Merge pull request #11787 from HULKsmashGithub/stale-article-refresh-march-2026

Refresh stale Global Secure Access articles (March 2026)

Author: v-dirichards

docs/global-secure-access/concept-transport-layer-security.md

@@ -4,7 +4,8 @@ description: "This article provides an overview of the Transport Layer Security
 author: HULKsmashGithub
 ms.author: jayrusso
 ms.topic: concept-article
-ms.date: 05/28/2025
+ms.date: 03/23/2026
+ms.reviewer: teresayao
 
 #customer intent: As a Global Secure Access administrator, I want to learn about the Transport Layer Security (TLS) protocol to support the creation of TLS inspection policies.   
 
@@ -37,7 +38,7 @@ Traffic logs include four TLS-related metadata fields that help you understand h
 To get started with TLS inspection, see [Configure Transport Layer Security Policies](how-to-transport-layer-security.md).
 
 ## Supported ciphers
-| List of supported ciphers |
+|List of supported ciphers  |
 |-------------------|
 |ECDHE-ECDSA-AES128-GCM-SHA256|
 |ECDHE-ECDSA-CHACHA20-POLY1305| 

docs/global-secure-access/how-to-ai-prompt-injection-protection.md

@@ -2,7 +2,7 @@
 title: Protect enterprise generative AI apps with prompt injection protection (preview)
 description: "Protect your enterprise generative AI apps from prompt injection attacks with Microsoft's AI Gateway prompt injection protection."
 ms.topic: how-to
-ms.date: 03/18/2026
+ms.date: 03/24/2026
 ms.author: jayrusso
 author: HULKsmashGithub
 ms.reviewer: KaTabish
@@ -113,7 +113,7 @@ You can protect any custom JSON-based LLM or GenAI app by configuring a custom t
 ## Known limitations
 
 - Prompt Injection Protection currently supports only text prompts. It doesn't support files.
-- Prompt Injection Protection supports only JSON-based generative AI apps. It doesn't support apps that use URL-based encoding, like Gemini.
+- Prompt Injection Protection supports only JSON-based generative AI apps.
 - Prompt Injection Protection supports prompts up to 10,000 characters. Anything longer is truncated.
 
 ## Related content

docs/global-secure-access/how-to-create-remote-network-custom-ike-policy.md

@@ -4,7 +4,7 @@ description: Learn how to set up the bidirectional communication tunnel between
 ms.author: jayrusso
 author: HULKsmashGithub
 ms.topic: how-to
-ms.date: 02/25/2025
+ms.date: 03/23/2026
 ms.reviewer: absinh
 ms.custom: sfi-image-nochange
 # Customer intent: As an IT admin, I need to be able to create a custom Internet Key Exchange (IKE) policy to set up the communication tunnel with Global Secure Access.
@@ -29,7 +29,7 @@ If you prefer to add custom IKE policy details to your remote network, you can d
 
 To create a remote network with a custom IKE policy in the Microsoft Entra admin center:
 
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/entra/identity/role-based-access-control/permissions-reference#global-secure-access-administrator).
 
 1. Browse to **Global Secure Access** > **Connect** > **Remote networks**.
 
@@ -63,7 +63,7 @@ There are several details to enter on the General tab. Pay close attention to th
         - This address is entered as the *peer* BGP​​ IP address on your CPE.
         - Refer to the [valid BGP addresses](reference-remote-network-configurations.md#valid-bgp-addresses) list for reserved values that can't be used.
 
-1. Select the **Next**.
+1. Select **Next**.
 
 ### Add a link - Details tab
 
@@ -97,13 +97,16 @@ There are several details to enter on the General tab. Pay close attention to th
 
 Remote networks with a custom IKE policy can be created using Microsoft Graph on the `/beta` endpoint.
 
