
Microsoft Entra Global Secure Access

Microsoft's SSE platform — Internet Access and Private Access for zero-trust network access. Here's what it does.

Microsoft Entra Global Secure Access is Microsoft's Security Service Edge (SSE) platform — an identity-aware network security tier that replaces legacy VPN, network firewalls, and standalone CASB / SWG for many scenarios. It has two main components: Entra Internet Access for protecting outbound internet traffic, and Entra Private Access for replacing VPN with zero-trust access to private apps.

Entra Internet Access

Entra Internet Access is Microsoft's Secure Web Gateway (SWG) offering. Traffic from a user's endpoint is steered through Microsoft's global edge — via the Global Secure Access client on Windows / macOS / iOS / Android, or via tunnel connectors on the network. Once there, Microsoft applies:

  • Web filtering by category (gambling, adult, malware, social media, etc.) and custom rules.
  • TLS inspection for content visibility (with appropriate certificate trust).
  • CASB-style controls for sanctioned and unsanctioned SaaS.
  • Identity-aware policies — different rules per user, per group, per Conditional Access risk level.
  • Microsoft 365 traffic optimisation — Microsoft 365 endpoints get fast paths to Microsoft's network without going through general inspection.

The pitch: replace a traditional on-prem proxy (Zscaler, Netskope, Palo Alto Prisma) for Microsoft 365 customers.

Entra Private Access

Entra Private Access publishes on-premises private applications to remote users through Entra ID with Conditional Access, without requiring a VPN. Connectors deployed in your network (similar to Entra Application Proxy) reverse-tunnel out to Microsoft's edge; users connect through the Global Secure Access client and reach the apps as if on the corporate network.

Use cases:

  • Replace legacy VPN for remote access to internal apps.
  • Make on-prem apps available to BYOD and contractor scenarios with full Conditional Access.
  • Protect lift-and-shifted IaaS apps hosted in Azure with the same identity-aware model.

Compared to old-school site-to-site VPN, Private Access is more granular (per-app, not network-wide), identity-aware, and audited.

Conditional Access integration

Both Internet Access and Private Access feed signals into and consume policies from Entra Conditional Access. Network conditions become a Conditional Access grant control:

  • Require traffic to go through Global Secure Access before Microsoft 365 will accept the session.
  • Block direct access to internal apps that bypass the Private Access tunnel.
  • Apply different policies based on whether a user is connected via the Global Secure Access client.
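As an added illustration, not code from the original page or from Microsoft, the first bullet above maps to a Conditional Access policy that blocks Microsoft 365 from every location except the compliant-network location. The Python check below walks exported policies in the Microsoft Graph conditionalAccessPolicy shape and reports which ones actually enforce that requirement for all users; the sample policies and the compliant-network location id are constructed placeholders, and the exact id must be read from your own tenant.

```python
# Constructed sample policies in the Microsoft Graph conditionalAccessPolicy shape.
# COMPLIANT_NETWORK_LOCATION_ID is a placeholder (assumption) for the tenant's
# built-in "All Compliant Network locations" named location.
COMPLIANT_NETWORK_LOCATION_ID = "<compliant-network-named-location-id>"

SAMPLE_POLICIES = [
    {"displayName": "Require GSA for Microsoft 365", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["Office365"]},
                    "users": {"includeUsers": ["All"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": [COMPLIANT_NETWORK_LOCATION_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "MFA for all apps", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def enforces_compliant_network(policy, app_id, location_id):
    """True when the policy is enabled, covers all users, and blocks app_id from
    every location except the compliant-network location, so sessions must
    arrive through Global Secure Access."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions", {})
    apps = cond.get("applications", {}).get("includeApplications", [])
    if app_id not in apps and "All" not in apps:
        return False
    users = cond.get("users", {}).get("includeUsers", [])
    if "All" not in users:
        return False  # a pilot-group scope does not protect the tenant
    loc = cond.get("locations") or {}
    if "All" not in loc.get("includeLocations", []):
        return False
    if location_id not in loc.get("excludeLocations", []):
        return False
    grant = policy.get("grantControls") or {}
    return "block" in grant.get("builtInControls", [])


def policies_enforcing_gsa(policies, app_id="Office365",
                           location_id=COMPLIANT_NETWORK_LOCATION_ID):
    """Names of policies enforcing the requirement; an empty list means the app
    is still reachable without going through Global Secure Access."""
    return [p["displayName"] for p in policies
            if enforces_compliant_network(p, app_id, location_id)]
```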

What it replaces

  • Traditional VPN concentrators.
  • Standalone Secure Web Gateways (Zscaler ZIA, Netskope, Cloudflare WARP-for-business at enterprise scale).
  • Some CASB capabilities (though Defender for Cloud Apps still has broader CASB coverage).
  • On-prem Application Proxy for many scenarios.

What it doesn't replace

  • Network firewalls for inbound traffic to on-prem services exposed to the internet.
  • SD-WAN for branch-to-branch connectivity.
  • Defender for Endpoint for endpoint-side protection.

Licensing

Global Secure Access is licensed per user — separate SKUs for Internet Access and Private Access, often bundled.

For Microsoft 365 customers heavily invested in Entra ID, Global Secure Access is increasingly part of the zero-trust toolkit. It's still maturing, but the direction is clear.