What is Microsoft Global Secure Access?

Seamless access to cloud and private network resources with granular control and enhanced security.

Published: Jan 06, 2025


Microsoft Global Secure Access (GSA) offers an integrated, identity-driven approach to securing remote access to applications, file shares and resources, regardless of location, device, or user identity.

I didn’t expect we’d see the beginning of the end of traditional VPNs for at least a decade. The ever-present need for on-premises applications, file shares, and resources to be accessible to an increasingly mobile workforce will not begin to disappear any time soon. Many apps, file shares and resources simply must stay in traditional data centers, or in fully secured private portions of the public cloud (Azure Files in a private virtual network (vnet), for example).

And yet, in 2023, we saw the public preview and (in 2024) the eventual release of Microsoft’s Global Secure Access solution.

What is Microsoft Global Secure Access?

Global Secure Access builds on Microsoft’s Application Proxy service by bringing together several features like HTTPS traffic traversal and cloud tunneling. GSA is built on the principles of Zero Trust and it features Microsoft Entra Internet Access, Microsoft Entra Internet Access for Microsoft Traffic, and Microsoft Entra Private Access to provide secure and adaptive access to Software-as-a-Service (SaaS) apps, private apps, and Microsoft services.

Traffic forwarding profiles

Global Secure Access includes three traffic forwarding profiles. Traffic forwarding profiles enable admins to forward specific traffic to Global Secure Access from devices running the Global Secure Access client.

1. Microsoft Entra Internet Access for Microsoft Traffic

Whilst this traffic forwarding profile is a bit of a mouthful to say, it is the only profile included in the base Microsoft Entra ID P1 (and P2) license. Since it is included for most organizations at no extra cost, it makes sense to look at it in some detail.

In essence, this profile instructs Global Secure Access clients (computers and laptops out in the field) to capture traffic destined for Microsoft 365 services and route it directly to the nearest Microsoft point of presence.

Without Entra Internet Access, Microsoft 365 traffic generally still connects to the nearest edge point of presence for best performance, but it lacks the dedicated, centralized controls for network-level security. Entra Internet Access applies identity-aware policies, Conditional Access, and continuous monitoring at the first point of contact, ensuring Zero Trust principles are enforced before granting access.

Remember 5-10 years ago, when everyone thought it was weird to let laptops ‘go direct’ to Exchange Online and Teams*, but lost the argument in favor of performance? It was weird, and it still kind of is. This traffic profile grants the organization’s security team control of which devices can access Microsoft resources without solely relying on Intune device compliance.

*Yes, Teams didn’t exist 10 years ago, but you get my point.

2. Microsoft Entra Internet Access

Microsoft Entra Internet Access is the broader counterpart of the Microsoft traffic profile. It protects and inspects all outbound internet traffic from user endpoints, covering not only Microsoft apps but also third-party SaaS services, public websites, and other web destinations.

By routing traffic through Microsoft’s global points of presence (PoPs), Entra Internet Access enforces granular security policies, leverages advanced threat intelligence, and applies Zero Trust principles at the network edge.

3. Microsoft Entra Private Access

The Microsoft Entra Private Access traffic forwarding profile represents a significant shift in how organizations enable secure connections to on-premises or private cloud resources. Unlike traditional virtual private networks (VPNs), this profile leverages identity-centric and context-aware processes to provide app-level permissions, eliminating the need to place remote devices on the entire network.

Why is this a big deal?
Because Microsoft Entra Private Access fundamentally addresses the same problem VPNs were designed to solve, but in a more secure and efficient way.

Two approaches to configuring access to private resources

You have two approaches for configuring access to private network resources, either for a group of resources at once or per app:

  1. Quick Access
    • This option allows you to define a group of FQDNs and IP addresses that you want to secure.
    • It’s an easy and fast alternative to traditional VPNs, granting secure access to internal resources with just a few clicks.
    • Perfect for organizations looking to replace VPNs quickly without extensive reconfiguration.
  2. Global Secure Access Apps
    • This method enables you to specify a subset of private resources, secured per app.
    • It’s an incredibly granular approach, offering far more control and precision than traditional VPNs ever could.
    • Ideal for securing sensitive resources while adhering to zero-trust principles.

Why choose Microsoft Entra Private Access over a traditional VPN?

VPNs are complex to deploy and have some disadvantages. Here’s why you might consider a more modern solution for secure remote access:

  • Enhanced Security: App-level permissions reduce the attack surface.
  • Identity-Centric: Access is tied to users’ identities and the context of their requests.
  • Granularity: Global Secure Access apps provide unmatched resource control.
  • Ease of Use: Quick Access offers a simple, fast transition from VPNs.

Below is a graphical comparison of each approach, showcasing how these configurations offer flexibility and security depending on your needs.

Quick Access app

Notice that this approach requires only one Enterprise App, and grants access to the entire internal network across protocols such as HTTP, RDP and SMB.

[Figure: Microsoft Global Secure Access – Quick Access App Example (Image Credit: Microsoft Learn)]

Global Secure Access app

You’ll see that this example of just two apps is already a little more complicated: each ‘app segment’ in the on-premises network requires a corresponding Global Secure Access app.

[Figure: Private Access App Example using Microsoft Global Secure Access (Image Credit: Microsoft Learn)]

Configure Global Secure Access Quick Access

Since this article opened by talking loftily about the downfall of the traditional VPN, replaced by more granular security that embraces Zero Trust Network Access (ZTNA), this section is a short guide to configuring the ‘Private Access profile’. It also covers the required Enterprise Application, which we can use to control access to the internal network from the public internet.

  • Navigate to the Entra Admin Center
    • Log in to the Entra Admin Center with appropriate permissions.
    • Go to Global Secure Access in the navigation pane.
  • Enable the Private Access traffic forwarding profile
[Figure: Traffic forwarding profiles (Image Credit: Dean Ellerby/Petri.com)]
  • Download the Connector Service
    • Navigate to the Connectors section.
    • In the Private Network Connectors pane, locate and download the Connector Service installer.
[Figure: Private Network Connector client download (Image Credit: Dean Ellerby/Petri.com)]
  • Install the Connector Service
    • Run the downloaded installer on an application server or any other server with access to the private network you wish to expose via Global Secure Access.
    • Follow the on-screen instructions to complete the installation process.
  • Verify Connector Activation
    • After installation, return to the Connectors pane in the Entra Admin Center.
    • Confirm that the connector and its associated IP address are displayed as Active. This indicates the connector is successfully installed and operational.
[Figure: Private network connectors (Image Credit: Dean Ellerby/Petri.com)]
  • Navigate to Quick Access in Global Secure Access
    • Go to the Entra Admin Center and select Global Secure Access.
    • From the menu, click on Quick Access and then select Create Quick Access Configuration.
  • Create the Configuration
    • Add a Name for the Quick Access configuration. This should clearly describe the purpose of the segment.
    • Choose the Default Connector Group to assign this configuration to.
  • Add a Quick Access App Segment
    • Click on Add Quick Access App Segment to define the resources you want to secure.
    • Enter the following details:
      • Destination Type: Specify the type of destination (e.g., CIDR range).
      • Netmask: Define the subnet mask for the range.
      • Ports to Expose: List the ports you want to include (e.g., 445, 80, 443, 3389).
      • Protocol: Select the appropriate protocol (e.g., TCP).
[Figure: Application Segment in Microsoft Global Secure Access (Image Credit: Dean Ellerby/Petri.com)]
  • Save and Deploy the Configuration
    • Review your entries for accuracy and click Save.
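Before clicking Save, it is worth sanity-checking app segment definitions offline. The following is an added example (not code from the article or from Microsoft) in Python: it models segments with the portal fields listed above (CIDR destination, ports, protocol), flags segments owned by different apps that overlap on the same addresses, ports and protocol (which leaves it ambiguous which app’s policy governs the traffic), and flags segments broad enough to re-create the whole-network exposure of a VPN. The overlap rule and the /16 and 1024-port thresholds are assumptions chosen for the example, and the sample segments are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AppSegment:
    name: str            # Quick Access config or Global Secure Access app that owns the segment
    destination: str     # CIDR range as entered in the portal, e.g. "10.10.0.0/24"
    ports: tuple         # single ports or "start-end" ranges, e.g. ("445", "8000-8010")
    protocol: str = "TCP"

def expand_ports(ports):
    """Turn ("445", "8000-8010") into a set of ints; reject anything outside 1-65535."""
    out = set()
    for spec in ports:
        lo, _, hi = str(spec).partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"invalid port spec {spec!r}")
        out.update(range(lo_i, hi_i + 1))
    return out

def overlapping(a, b):
    """Segments collide when protocol, address range and at least one port all coincide."""
    if a.protocol.upper() != b.protocol.upper():
        return False
    net_a = ipaddress.ip_network(a.destination, strict=False)
    net_b = ipaddress.ip_network(b.destination, strict=False)
    return net_a.overlaps(net_b) and bool(expand_ports(a.ports) & expand_ports(b.ports))

def find_conflicts(segments):
    """Return (owner, owner) pairs for segments of different apps that overlap."""
    return [(a.name, b.name) for i, a in enumerate(segments)
            for b in segments[i + 1:] if a.name != b.name and overlapping(a, b)]

def too_broad(seg, min_prefixlen=16, max_ports=1024):
    """Flag a segment wider than /16 or exposing more than 1024 ports (assumed thresholds)."""
    net = ipaddress.ip_network(seg.destination, strict=False)
    return net.prefixlen < min_prefixlen or len(expand_ports(seg.ports)) > max_ports

# Constructed sample: a subnet-wide Quick Access config, a per-app segment, and a VPN-style catch-all.
SAMPLE = [
    AppSegment("QuickAccess-Default", "10.10.0.0/24", ("445", "80", "443", "3389")),
    AppSegment("FileServer-App", "10.10.0.5/32", ("445",)),
    AppSegment("Legacy-LAN", "10.0.0.0/8", ("1-65535",)),
]

if __name__ == "__main__":
    print("conflicts:", find_conflicts(SAMPLE))
    print("too broad:", [s.name for s in SAMPLE if too_broad(s)])
```

Running it on the constructed sample reports the file server segment colliding with the subnet-wide Quick Access entry on port 445, and flags the /8 catch-all as the kind of segment that defeats the per-app model.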

Install the Global Secure Access client app

All of this back-end configuration is a little useless without a way for a Windows (or macOS) device to connect to the service. Follow these steps to install and configure the Global Secure Access Client on your Windows device:

  1. Prepare Your Device
    • Ensure your Windows device is either Microsoft Entra joined or Hybrid joined.
    • Sign in to the device using a Microsoft Entra user role with local administrator privileges.
  2. Download the Client
    • Open the Microsoft Entra admin center using an identity assigned the Global Secure Access Administrator role.
    • Go to Global Secure Access > Connect > Client Download.
    • Click Download Client and run the installer.
  3. Install the Client
    • Follow the installation prompts to complete the process.
  4. Sign In to the Client
    • Locate the Global Secure Access Client icon in the Windows taskbar.
    • Initially, it will show as Disconnected. After a few seconds, you’ll be prompted to sign in.
    • Sign in using your Microsoft Entra credentials.
  5. Verify Connection
    • Double-click the Global Secure Access Client icon in the Windows taskbar.
    • Ensure the status updates to Connected.
  6. Run Advanced Diagnostics
    • Right-click the Global Secure Access Client icon in the Windows taskbar.
    • Select Advanced Diagnostics to open the Global Secure Access Client Connection Diagnostics.
    • Click Health Check and confirm all checks display a Yes status.

Deploy the Global Secure Access client app via Intune

Of course, the preferred way to get the client installed on endpoints is via Intune or a similar Mobile Device Management (MDM) solution. The Microsoft team has put together a guide on GitHub; take a look to learn how to deploy the client app via Intune.

The future of secure connectivity

In conclusion, Microsoft Entra Private Access and the broader Global Secure Access solution represent a significant leap forward in secure connectivity, effectively addressing the limitations of traditional VPNs.

By leveraging identity-driven Zero Trust principles, these tools offer granular control, enhanced security, and seamless access to both Microsoft and private resources. This is not just a replacement for the VPN; it is a smarter, more efficient, and future-ready upgrade.