+> [!IMPORTANT]
+> APIs under the `/beta` version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. For details, see [Microsoft Graph versioning and support](/graph/versioning-and-support).
+
 1. Sign in to [Graph Explorer](https://aka.ms/ge).
 1. Select **POST** as the HTTP method from the dropdown.
 1. Set the API version to **beta**.
 1. Add the following query, then select **Run query**.
 
 ```http
-    POST https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks/dc6a7efd-6b2b-4c6a-84e7-5dcf97e62e04/deviceLinks
+    POST https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks/{remoteNetworkId}/deviceLinks
 Content-Type: application/json
 
 {

docs/global-secure-access/how-to-create-remote-network-vwan.md

@@ -2,7 +2,7 @@
 title: Simulate remote network connectivity using Azure vWAN
 description: Use Global Secure Access to configure Azure and Microsoft Entra resources to create a virtual wide area network to connect to your resources in Azure.
 ms.topic: how-to
-ms.date: 02/25/2025
+ms.date: 03/23/2026
 ms.author: jayrusso
 author: HULKsmashGithub
 ms.reviewer: absinh
@@ -19,7 +19,7 @@ To complete the steps in this process, you must have the following prerequisites
 - An Azure subscription and permission to create resources in the [Azure portal](https://portal.azure.com).
 - A basic understanding of virtual wide area networks (vWAN).
 - A basic understanding of [site-to-site VPN connections](/azure/vpn-gateway/tutorial-site-to-site-portal).
-- A Microsoft Entra tenant with the [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator) role assigned.
+- A Microsoft Entra tenant with the [Global Secure Access Administrator](/entra/identity/role-based-access-control/permissions-reference#global-secure-access-administrator) role assigned.
 - A basic understanding of Azure virtual desktops or Azure virtual machines.
 
 This document uses the following example values, along with the values in the images and steps. Feel free to configure these settings according to your own requirements.

docs/global-secure-access/how-to-manage-remote-network-device-links.md

@@ -4,7 +4,7 @@ description: Learn how to add and delete customer premises equipment device link
 ms.author: jayrusso
 author: HULKsmashGithub
 ms.topic: how-to
-ms.date: 02/25/2025
+ms.date: 03/23/2026
 ms.reviewer: absinh
 ms.custom: sfi-image-nochange
 # Customer intent: As an IT admin, I need to manage the router devices that connect to the Global Secure Access service so my customers can connect to the service.
@@ -83,6 +83,9 @@ The **Details** tab is where you establish the bidirectional communication chann
 
 Remote networks with a custom IKE policy can be created using Microsoft Graph on the `/beta` endpoint.
 
+> [!IMPORTANT]
+> APIs under the `/beta` version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. For details, see [Microsoft Graph versioning and support](/graph/versioning-and-support).
+
 1. Sign in to [Graph Explorer](https://aka.ms/ge).
 1. Select `POST` as the HTTP method from the dropdown.
 1. Set the API version to beta.
@@ -117,7 +120,7 @@ Sample response:
     },
     "tunnelConfiguration": {
         "@odata.type": "#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default",
-        "preSharedKey": "test123"
+        "preSharedKey": "<your-preshared-key>"
     }
 }
 ```
@@ -130,7 +133,7 @@ You can delete device links through the Microsoft Entra admin center and using t
 
 ### [Microsoft Entra admin center](#tab/microsoft-entra-admin-center)
 
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/entra/identity/role-based-access-control/permissions-reference#global-secure-access-administrator).
 
 1. Browse to **Global Secure Access** > **Connect** > **Remote networks**. Device links appear in the **Links** column on the list of remote networks.
 

docs/global-secure-access/reference-china-user-support.md

@@ -1,10 +1,11 @@
 ---
-title: Global Secure Access Support in China (Preview)
+title: Global Secure Access support in China
 description: Learn about how Microsoft is dedicated to supporting Global Secure Access capabilities in China.
 ms.author: jayrusso
 author: HULKsmashGithub
 ms.topic: reference
-ms.date: 05/20/2025
+ms.service: global-secure-access
+ms.date: 03/09/2026
 ms.reviewer: sumeetmittal
 
 # Customer intent: As an IT admin, I want to evaluate the regulatory constraints of using Global Secure Access in China so that I can ensure compliance and plan connectivity strategies effectively.   

docs/global-secure-access/reference-ciphers.md

@@ -4,7 +4,8 @@ description: Learn about the supported cryptographic algorithms, or ciphers, use
 ms.author: jayrusso
 author: HULKsmashGithub
 ms.topic: reference
-ms.date: 02/18/2025
+ms.service: global-secure-access
+ms.date: 03/09/2026
 ms.reviewer: sumeetmittal
 
 

docs/global-secure-access/reference-global-secure-access-certifications.md

@@ -4,7 +4,8 @@ description: Global Secure Access maintains a compliance portfolio. This article
 ms.author: jayrusso
 author: HULKsmashGithub
 ms.topic: reference
-ms.date: 05/29/2025
+ms.service: global-secure-access
+ms.date: 03/24/2026
 ms.reviewer: abhijeetsinha
 
