Can't add new "application segment" to Global Secure Access Enterprise Application

Question

Can't add new "application segment" to Global Secure Access Enterprise Application

Trey Contello 20

I recently created a new Enterprise Application for an internal website. Normal process, done it lots of times before. However, the new enterprise application never showed up under Global Secure Access \ Applications \ Enterprise Applications. However, the private access rule did show up on clients.

I found the app located in Entra (Identity) under "Enterprise Apps". However, when I click on this Enterprise App, there was no "Network access properties" link for me to edit/make changes like I would normally see.

I decided to clean it up and deleted the Enterprise App. It deleted. I purged it under "App Registrations", "Deleted applications". Assumed it was gone along with the private access rules.

However, that is not the case. I can no longer find it anywhere, but the Private Access rule is still deploying to clients. When I try to create a new application segment, it errors with "Application segment host and port already exists on application." Then it lists the conflicting application ID. This application ID DOES NOT EXIST.

I'm at a loss as to how to proceed. There should be no conflict, but somehow some remnant of the deleted enterprise app is hanging around somewhere and needs to be removed.

Trey Contello 20 Reputation points

2026-04-01T13:40:01.7933333+00:00

Hi Shubham, thank you for the comprehensive answer. The garbage-collection process must have run, because the issue is resolved this morning. Reviewing your comments, it seems that the situation I found myself in was caused by the GSA backend failing mid-provisioning while I was creating the new application.

That caused the enterprise application to appear in Entra but not in Global Secure Access.

Once in that situation, what is the correct procedure to rectify the situation? You referenced the beta powershell module. Is there a specific command that I could use to delete the mis-provisioned application properly?

In the future, I would like to be able to deal with this kind of issue more quickly. In this case, it took several days, and we were helpless while waiting for the garbage-collection process to resolve the issue.
Shubham Sharma 12,525 Reputation points Microsoft External Staff Moderator

2026-04-03T13:00:38.3533333+00:00
Trey Contello

Thank you for your response.

I am glad that the issue has been resolved now.

Correct remediation when GSA provisioning fails mid‑creation

Key principle

Global Secure Access application segments must be deleted from the GSA backend, not from Entra Enterprise Applications or App Registrations.

Microsoft explicitly exposes this through the Entra PowerShell (Beta) module for Private Access management.

https://microsoft.github.io/GlobalSecureAccess/Entra%20Private%20Access/powershell/

Below are the Prerequisites

1. Install the Entra PowerShell (Beta) module

Install-Module Microsoft.Graph.Entra -Repository PSGallery `

-Scope CurrentUser -AllowPrerelease -Force

2. Connect with the required scopes

These scopes are mandatory for GSA + Private Access cleanup.

Connect-Entra -Scopes `

"NetworkAccessPolicy.ReadWrite.All",

"NetworkAccess.ReadWrite.All",

"Application.ReadWrite.All"

Step‑by‑step cleanup procedure

Step 1: Identify the orphaned application in Entra

If you still know the ApplicationId from the error message:

$application = Get-EntraBetaApplication -ObjectId "<ApplicationId>"

If you don’t know the ID, but know the display name:

$application = Get-EntraBetaApplication `

-Filter "displayName eq 'Your GSA App Name'"

Even if the app does not appear in the GSA portal, it can still exist in the GSA backend and will be discoverable via PowerShell.

Step 2: Enumerate all Private Access application segments

Get-EntraBetaPrivateAccessApplicationSegment `

-ApplicationId $application.Id

This command queries the GSA service plane, not Entra UI. This is how you find hidden / orphaned segments

For your reference : Get-EntraBetaPrivateAccessApplicationSegment (Microsoft.Entra.Beta.NetworkAccess) | Microsoft Lea

Step 3: Delete the orphaned segment

Once you identify the segment that matches the conflicting FQDN/IP + port:

Remove-EntraBetaPrivateAccessApplicationSegment `

-ApplicationId $application.Id `

-ApplicationSegmentId "<SegmentId>"

This immediately removes the conflict and stops the Private Access rule from deploying.

If the Entra application itself is broken

If the app exists in Entra but never fully registered with GSA:

Delete all Private Access segments first (using the steps above)

Then delete the Enterprise Application from Entra

Re‑create the application only from Global Secure Access → Applications → Enterprise applications

This guarantees the Network access properties blade is created correctly.

Answer accepted by question author

1 additional answer

Your answer

Trey Contello 20 Reputation points

2026-04-01T13:40:01.7933333+00:00

Hi Shubham, thank you for the comprehensive answer. The garbage-collection process must have run, because the issue is resolved this morning. Reviewing your comments, it seems that the situation I found myself in was caused by the GSA backend failing mid-provisioning while I was creating the new application.

That caused the enterprise application to appear in Entra but not in Global Secure Access.

Once in that situation, what is the correct procedure to rectify the situation? You referenced the beta powershell module. Is there a specific command that I could use to delete the mis-provisioned application properly?

