![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 25%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENB%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra Internet Access
Securing internet traffic from devices with identity-aware web filtering and threat protection
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPC%3C/text%3E%3C/svg%3E)
Hi @Neil Beytagh,
Thank you for posting your query on Microsoft Q&A.
As per our understanding, your users are experiencing conditional access policy failures in Microsoft Entra due to private IPv6 addresses being reported during sign-ins while using Global Secure Access (GSA) and the Entra Internet profile. Your intent was to enforce access based on geographic location, but the sign-in process is instead seeing private IPv6 addresses, which have no public geolocation data, causing location-based Conditional Access (CAP) to block these sessions. Despite attempts to prefer or disable IPv6 and some workarounds, the problem persists.
- Global Secure Access tunnels traffic through virtual network interfaces, often assigning a private (non-routable) IPv6 address on the client.
- Microsoft Entra Conditional Access location-based policies require a public IP address to identify location; private IPs (including those starting with fe80::/64) cannot be mapped to a location and thus fail the policy.
- Disabling IPv6 at the network adapter may not affect the GSA virtual adapter, so the problem persists after endpoint-level changes.
Please follow the steps below to solve the issue:
- Define your GSA Egress IP Ranges as Named Locations:
- In the Entra admin center, go to Identity > Conditional Access > Named locations.
- Click New location and enter the public IP address ranges (IPv4/IPv6) your GSA service uses to egress to the internet. Mark these as "trusted location". You may need to coordinate with your network or security team to confirm these addresses.
- Update your Conditional Access Policy:
- Go to your location-based policy and, under Locations, include your new GSA egress “named location” entries in the Allow list or exclude them from the conditional check to permit sign-ins from these ranges.
- Check IPv6 Settings on GSA Adapter:
- Disabling IPv6 on the primary network adapter may not affect the GSA virtual interface. For advanced cases, use PowerShell to list and adjust the adapter bindings specifically for the GSA network adapter.
- DNS Settings:
- DNS over HTTPS support is limited in Global Secure Access. If you suspect name resolution or traffic routing issues, disable secure DNS in your endpoints’ browser and device settings, per your organization’s policy.
- Require Device Compliance Only
- As a secure workaround, enforce access using a device compliance policy in Conditional Access, rather than using location. This ensures only managed, compliant devices can access resources, even if their IP address is private/unmappable by location.
- In the Entra admin center, go to Identity > Conditional Access > Named locations.
Please refer to: https://v4.hkg1.meaqua.org/en-us/entra/global-secure-access/resource-faq
https://v4.hkg1.meaqua.org/en-us/entra/global-secure-access/how-to-compliant-network
https://v4.hkg1.meaqua.org/en-us/entra/identity/conditional-access/policy-block-by-location
https://v4.hkg1.meaqua.org/en-us/entra/identity/conditional-access/concept-assignment-network
Please "Accept as Answer" if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.