 #customer intent: As an IT admin, I want to know which certifications Global Secure Access supports so that I can ensure compliance with industry standards.
@@ -28,8 +29,8 @@ Global Secure Access is included in several Azure compliance audits. The support
 | GxP (FDA 21 CFR Part 11) | Azure can help customers meet their requirements under Good Clinical, Laboratory, and Manufacturing Practices (GxP), as well as regulations enforced by the US Food and Drug Administration (FDA) under 21 CFR Part 11. For more information, see [GxP (FDA 21 CFR Part 11)](/azure/compliance/offerings/offering-gxp). | ISO 27001:2013 |
 | HDS (France) | Microsoft Azure has the Health Data Hosting (Hébergeurs de Données de Santé, HDS) certification, which is required for all entities that host personal health data governed by French law. Microsoft is the first major cloud service provider to meet the strict French standards for storing and processing health data. For more information, see [Health Data Hosting (HDS) France](/compliance/regulatory/offering-hds-france). | ISO 27001:2013 |
 | HIPAA BAA (US) | The Health Insurance Portability and Accountability Act (HIPAA) is a US law that establishes requirements for the use, disclosure, and safeguarding of protected health information (PHI). It applies to covered entities—doctors' offices, hospitals, health insurers, and other healthcare companies—with access to PHI, and to business associates, such as cloud service providers, that process PHI on their behalf. For more information, see [HIPAA (US)](/azure/compliance/offerings/offering-hipaa-us). | NA |
-| ISO 20000-1:2011 | ISO 20000-1:2011 is an international standard for IT service management that defines requirements for the development, implementation, monitoring, maintenance, and improvement of an IT service management system. For more information, see [ISO/IEC 20000-1:2018](/azure/compliance/offerings/offering-iso-20000-1). | ISO 27001:2013 |
-| ISO 22301:2012 | ISO 22301:2012 is the premium international standard for business continuity management that provides for a formal certification. For more information, see [ISO 22301:2019](/azure/compliance/offerings/offering-iso-22301). | ISO 27001:2013 |
+| ISO 20000-1:2018 | ISO 20000-1:2018 is an international standard for IT service management that defines requirements for the development, implementation, monitoring, maintenance, and improvement of an IT service management system. For more information, see [ISO/IEC 20000-1:2018](/azure/compliance/offerings/offering-iso-20000-1). | ISO 27001:2013 |
+| ISO 22301:2019 | ISO 22301:2019 is the premium international standard for business continuity management that provides for a formal certification. For more information, see [ISO 22301:2019](/azure/compliance/offerings/offering-iso-22301). | ISO 27001:2013 |
 | ISO 27001:2013 | The ISO 27000 family of standards gives a framework for policies and procedures that include all legal, physical, and technical controls in Microsoft Azure Compliance Offerings for an organization's information risk management. ISO 27001 lists the requirements for implementing, maintaining, monitoring, and improving an information security management system (ISMS). For more information, see [ISO 27001:2013](/azure/compliance/offerings/offering-iso-27001). | NA |
 | ISO 27017:2015 | The ISO 27017 code of practice is designed for organizations to use as a reference for selecting cloud services information security controls when implementing a cloud computing information security management system based on ISO 27002. Cloud service providers can also use ISO 27017 as a guidance document for implementing commonly accepted protection controls. For more information, see [ISO/IEC 27017:2015](/azure/compliance/offerings/offering-iso-27017). | ISO 27001:2013 |
 | ISO 27018:2019 | ISO 27018 is the first international code of practice for cloud privacy that provides guidelines based on ISO 27002 guidelines and best practices for information security management. Based on EU data-protection laws, it gives specific guidance to cloud service providers acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII. ISO 27018 establishes cloud-specific control objectives and guidelines for PII in accordance with the privacy principles in ISO 29100. For more information, see [ISO/IEC 27018:2019](/azure/compliance/offerings/offering-iso-27018). | ISO 27001:2013 |
@@ -45,7 +46,7 @@ Global Secure Access is included in several Azure compliance audits. The support
 | SOC 3 | A SOC 3 report is a short, public version of the SOC 2 Type 2 attestation report. The SOC 3 report is for users who want assurance about the cloud service provider's controls but don't need a full SOC 2 report. For more information, see [System and Organization Controls (SOC) 3](/azure/compliance/offerings/offering-soc-3). | NA |
 | UK Cyber Essentials Plus | Cyber Essentials is a UK government-backed scheme that helps organizations check and reduce risks from common cybersecurity threats to their IT systems. Cyber Essentials is required for all UK government suppliers that handle personal data. For more information, see [UK Cyber Essentials Plus](/azure/compliance/offerings/offering-uk-cyber-essentials-plus). | ISO 27001:2013 |
 | UK G-Cloud | Government Cloud (G-Cloud) is a UK government initiative to ease procurement of cloud services by government departments and promote government-wide adoption of cloud computing. G-Cloud comprises a series of framework agreements with cloud services suppliers (such as Microsoft), and a listing of their services in an online store—the Digital Marketplace. This approach enables public-sector organizations to compare and procure cloud services without having to do their own full review process. For more information, see [UK G-Cloud](/azure/compliance/offerings/offering-uk-g-cloud). | ISO 27001:2013 |
-| WCAG 2.0 | The Web Content Accessibility Guidelines 2.0 (WCAG 2.0) provide a framework for developing web content that improves accessibility for people with disabilities, and users of devices with limited graphical abilities. For more information, see [Web Content Accessibility Guidelines](/compliance/regulatory/offering-wcag-2-1). | ISO 27001:2013 |
+| WCAG | The Web Content Accessibility Guidelines (WCAG) provide a framework for developing web content that improves accessibility for people with disabilities, and users of devices with limited graphical abilities. For more information, see [Web Content Accessibility Guidelines](/compliance/regulatory/offering-wcag-2-1). | ISO 27001:2013 |
 
