Seamless access to cloud and private network resources with granular control and enhanced security.
Published: Jan 06, 2025
Microsoft Global Secure Access (GSA) offers an integrated, identity-driven approach to securing remote access to applications, file shares and resources, regardless of location, device, or user identity.
I didn’t expect we’d see the beginning of the end of traditional VPNs for at least a decade. The ever-present need for on-premises applications, file shares, and resources to be accessible to an increasingly mobile workforce will not begin to disappear any time soon. Many apps, file shares and resources simply must stay in traditional data centers, or in fully secured private portions of the public cloud (Azure Files in a private virtual network (vnet), for example).
And yet, in 2023, we saw the public preview and (in 2024) the eventual release of Microsoft’s Global Secure Access solution.
Global Secure Access builds on Microsoft’s Application Proxy service by bringing together several features like HTTPS traffic traversal and cloud tunneling. GSA is built on the principles of Zero Trust and it features Microsoft Entra Internet Access, Microsoft Entra Internet Access for Microsoft Traffic, and Microsoft Entra Private Access to provide secure and adaptive access to Software-as-a-Service (SaaS) apps, private apps, and Microsoft services.
Global Secure Access includes three traffic forwarding profiles. Traffic forwarding profiles enable admins to forward specific traffic to Global Secure Access from devices running the Global Secure Access client.
Whilst the Microsoft traffic forwarding profile (Microsoft Entra Internet Access for Microsoft Traffic) is a bit of a mouthful to say, it’s the only profile that’s included in the base Microsoft Entra ID P1 (and P2) license. Given that it’s included for most organizations at no extra cost, it makes sense to look at it in some detail.
In essence, this profile instructs Global Secure Access clients (computers and laptops out in the field) to capture traffic destined for Microsoft 365 services and route it directly to the nearest Microsoft point of presence.
Without Entra Internet Access, Microsoft 365 traffic generally still connects to the nearest edge point of presence for best performance, but it lacks the dedicated, centralized controls for network-level security. Entra Internet Access applies identity-aware policies, Conditional Access, and continuous monitoring at the first point of contact, ensuring Zero Trust principles are enforced before granting access.
Remember 5-10 years ago, when everyone thought it was weird to let laptops ‘go direct’ to Exchange Online and Teams*, but lost the argument in favor of performance? It was weird, and it still kind of is. This traffic profile grants the organization’s security team control of which devices can access Microsoft resources without solely relying on Intune device compliance.
*Yes, Teams didn’t exist 10 years ago, but you get my point.
Microsoft Entra Internet Access is the broader counterpart of the Microsoft traffic profile. It protects and inspects all outbound internet traffic from user endpoints, covering not only Microsoft apps but also third-party SaaS services, public websites, and other web destinations.
By routing traffic through Microsoft’s global points of presence (PoPs), Entra Internet Access enforces granular security policies, leverages advanced threat intelligence, and applies Zero Trust principles at the network edge.
The Microsoft Entra Private Access traffic forwarding profile represents a significant shift in how organizations enable secure connections to on-premises or private cloud resources. Unlike traditional virtual private networks (VPNs), this profile leverages identity-centric and context-aware processes to provide app-level permissions, eliminating the need to place remote devices on the entire network.
Why is this a big deal?
Because Microsoft Entra Private Access fundamentally addresses the same problem VPNs were designed to solve, but in a more secure and efficient way.
You have two approaches for configuring access to private network resources, either by groups or per app:
VPNs are complex to deploy and have some disadvantages. Here’s why you might consider a more modern solution for secure remote access:
Below is a graphical comparison of each approach, showcasing how these configurations offer flexibility and security depending on your needs.
Notice that the group-based approach requires only one Enterprise App, and grants access to the entire internal network across protocols such as HTTP, RDP and SMB.
You’ll see that the per-app example of just 2 apps is already a little more complicated – each ‘app segment’ in the on-premises network requires a corresponding Global Secure Access app.
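To make the trade-off between the two approaches concrete, here is an added, simplified model (not Microsoft's API or the article's own material) that evaluates the same user against a single whole-network app and against per-app segments; the app names, groups, addresses and ports are constructed assumptions.

```python
"""Simplified model of the two Private Access styles the article contrasts:
one Enterprise App publishing a whole subnet across HTTP, RDP and SMB, versus
one app per internal service. Constructed example; names and addresses are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One published destination: a CIDR range, a protocol and a port range."""
    cidr: str
    protocol: str   # "tcp" or "udp"
    ports: str      # "first-last", e.g. "3389-3389"

    def port_range(self):
        lo, hi = (int(p) for p in self.ports.split("-"))
        return range(lo, hi + 1)

    def allows(self, ip, protocol, port):
        return (protocol == self.protocol and port in self.port_range()
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


# Policy = app name -> (groups assigned to the app, published segments).
# Group-based style: a single app for the entire 10.0.0.0/16 network.
GROUP_BASED = {
    "Internal network": ({"Remote-Workers"}, [Segment("10.0.0.0/16", "tcp", "1-65535")]),
}
# Per-app style: one app (and one group assignment) per internal service.
PER_APP = {
    "Intranet HTTPS": ({"Remote-Workers"}, [Segment("10.0.1.10/32", "tcp", "443-443")]),
    "File server SMB": ({"Remote-Workers"}, [Segment("10.0.3.20/32", "tcp", "445-445")]),
    "Jump host RDP": ({"IT-Admins"}, [Segment("10.0.2.5/32", "tcp", "3389-3389")]),
}


def granting_app(policy, user_groups, ip, protocol, port):
    """Name of the app that lets a member of user_groups reach ip:port, or None."""
    for app, (groups, segments) in policy.items():
        if user_groups & groups and any(s.allows(ip, protocol, port) for s in segments):
            return app
    return None


def reachable_ports(policy, user_groups, ip, protocol="tcp"):
    """Distinct ports the user could reach on one host: a blast-radius measure."""
    ports = set()
    for groups, segments in policy.values():
        for s in segments:
            if user_groups & groups and s.protocol == protocol \
                    and ipaddress.ip_address(ip) in ipaddress.ip_network(s.cidr):
                ports.update(s.port_range())
    return len(ports)
```

Under the single-app policy a remote worker assigned to that app can reach every port on every host in the range, whereas the per-app policy limits the same user to one port on the file server and nothing on the jump host.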
We opened this article by talking loftily about the downfall of the traditional VPN, replaced by more granular security that embraces zero trust network access (ZTNA), so this next section is a short guide to configuring the ‘Private Access profile’. We’ll also include a little about the required Enterprise Application, which we use to control access to the internal network from the public internet.
All of this back-end configuration is a little useless without a way for a Windows (or macOS) device to connect to the service. Follow these steps to install and configure the Global Secure Access Client on your Windows device:
Of course, the preferred way to get the client installed on endpoints is via Intune, or a similar Mobile Device Management (MDM) solution. The Microsoft team have put together a guide on the GitHub site; take a look to learn how to deploy the client app via Intune.
In conclusion, Microsoft Entra Private Access and the broader Global Secure Access solution represent a significant leap forward in secure connectivity, effectively addressing the limitations of traditional VPNs.
By leveraging identity-driven Zero Trust principles, these tools offer granular control, enhanced security, and seamless access to both Microsoft and private resources. This is not just a replacement for the VPN, it is a smarter, more efficient, and future-ready upgrade.