-access
ms.topic: conceptual
ms.date: 11/05/2024
ms.date: 12/23/2024
ms.author: kenwith
author: kenwith
manager: amycolannino
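Review bot: while the title is being retitled, the unchanged `description:` line in this hunk still has a subject-verb mismatch ("Microsoft Entra Internet Access and Microsoft Entra Private Access secures access"); the compound subject takes "secure". Suggested: `description: Learn how Microsoft Entra Internet Access and Microsoft Entra Private Access secure access to your resources through Conditional Access.`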
Expand Down Expand Up @@ -32,10 +32,7 @@ One example is if you block access to the Internet access target resource on non

### Other known limitations

- Continuous access evaluation isn't currently supported for Universal Conditional Access for Microsoft traffic.
- Applying Conditional Access policies to Private Access traffic isn't currently supported. To model this behavior, you can apply a Conditional Access policy at the application level for Quick Access and Global Secure Access apps. For more information, see [Apply Conditional Access to Private Access apps](how-to-target-resource-private-access-apps.md).
- Microsoft traffic can be accessed through remote network connectivity without the Global Secure Access Client; however the Conditional Access policy isn't enforced. In other words, Conditional Access policies for the Global Secure Access Microsoft traffic are only enforced when a user has the Global Secure Access Client.

[!INCLUDE [known-limitations-include](../includes/known-limitations-include.md)]

## Conditional Access policies

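Review bot: the removed items are specific to Universal Conditional Access rather than to the platform as a whole, in particular the Private Access workaround with its link to `how-to-target-resource-private-access-apps.md` and the statement that policies for Microsoft traffic are enforced only when the Global Secure Access client is present; confirm that known-limitations-include.md reproduces the workaround and the link, otherwise readers of this page lose the documented alternative.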
Expand Up @@ -3,7 +3,7 @@ title: Learn about Universal Continuous Evaluation (Preview)
description: Learn about Universal Continuous Evaluation concepts
ms.service: global-secure-access
ms.topic: conceptual
ms.date: 11/11/2024
ms.date: 12/23/2024
ms.author: alexpav
author: idmdev
manager: sineado
Expand All @@ -30,7 +30,7 @@ Here are some examples of how Universal CAE benefits your organization when Entr

Global Secure Access relies on Entra ID access tokens to authenticate to the service tunnels (Microsoft traffic, Internet Access, and Private Access traffic forwarding profiles). Access tokens are valid between 60 and 90 minutes. Before access token expiration, the GSA client uses the Entra ID refresh token to obtain a new access token.

As per the OAuth2 specification, access tokens are valid until expired. For example, when you disable a user account, Entra ID invalidiates refresh tokens immediately, but it takes up to 90 minutes for the GSA access tokens to expire.
As per the OAuth2 specification, access tokens are valid until expired. For example, when you disable a user account, Entra ID invalidates refresh tokens immediately, but it takes up to 90 minutes for the GSA access tokens to expire.

With Universal CAE, changes to user identity are communicated to Global Secure Access in near real time. Even though the access token is still valid, Global Secure Access sends a special claims challenge back to the end user, requiring the user to reauthenticate. If the user is unable to complete Entra ID authentication challenge, network access through GSA is blocked. Universal CAE shortens the time window between Entra ID account state change and requiring the user to reauthenticate, reducing the risk of data exfiltration by a departing employee.

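Review bot: the spelling fix ("invalidates") is correct; in the same region the unchanged context line "If the user is unable to complete Entra ID authentication challenge" is missing an article ("the Entra ID authentication challenge"), which is worth folding into this edit since the paragraph is already being touched.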
Expand Down Expand Up @@ -58,10 +58,7 @@ Entra ID Conditional Access can be used to control CAE behavior in your tenant.
## Known limitations

* Only Windows versions of Global Secure Access client, starting with version 1.8.239.0, are aware of Universal CAE. Other clients use regular access tokens.
* Entra ID issues short lived tokens for Global Secure Access. Universal CAE access token lifetime is between 60 and 90 minutes, with support for near real-time revocation.
* It takes approximately 2 to 5 minutes for the Entra ID signal to reach the Global Secure Access client and prompt the user to reauthenticate
* The user has a grace period of 2 minutes after receiving a CAE event to complete reauthentication. After 2 minutes, existing network flows through GSA are interrupted until the user successfully signs in to the GSA client.
[!INCLUDE [known-limitations-include](../includes/known-limitations-include.md)]

## Related content

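Review bot: the removed bullets state the minimum Windows client version (1.8.239.0), the 60 to 90 minute token lifetime, the 2 to 5 minute signal latency and the 2-minute reauthentication grace period; these are the numbers an admin needs to set expectations for revocation and are unlikely to survive in a generic include, so verify that known-limitations-include.md has a Universal CAE section or keep these bullets here. Also add a blank line between the last `* The user has a grace period ...` bullet and the `[!INCLUDE ...]` line so it is not parsed as a continuation of the list item.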
@@ -1,11 +1,11 @@
---
title: How to assign a remote network to a traffic forwarding profile for Global Secure Access
title: How to Assign a Remote Network to a Traffic Forwarding Profile for Global Secure Access
description: Learn how to assign a remote network to a traffic forwarding profile for Global Secure Access.
author: kenwith
ms.author: kenwith
manager: amycolannino
ms.topic: how-to
ms.date: 02/29/2024
ms.date: 12/23/2024
ms.service: global-secure-access

---
Expand All @@ -28,7 +28,7 @@ To assign a remote network to a traffic forwarding profile to, you must have:

### Known limitations

- At this time, remote networks can only be assigned to the Microsoft traffic forwarding profile.
[!INCLUDE [known-limitations-include](../includes/known-limitations-include.md)]

## Assign the Microsoft traffic profile to a remote network

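Review bot: the hunk header's context line "To assign a remote network to a traffic forwarding profile to, you must have:" has a stray trailing "to"; since the file is being edited anyway, drop it. The single removed limitation (remote networks can only be assigned to the Microsoft traffic forwarding profile) is the central constraint for this how-to, so confirm the include states it, or keep the bullet above the include.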
10 changes: 3 additions & 7 deletions docs/global-secure-access/how-to-compliant-network.md
@@ -1,9 +1,9 @@
---
title: Enable compliant network check with Conditional Access
title: Enable Compliant Network Check with Conditional Access
description: Learn how to require known compliant network locations in order to connect to your secured resources with Conditional Access.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 10/31/2024
ms.date: 12/23/2024
ms.author: kenwith
author: kenwith
manager: amycolannino
Expand Down Expand Up @@ -36,11 +36,7 @@ The compliant network is different than [IPv4, IPv6, or geographic locations](..

### Known limitations

- Compliant network check data plane enforcement (preview) with Continuous Access Evaluation is supported for SharePoint Online and Exchange Online.
- Enabling Global Secure Access Conditional Access signaling enables signaling for both authentication plane (Microsoft Entra ID) and data plane signaling (preview). It is not currently possible to enable these settings separately.
- Compliant network check is currently not supported for Private Access applications.
- After a Windows device resumes from sleep or hibernate, the Teams client may display an error banner prompting the user to sign in. This happens because the Teams client is attempting to connect to SharePoint online prior to the GSA client establishing a tunnel for the Microsoft traffic profile, which fails the Compliant Network check. Clicking the 'Sign In' button after the GSA client is reconnected will resume the user session in Teams.

[!INCLUDE [known-limitations-include](../includes/known-limitations-include.md)]

## Enable Global Secure Access signaling for Conditional Access

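Review bot: the removed Teams sleep/hibernate item is troubleshooting guidance with a user-facing workaround (select Sign In after the client reconnects), and the SharePoint Online and Exchange Online scoping of data plane enforcement is a preview-feature boundary; both are specific to compliant network check, so confirm the include covers them, or move the Teams item to a troubleshooting article rather than dropping it. The blank line kept before `[!INCLUDE ...]` here is the right pattern; the other files in this commit should match it.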
8 changes: 3 additions & 5 deletions docs/global-secure-access/how-to-configure-per-app-access.md
@@ -1,11 +1,11 @@
---
title: How to configure per-app access using Global Secure Access applications
title: How to Configure Per-app Access Using Global Secure Access Applications
description: Learn how to configure per-app access to your private, internal resources using Global Secure Access applications for Microsoft Entra Private Access.
author: kenwith
ms.author: kenwith
manager: amycolannino
ms.topic: how-to
ms.date: 11/10/2024
ms.date: 12/23/2024
ms.service: global-secure-access
ms.subservice: entra-private-access
ms.reviewer: katabish
Expand All @@ -30,9 +30,7 @@ To manage Microsoft Entra private network connector groups, which is required fo

### Known limitations

- Avoid overlapping app segments between Quick Access and Global Secure Access apps.
- Tunneling traffic to Private Access destinations by IP address is supported only for IP ranges outside of the end-user device local subnet.
- At this time, Private Access traffic can only be acquired with the Global Secure Access client. Remote networks can't be assigned to the Private access traffic forwarding profile.
[!INCLUDE [known-limitations-include](../includes/known-limitations-include.md)]

## High level steps

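Review bot: the removed warning to avoid overlapping app segments between Quick Access and Global Secure Access apps is a configuration pitfall rather than a platform limitation; if the include does not carry it, keep it in this page's prerequisites. Add a blank line before `[!INCLUDE ...]`, which currently follows the last `- ` bullet directly.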
11 changes: 3 additions & 8 deletions docs/global-secure-access/how-to-configure-quick-access.md
@@ -1,11 +1,11 @@
---
title: How to configure Quick Access for Global Secure Access
title: How to Configure Quick Access for Global Secure Access
description: Learn how to specify the internal resources to secure with Microsoft Entra Private Access using a Quick Access app.
author: kenwith
ms.author: kenwith
manager: amycolannino
ms.topic: how-to
ms.date: 09/03/2024
ms.date: 12/23/2024
ms.service: global-secure-access
ms.subservice: entra-private-access
ms.reviewer: katabish
Expand All @@ -28,13 +28,8 @@ To manage Microsoft Entra private network connector groups, which is required fo
- Microsoft Entra ID P1 or P2 licenses

### Known limitations
Avoid overlapping app segments between Quick Access and per-app access.

Tunneling traffic to Private Access destinations by IP address is supported only for IP ranges outside of the end-user device local subnet.

At this time, Private access traffic can only be acquired with the Global Secure Access client. Remote networks can't be assigned to the Private Access traffic forwarding profile.

The GSA client creates NRPT policies to route DNS queries for Private DNS suffixes through the tunnel. In some cases, the NRPT policies fail to be created. Check using Get-DNSClientNRPTPolicy. This happens because of a malformed GPO that applies NRPT settings. Use this script to identify the offending policy and delete it after moving the relevant settings to other policies. Please edit the script and modify the variables as per your environment. https://github.com/microsoft/GlobalSecureAccess/blob/main/website/content/FindDNSNRPTGPO.ps1
[!INCLUDE [known-limitations-include](../includes/known-limitations-include.md)]

## High level steps

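Review bot: the removed NRPT paragraph is a diagnostic procedure, not a limitation: it tells the admin to check with `Get-DNSClientNRPTPolicy`, explains the malformed-GPO cause and links the FindDNSNRPTGPO.ps1 script; dropping it behind a generic include silently removes the only pointer to that fix. Suggest relocating it to the client troubleshooting article (and linking it from here) instead of deleting it. Add a blank line before `[!INCLUDE ...]` as well.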
10 changes: 4 additions & 6 deletions docs/global-secure-access/how-to-create-remote-networks.md
@@ -1,11 +1,11 @@
---
title: How to create remote networks
description: Learn how to create remote networks, such as branch office locations, for Global Secure Access.
title: How to Create Remote Networks
description: Learn how to create remote networks, for remote locations such as branch offices, for Global Secure Access.
ms.author: jayrusso
author: HULKsmashGithub
manager: amycolannino
ms.topic: how-to
ms.date: 10/04/2024
ms.date: 12/23/2024
ms.service: global-secure-access
ms.reviewer: absinh

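Review bot: the new `description:` line reads awkwardly with two "for" clauses ("remote networks, for remote locations such as branch offices, for Global Secure Access"). Suggested: `description: Learn how to create remote networks for remote locations, such as branch offices, in Global Secure Access.`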
Expand Down Expand Up @@ -37,9 +37,7 @@ To configure remote networks, you must have:

### Known limitations

- The number of remote networks per tenant is limited to 10. The number of device links per remote network is limited to four.
- Microsoft traffic is accessed through remote network connectivity without the Global Secure Access client. However, the Conditional Access policy isn't enforced. In other words, Conditional Access policies for the Global Secure Access Microsoft traffic are only enforced when a user has the Global Secure Access client.
- You must use the Global Secure Access client for Microsoft Entra Private Access. Remote network connectivity only supports Microsoft Entra Internet Access.
[!INCLUDE [known-limitations-include](../includes/known-limitations-include.md)]

## High-level steps

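Review bot: the removed bullets contain the per-tenant limits (10 remote networks, four device links per remote network) and the statement that remote network connectivity supports only Microsoft Entra Internet Access, not Private Access; these are sizing and scoping facts for this how-to, so confirm known-limitations-include.md states them. Add a blank line before `[!INCLUDE ...]`, which currently follows the last bullet directly.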
16 changes: 7 additions & 9 deletions docs/global-secure-access/how-to-install-android-client.md
@@ -1,13 +1,16 @@
---
title: The Global Secure Access client for Android
description: Install the Global Secure Access Android client.
title: The Global Secure Access Client for Android
description: The Global Secure Access client secures network traffic at the end-user device. This article describes how to download and install the Android client app.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 12/16/2024
ms.date: 12/23/2024
ms.author: jayrusso
author: HULKsmashGithub
manager: amycolannino
ms.reviewer: dhruvinrshah


# Customer intent: As an administrator, I want to set up and deploy the Global Secure Access mobile client for Android devices.
---
# Global Secure Access client for Android

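Review bot: the new front matter leaves two consecutive blank lines between `ms.reviewer: dhruvinrshah` and the `# Customer intent:` comment; collapse them to one so the YAML block matches the other client articles in this commit.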
Expand All @@ -28,12 +31,7 @@ This article explains the prerequisites and how to deploy the client onto Androi

### Known limitations

- Mobile devices running *Android (Go edition)* aren't currently supported.
- Microsoft Defender for Endpoint on Android *on shared devices* isn't currently supported.
- Tunneling IPv6 traffic isn't currently supported.
- Private Domain Name System (DNS) must be disabled on the device. This setting is often found in the System > Network and Internet options.
- Running non-Microsoft endpoint protection products alongside Microsoft Defender for Endpoint might cause performance problems and unpredictable system errors.
- Global Secure Access (GSA) coexistence with Microsoft Tunnel isn't currently supported. For more information, see [Prerequisites for the Microsoft Tunnel in Intune](/mem/intune/protect/microsoft-tunnel-prerequisites).
[!INCLUDE [known-limitations-include](../includes/known-limitations-include.md)]

## Supported scenarios

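Review bot: the removed items are Android-specific and actionable (Android (Go edition) unsupported, shared devices unsupported, Private DNS must be disabled under System > Network and Internet, coexistence with Microsoft Tunnel unsupported with its link to the Intune prerequisites); the Private DNS requirement in particular is a setting the user must change for the client to work. Confirm the include has a per-platform section that keeps these, otherwise retain them here above the include, and add a blank line before `[!INCLUDE ...]`.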
8 changes: 4 additions & 4 deletions docs/global-secure-access/how-to-install-ios-client.md
@@ -1,9 +1,9 @@
---
title: The Global Secure Access client for iOS (Preview)
title: The Global Secure Access Client for iOS (Preview)
description: The Global Secure Access client secures network traffic at the end-user device. This article describes how to download and install the iOS client app.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 12/16/2024
ms.date: 12/23/2024
ms.author: jayrusso
author: HULKsmashGithub
manager: amycolannino
Expand Down Expand Up @@ -50,8 +50,8 @@ The Global Secure Access client for iOS supports installation on both modes of e
The Global Secure Access client for iOS supports the Microsoft traffic forwarding profile and the Private Access traffic forwarding profile. For more information, see [Global Secure Access traffic forwarding profiles](concept-traffic-forwarding.md).

## Known limitations
- Tunneling Quick User Datagram Protocol (UDP) Internet Connections (QUIC) traffic (except for Exchange Online) isn't supported.
- Global Secure Access (GSA) coexistence with Microsoft Tunnel isn't currently supported. For more information, see [Prerequisites for the Microsoft Tunnel in Intune](/mem/intune/protect/microsoft-tunnel-prerequisites).

[!INCLUDE [known-limitations-include](../includes/known-limitations-include.md)]

## Installation Steps
### Deploy on Device Administrator enrolled devices with Microsoft Intune
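Review bot: the removed QUIC bullet carries an iOS-specific exception (tunneling QUIC is unsupported except for Exchange Online) and the Microsoft Tunnel coexistence item links the Intune prerequisites; if the shared include states QUIC support generically, the Exchange Online exception is lost. Confirm the include covers both or keep the two bullets above the include line.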
35 changes: 4 additions & 31 deletions docs/global-secure-access/how-to-install-macos-client.md
@@ -1,9 +1,9 @@
---
title: The Global Secure Access client for macOS
title: The Global Secure Access Client for macOS
description: The Global Secure Access client secures network traffic at the end-user device. This article describes how to download and install the macOS client.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 12/16/2024
ms.date: 12/23/2024
ms.author: jayrusso
author: HULKsmashGithub
manager: amycolannino
Expand Down Expand Up @@ -219,35 +219,8 @@ The settings window contains two tabs:
:::image type="content" source="media/how-to-install-macos-client/macos-client-troubleshooting-toggles.png" alt-text="Screenshot of the macOS Settings and Troubleshooting view, with the Troubleshooting tab selected.":::

## Known limitations
Known limitations for the current version of the Global Secure Access client include:

### Secure Domain Name System (DNS)
If Secure DNS is enabled on the browser or in macOS and the DNS server supports Secure DNS, then the client doesn't tunnel traffic set to be acquired by FQDN. (Network traffic that's acquired by IP isn't affected and is tunneled according to the forwarding profile.) To mitigate the Secure DNS issue, disable Secure DNS, set a DNS server that doesn't support Secure DNS, or create rules based on IP.

### IPv6 not supported
The client tunnels only IPv4 traffic. IPv6 traffic isn't acquired by the client and therefore routed directly to the network.
To make sure that all traffic is routed to Global Secure Access, disable IPv6.

### Connection fallback
If there's a connection error to the cloud service, the client falls back to either direct Internet connection or blocking the connection, based on the ***hardening*** value of the matching rule in the forwarding profile.

### Geolocation of source IP address
For network traffic that is tunneled to the cloud service, the application server (website) detects the connection's source IP as the edge's IP address (and not as the user-device's IP address). This scenario might affect services that rely on geolocation.
> [!TIP]
> For Office 365 and Entra to detect the device's true source IP, consider enabling [Source IP restoration](how-to-source-ip-restoration.md).
### Virtualization support with UTM
- When the network is in **bridged** mode and Global Secure Access client is installed on the host machine:
- If the Global Secure Access client is installed on the virtual machine, network traffic of the virtual machine is subject to its local policy. The host machine's policy doesn't affect the forwarding profile on the virtual machine.
- If the Global Secure Access client *isn't* installed on the virtual machine, network traffic of the virtual machine is bypassed.
- The Global Secure Access client doesn't support network **shared** mode because it might block the network traffic of the virtual machine.
- If the network is in **shared** mode, you can install the Global Secure Access client on a virtual machine running macOS, as long as the client isn't also installed on the host machine.

### QUIC not supported for Internet Access
Since QUIC isn't yet supported for Internet Access, traffic to ports 80 UDP and 443 UDP can't be tunneled.
> [!TIP]
> QUIC is currently supported in Private Access and Microsoft 365 workloads.
Administrators can disable QUIC protocol on browsers, triggering clients to fall back to HTTPS over TCP, which is fully supported in Internet Access. For more information, see [QUIC not supported for Internet Access](troubleshoot-global-secure-access-client-diagnostics-health-check.md#quic-not-supported-for-internet-access).

[!INCLUDE [known-limitations-include](../includes/known-limitations-include.md)]

## Related content
- [Global Secure Access client for Microsoft Windows](how-to-install-windows-client.md)
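Review bot: this hunk removes 31 lines of macOS-specific content, not just a bullet list: the Secure DNS behaviour and its three mitigations, the connection fallback semantics tied to the forwarding profile's hardening value, the UTM bridged versus shared mode matrix, the QUIC limitation with its link to the diagnostics health-check article, and the Source IP restoration tip. A generic include cannot carry the UTM matrix or the macOS Secure DNS guidance, so confirm known-limitations-include.md has a macOS section with these subsections, or keep the platform-specific `###` subsections here and place the include beneath them.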