In the future, I would like to be able to deal with this kind of issue more quickly. In this case, it took several days, and we were helpless while waiting for the garbage-collection process to resolve the issue.

Answer 1

Trey Contello

Thank you for reaching out to Microsoft Q&A.

Global Secure Access (GSA) Enterprise Applications and their application segments are NOT fully governed by Entra ID Enterprise App deletion.

Key points confirmed by Microsoft:

Application segments are enforced inside the Global Secure Access service, not only in Entra ID.
Deleting or purging:
- Entra Enterprise Application
- App Registration
- Deleted applications does NOT immediately remove Global Secure Access application segments.
GSA enforces strict non-overlap:
- Same FQDN/IP + port + protocol cannot exist in more than one application segment.
If a segment still exists in GSA (even orphaned), you get

Application segment host and port already exists on application

Why “Network access properties” was missing

If an Enterprise App is created or partially created outside the GSA workflow, or the GSA backend fails mid-provisioning, the app can appear in:

Entra → Enterprise Applications

but not in:

Global Secure Access → Applications → Enterprise applications

Such apps do not expose “Network access properties**”**, because that blade only appears for GSA-managed Enterprise Apps, not standard Entra Enterprise Apps.

Below are the resolution:-

Option 1: Remove the orphaned segment using Entra PowerShell

Microsoft provides Entra PowerShell (Beta) cmdlets specifically for managing Private Access application segments, including orphaned ones.

What this allows you to do:

Enumerate all Private Access application segments
Identify the segment using the conflicting ApplicationId
Delete it directly from the GSA backend

For your reference: https://microsoft.github.io/GlobalSecureAccess/Entra%20Private%20Access/powershell/

Option 2: Natural backend cleanup

GSA policies and segments are eventually garbage-collected, even when the Enterprise App no longer exists.

Option 3: Verify via Global Secure Access only

Enterprise apps and their segments must be managed ONLY from:

Global Secure Access → Applications → Enterprise applications

Deleting apps from:

Entra → Enterprise Applications
App registrations does not guarantee GSA cleanup.

For your reference: https://dori-uw-1.kuma-moon.com/en-us/entra/global-secure-access/how-to-configure-per-app-access

Shubham Sharma 12,525 Reputation points Microsoft External Staff Moderator

2026-04-09T09:29:21.74+00:00

Trey Contello

If the resolution was helpful, please take a moment to accept the answer and upvote it 👍.

Thank you for contacting Microsoft Q&A!

Answer 2

The behavior indicates that an Enterprise application object with that application segment still exists in Global Secure Access, even if the corresponding Entra ID app was deleted or purged. The Global Secure Access service enforces these rules based on its own Enterprise application configuration, not only on the Entra ID app registration list.

From the documented behavior:

Application segments are defined on Global Secure Access Enterprise applications and must not overlap: if two or more application segments include the same destination, port, and protocol, they are considered overlapping and are blocked from being created.
The service enforces that no overlapping FQDNs, IPs, or IP ranges exist within or between any Private Access apps (except for the special Quick Access overlap case). If a segment already exists on any Enterprise app, attempts to create the same destination/port/protocol on another app fail with the conflict error.
Enterprise apps and their segments are managed only under Global Secure Access > Applications > Enterprise applications. Deleting or purging an app registration under App registrations or Identity > Enterprise applications does not remove Global Secure Access application segments by itself.

To clear the conflict and regain the ability to create the segment:

In the Microsoft Entra admin center, go to Global Secure Access > Applications > Enterprise applications and carefully review all listed Global Secure Access Enterprise apps.
For each app, open Network access properties and review the configured application segments. Look for any segment that matches the exact destination, port, and protocol that is causing the conflict.
When the conflicting segment is found, either:
- Remove that application segment from the existing Enterprise app, or
- Change its destination/port/protocol so it no longer overlaps.
Allow up to ~15 minutes for configuration changes to synchronize to Global Secure Access clients.
After the conflict segment is removed or changed, create the new Enterprise application or add the new application segment again with the desired destination/port/protocol.

If the conflicting application ID shown in the error truly does not appear under Global Secure Access > Applications > Enterprise applications, and no Enterprise app in that blade contains the overlapping segment, then the configuration is out of sync and requires support intervention. In that case, open a support ticket for Global Secure Access so the backend Enterprise application and its segments can be removed from the service.

As a preventive measure once the environment is clean:

Always create and manage per-app access only through Global Secure Access > Applications > Enterprise applications, including deletions of apps and segments.
Avoid overlapping segments between Enterprise apps; if Quick Access is in use, follow the documented best practice to remove Enterprise-app destinations from Quick Access and split IP ranges so that overlaps are avoided.

References:

How to configure per-app access using Global Secure Access applications

Share via

Can't add new "application segment" to Global Secure Access Enterprise Application

1 additional answer

Your answer