
Implement Intelligent Local Access for Private Access

Implementation Effort: Medium

User Impact: Medium

Overview

In a Zero Trust network model, security posture must remain consistent regardless of user location—whether remote or on-premises. Today, Entra Private Access (PA) sends all traffic, both application and authentication, over the SSE / Private Access service, regardless of the user's location. This results in network backhauling, which negatively impacts user experience by adding latency and slowing down the network significantly.

With the Intelligent Local Access (ILA) feature, this is addressed via intelligent network routing. The Global Secure Access (GSA) client uses DNS probes to determine if the client is inside the corporate network, then intelligently routes traffic—either through the cloud backend for remote users or directly to local resources when on-premises—while maintaining consistent security policies.

Key Zero Trust outcomes for Intelligent Local Access:

  • DNS-based network detection: The GSA client automatically identifies corporate network presence through DNS probes
  • Conditional bypass for on-premises access: Private Access applications can bypass cloud routing when users are on the corporate network
  • Consistent security posture: Identity and context-based policies apply regardless of the traffic routing path
  • Reduced latency and improved user experience: Eliminates network hairpinning and backhauling for on-premises users
  • Per-application control: Granularly define which Private Access apps should use ILA and which should always route through the cloud

Implementation steps:

  • Configure Private networks in Global Secure Access with DNS servers for network detection
  • Define FQDN probes with resolved IP addresses (IP address, IP range CIDR, or IP range) to identify the corporate network
  • Select target resources (Quick Access or PA enterprise apps) that should use local bypass when on the corporate network
  • Verify the ILA flow using the Advanced Diagnostics client (confirm Connection Status shows "Bypassed" and Action shows "Local")
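
The probe definitions from the steps above can be modelled offline to sanity-check them before rollout: each probe FQDN is compared against its expected IP address, CIDR, or IP range. This is an added example, not Microsoft's code or the GSA client's actual algorithm; the hostnames, addresses, function names, and the rule that every probe must match are assumptions.

```python
import ipaddress

# Constructed sample data: probe FQDN -> expected resolution, in the three
# forms the probe definition accepts (IP address, CIDR, IP range).
PROBES = {
    "dc01.corp.example": "10.10.1.4",
    "probe.corp.example": "10.10.0.0/16",
    "files.corp.example": "10.20.0.10-10.20.0.50",
}
# Constructed answers as seen on-premises and from a remote network.
ON_PREM = {"dc01.corp.example": ["10.10.1.4"],
           "probe.corp.example": ["10.10.200.7"],
           "files.corp.example": ["10.20.0.33"]}
REMOTE = {"dc01.corp.example": [],                 # NXDOMAIN / no answer
          "probe.corp.example": ["203.0.113.9"],   # public answer
          "files.corp.example": ["10.20.0.51"]}    # one past the range end


def parse_expected(spec):
    """Return inclusive (low, high) bounds for an IP, a CIDR or 'start-end'."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {spec}")
        return lo, hi
    # A bare address parses as /32 (or /128); strict=True rejects a CIDR
    # with host bits set, which is usually a typo in the probe definition.
    net = ipaddress.ip_network(spec, strict=True)
    return net[0], net[-1]


def probe_matches(answers, spec):
    """True if any resolved address falls inside the expected set."""
    lo, hi = parse_expected(spec)
    ips = [ipaddress.ip_address(a) for a in answers]
    return any(ip.version == lo.version and lo <= ip <= hi for ip in ips)


def on_corporate_network(probes, resolved):
    """Assumed rule: every probe must match; no probes means not detected."""
    return bool(probes) and all(
        probe_matches(resolved.get(fqdn, []), spec)
        for fqdn, spec in probes.items())


if __name__ == "__main__":
    print("on-prem:", on_corporate_network(PROBES, ON_PREM))
    print("remote: ", on_corporate_network(PROBES, REMOTE))
```

To check a real definition, replace the constructed answers with what the probe FQDNs resolve to against the DNS servers configured for the private network, once from inside and once from outside the corporate network.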