 ## Related content
 [Service Trust Portal](https://servicetrust.microsoft.com/)

docs/global-secure-access/troubleshoot-global-secure-access-client-disabled.md

@@ -2,7 +2,7 @@
 title: "Troubleshoot the Global Secure Access Client: Disabled by Your Organization"
 description: This document provides troubleshooting guidance for the Global Secure Access client when it shows the "disabled by your organization" error message.
 ms.topic: troubleshooting
-ms.date: 03/10/2025
+ms.date: 03/23/2026
 ms.author: jayrusso
 author: HULKsmashGithub
 ms.reviewer: lirazbarak
@@ -22,15 +22,15 @@ The **Global Secure Access client - disabled by your organization** error messag
 
 The warning message also appears when the client receives an empty policy (that is, no traffic forwarding profiles from Microsoft, Private Access, or Internet Access).
 The empty policy happens in the following cases:     
-- All traffic forwarding profiles are disabled in the portal. 
-- Some traffic forwarding profiles are enabled, but the user isn't assigned to any of them (in the **User and group assignments** section of each profile). 
-- The user didn't sign in to Windows with a Microsoft Entra user. 
-- Authentication to get the policy requires user interaction (such as if multifactor authentication (MFA) or terms of use (ToU) are enabled).    
+1. All traffic forwarding profiles are disabled in the portal. 
+1. Some traffic forwarding profiles are enabled, but the user isn't assigned to any of them (in the **User and group assignments** section of each profile). 
+1. The user didn't sign in to Windows with a Microsoft Entra user. 
+1. Authentication to get the policy requires user interaction (such as if multifactor authentication (MFA) or terms of use (ToU) are enabled).    
 
 In cases **3** and **4**, only traffic profiles that are assigned to the entire tenant (**Assign to all users** in the user and group assignment section is set to **Yes**) take effect. Traffic profiles assigned to specific users and groups aren't applied since the user identity isn't used to get the policy. In these cases, only the device identity is available to the policy service.   
 
 To view the Global Secure Access traffic profile configuration:
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/entra/identity/role-based-access-control/permissions-reference#global-secure-access-administrator).
 1. Navigate to **Global Secure Access** > **Connect** > **Traffic forwarding**.   
 :::image type="content" source="media/troubleshoot-global-secure-access-client-disabled/traffic-forwarding.png" alt-text="Screenshot of the Traffic forwarding profiles screen." lightbox="media/troubleshoot-global-secure-access-client-disabled/traffic-forwarding-expanded.png":::
 

docs/global-secure-access/troubleshoot-global-secure-access-mobile-client-advanced-diagnostics.md

@@ -2,7 +2,8 @@
 title: "Troubleshoot the Global Secure Access Mobile Client: Advanced Diagnostics"
 description: Discover how to use advanced diagnostics to resolve issues with the Global Secure Access mobile client for Android and iOS.
 ms.topic: troubleshooting
-ms.date: 04/29/2025
+ms.service: global-secure-access
+ms.date: 03/09/2026
 ms.author: jayrusso
 author: HULKsmashGithub
 ms.reviewer: cagautham