Overview
SCU Cost Estimate: This agent typically consumes 0.3 – 1.2 SCUs per analysis run, depending on the number of connectors, network access policies, and traffic logs analyzed. Larger environments with extensive connector groups or long lookback periods may consume more SCUs.
Introduction
The GSA Reporting & Assignment Agent provides security teams with actionable visibility into their Entra Private Access (Global Secure Access) environment. It generates tabular, governance-focused reports on connector groups, IP ranges, user-to-target assignments, and access patterns. Beyond static reporting, the agent evaluates connector health, discovers stale resources, analyzes traffic trends, and produces intelligent suggestions for improving application and resource assignments.
The agent is purpose-built to simplify operational oversight by automatically analyzing connector status, network usage, and user access relationships across your environment.
What It Does
The agent orchestrates a full reporting workflow for Entra Private Access, including:
Aggregates connector group status, redundancy, and last-activity context
Provides IP range and network port coverage insights
Maps users, policies, and destinations to reveal user-to-target assignments
Looks up applications based on IP range or port filters
Analyzes connections, success vs failure ratios, and trend deltas
Surfaces stale IP ranges and unused assignments
Interprets expected destination requirements (ports, protocols, anomalies)
Generates intelligent assignment suggestions when filtering by UserID, IPRange, or Port
Supports natural-language guidance through UserPrompt to customize the investigation
Use Cases
1. Connector Group Visibility
Understand connector group status, redundancy levels, traffic recency, and potential degradation using agent-derived health scoring.
2. IP Range & Port Coverage Analysis
Evaluate which ports and IP ranges are actually used, where failures occur, and which segments may be stale.
3. User-to-Target Assignment Mapping
Identify which policies, applications, or destinations a user can reach, along with success ratios and last-activity timestamps.
4. Application Discovery by IP or Port
Input an IP range or port to discover matching applications and verify whether associated resources are properly assigned.
5. Intelligent Assignment Suggestions
Receive recommendations for which assignments or applications a user or segment likely requires, based on observed logs and policy data.
6. Natural-Language Guided Analysis
Provide a question using UserPrompt (e.g., “Which applications exist and which destinations are used?”) and the agent tailors the investigation accordingly.
Why GSA Reporting & Assignment Agent?
Challenges It Solves
Lack of unified visibility across connector groups, IP ranges, and access policies
Difficulty determining how users map to destinations and why access fails
Uncertainty around which ports and IP ranges are active, stale, or unused
Time-consuming manual reviews of Entra traffic logs
No built-in ability to cross-correlate user access, IP ranges, traffic patterns, and configuration expectations
Limited guidance on improving assignments based on real traffic and historical behavior
Benefits You Get
Tabular connector group reporting with redundancy, status, and activity details
IP range and port coverage reporting with volume, failure ratio, and stale detection
User and assignment insights showing where access is used, unused, or misaligned
Automated lookup of applications by IP or port
Intelligent suggestions for user or policy assignment improvements
Natural-language driven analytical extensions
Fully correlated outputs across connectors, traffic logs, user directory data, and destination metadata
How It Works
What Goes In
Connector group and policy mappings from Entra Private Access
Traffic logs including failures, successes, latency, and protocol metadata
IP ranges and ports used within the environment
User details such as department, role, and licensing
Analyzer insights about destination requirements
Microsoft Graph Network Access connection logs (24h, 7d, and baseline lookback)
What It Does
Retrieves connector groups, destinations, and policy mappings
Collects traffic logs over a minimum 30-day baseline and short-term windows
Enriches user data to support least-privilege and assignment insights
Identifies stale ranges, orphaned assignments, and unused segments
Analyzes destination requirements to detect port or configuration mismatches
Executes NL2API queries against Network Access Graph endpoints
Applies UserID, IPRange, and Port filters when provided
Produces health scores, success ratios, and IP/port coverage metrics
Generates prioritized assignment suggestions based on observed behavior
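The stale-range and success-ratio steps above, sketched as an added example (not the agent's own code): it matches connection records to configured IP range and port segments, then reports volume, failure ratio, last activity, and a stale flag per segment. The segment names, record fields, sample data, and the way the 30-day baseline is applied are assumptions made for illustration.

```python
# Added illustration: segment names, record fields and the 30-day threshold
# applied here are assumptions, not the agent's schema or scoring logic.
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)   # fixed "now" for repeatable output
BASELINE = timedelta(days=30)

# Constructed application segments: (name, CIDR, port)
SEGMENTS = [
    ("hr-app", "10.1.0.0/24", 443),
    ("legacy-sql", "10.2.0.0/24", 1433),
    ("file-share", "10.3.0.0/24", 445),
]

# Constructed connection records: (days_ago, user, dest_ip, dest_port, succeeded)
LOGS = [
    (1, "alice", "10.1.0.10", 443, True),
    (2, "bob", "10.1.0.10", 443, False),
    (3, "alice", "10.1.0.11", 443, True),
    (45, "carol", "10.2.0.5", 1433, True),   # older than the baseline
    (5, "bob", "10.9.0.7", 22, False),       # matches no segment
]

def coverage_report(segments, logs, now=NOW, baseline=BASELINE):
    """Per-segment volume, failure ratio, last activity and stale flag."""
    report = {}
    for name, cidr, port in segments:
        net = ip_network(cidr)
        hits = [(now - timedelta(days=d), ok) for d, _u, ip, p, ok in logs
                if p == port and ip_address(ip) in net]
        recent = [(ts, ok) for ts, ok in hits if now - ts <= baseline]
        failures = sum(1 for _ts, ok in recent if not ok)
        report[name] = {
            "connections": len(recent),
            "failure_ratio": round(failures / len(recent), 2) if recent else None,
            "last_activity": max((ts for ts, _ in hits), default=None),
            "stale": not recent,   # no traffic inside the baseline window
        }
    return report

def unmatched(segments, logs):
    """Connections that hit no configured segment (candidate gaps)."""
    return [(u, ip, p) for _d, u, ip, p, _ok in logs
            if not any(p == port and ip_address(ip) in ip_network(cidr)
                       for _n, cidr, port in segments)]

if __name__ == "__main__":
    for seg, row in coverage_report(SEGMENTS, LOGS).items():
        print(seg, row)
    print("unmatched:", unmatched(SEGMENTS, LOGS))
```

A segment with a last_activity value but stale set to True saw traffic only before the baseline window; one with neither has no observed use at all and is the stronger candidate for review.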
What You Get
Connector Health Table: Status, redundancy, last activity, and computed health score
IP Range & Port Coverage Report: Traffic volume, port observations, stale detection, and error rates
User & Assignment Insights: User-to-target mapping, success ratios, last activity timestamps, and hygiene findings
Intelligent Assignment Suggestions: Guidance for missing or unused assignments derived from traffic and policy data
Executive Summary: KPIs, risk highlights, coverage metrics, and overall posture insights
Appendix: Filters, raw counts, time windows, and sourcing caveats