PRACTITIONER GUIDE | ZERO TRUST
Practitioner GuideUpdated 10 min read

Entra ID Global Secure Access: How to Deploy Private Access as a Zero Trust VPN Replacement

Entra ID P1
Minimum license required -- P1 included in M365 E3; Global Secure Access requires the GSA add-on or E5
Outbound only
Private Access connectors use outbound HTTPS -- no inbound firewall ports required
Per-app
Private Access enforces Conditional Access per application -- unlike VPN which grants broad network access

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Traditional VPN is a perimeter access model -- once authenticated to VPN, the user has broad network access to any internal resource the VPN subnet can reach. This creates lateral movement risk: a compromised VPN credential provides an attacker with the same broad network access as the legitimate user. Entra Private Access applies Zero Trust principles to remote access: access is granted per application, per session, with continuous identity evaluation. A compromised credential that passes MFA gets access only to the specific applications the user is authorized for -- not the entire internal network. This guide covers the deployment steps for a Private Access pilot.

Prerequisites and License Requirements

Entra Private Access requires: Microsoft Entra ID P1 or P2 license (included in M365 E3/E5), a Microsoft Entra Suite or Global Secure Access add-on license (check current Microsoft licensing for the specific SKU), and Windows 10 21H1 or later for the Global Secure Access client (macOS is also supported; iOS and Android are in preview). The Private Access connector runs on Windows Server 2016 or later and requires .NET Framework 4.7.2 or later. The connector server needs outbound HTTPS (port 443) to Microsoft's Global Secure Access service endpoints and inbound connectivity from the internal resources it will proxy (the connector connects to internal servers to forward application traffic). Plan for at least 2 connector servers per network segment for redundancy -- one connector failure should not disrupt access. Verify licensing in the Entra admin center under Global Secure Access > Dashboard.

Deploy the Private Access Connector

In the Entra admin center, navigate to Global Secure Access > Connect > Connectors > Download connector service. Install on a Windows Server 2019 or 2022 VM in your internal network. During installation, the connector registers itself with your Entra tenant using a Tenant Admin account (you will be prompted to authenticate). After installation, verify the connector appears as Active in the Entra portal > Global Secure Access > Connect > Connectors. Create a connector group (Global Secure Access > Connect > Connector groups > New group) and assign the installed connector to it. The connector group is the deployment unit -- Private Access apps are associated with a connector group, and the connectors in that group handle traffic for those apps. Create connector groups per site or per segment: ConnectorGroup-HQ for head office resources, ConnectorGroup-DC for data center resources. Install at least 2 connectors per group for redundancy. The connector auto-updates -- verify auto-update is not disabled on the server.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Configure Quick Access vs Application-Specific Policies

Private Access offers two access models: Quick Access (a per-user subnet/FQDN allow list that replicates traditional VPN-style access) and Private Access Applications (per-application Zero Trust policies with Conditional Access). Quick Access: in Global Secure Access > Applications > Quick Access, add the IP ranges and FQDNs that Quick Access users can reach. This is the fastest migration path from VPN -- replace the VPN subnet with a Quick Access policy. All users assigned to Quick Access can reach those resources. Private Access Applications (Zero Trust model): create individual Enterprise Applications in Global Secure Access > Applications > Enterprise Applications. For each internal application (e.g., SAP ERP on 10.1.1.50:443, internal HR portal on hr.internal), create an app with the specific IP/FQDN and port. Apply Conditional Access policies to each app individually. This is the Zero Trust target state: each application has its own identity-based access policy. Start with Quick Access for the initial migration (to prove the technology works and get users off VPN), then progressively move applications to individual app policies with stricter Conditional Access.

Deploy the Global Secure Access Client

The Global Secure Access client routes traffic from end-user devices through the Private Access service. Deploy via Intune: in the Intune admin center, add the Global Secure Access client as a Win32 app using the installer downloaded from the Entra portal. Set the installer command with the tenant ID parameter: GlobalSecureAccessClient.exe /install /tenantId <tenantGUID>. After deployment, the client appears in the Windows system tray. It authenticates to Entra ID using the logged-in user's identity (SSO via the primary refresh token on joined devices -- no additional login required). Verify client connectivity: in the system tray, the client icon shows a green check when connected and a red/orange indicator when not. The Entra portal's Global Secure Access > Dashboard shows connected devices, active users, and traffic statistics. For troubleshooting: the client event log is at Applications and Services > Microsoft > Windows > GlobalSecureAccess > Operational in Event Viewer.

Integrate Conditional Access for Zero Trust Enforcement

The power of Private Access over VPN is Conditional Access integration. Each Private Access application (or Quick Access) can have Conditional Access policies that enforce MFA, device compliance, sign-in risk, and location restrictions per access attempt. Configure via Entra > Protection > Conditional Access > New Policy. Scope to the specific Private Access Enterprise Application. Example policies: require compliant device for access to the financial systems Private Access app; block access from any country outside the organization's operating countries; require phishing-resistant MFA (FIDO2 or WHfB) for access to the server infrastructure Private Access app. Continuous Access Evaluation (CAE) ensures that if an account is disabled or a sign-in risk event fires, the active Private Access session is terminated within seconds -- unlike VPN, which maintains sessions until reconnect regardless of risk state. Monitor Private Access activity in the Entra sign-in logs filtered by the Private Access application names.

The bottom line

Entra Private Access provides a Zero Trust alternative to VPN that enforces identity policies per application rather than granting broad network access. The deployment is connector-based (outbound only, similar to Application Proxy), and the end-user experience is seamless on Intune-managed Entra ID joined devices. Start with Quick Access as a VPN replacement pilot, then progressively migrate to per-application policies with Conditional Access enforcement. The security benefit over VPN is that a compromised credential provides access only to the specific applications the user is authorized for -- not the entire internal network.

Frequently asked questions

What is the difference between Private Access and Application Proxy?

Entra Application Proxy is specifically for HTTP/HTTPS web applications and routes web browser sessions through the Microsoft cloud. Private Access supports any TCP/UDP application (RDP, SSH, SMB, custom protocols, web apps) and routes traffic at the network level. Application Proxy is the simpler solution for publishing a single intranet web app; Private Access is the VPN replacement for full internal network resource access. For an organization replacing VPN entirely, Private Access is the right choice -- it covers all application types Application Proxy supports plus non-web protocols.

Does Private Access replace the need for a traditional SSL VPN?

For user remote access to internal applications, yes -- Private Access provides equivalent functionality with better security controls (per-app Conditional Access vs broad VPN network access). Private Access does not replace VPN for device provisioning (you cannot domain-join a device via Private Access before the device has any identity), for emergency network-level access scenarios requiring full subnet access, or for site-to-site connectivity (Private Access is user-to-resource, not site-to-site). Keep a fallback VPN for provisioning and emergency scenarios while operating Private Access as the primary remote access method.

Can Private Access work for on-premises resources accessed by Entra ID joined devices?

Yes. Entra ID joined devices (not hybrid joined) historically required VPN or Application Proxy to access on-premises resources like file shares and printers because they have no domain-joined network connectivity. Private Access solves this: deploy a connector in the on-premises network and configure Private Access apps for the file servers, printers, and other resources the Entra ID joined devices need. The Entra ID joined devices access these resources via Private Access regardless of their physical location.

What happens if the Private Access connector goes offline?

Traffic for applications assigned to that connector's group will fail. This is why deploying at least 2 connectors per connector group is required for production use. The Global Secure Access service load balances across active connectors in a group -- if one connector goes offline, traffic automatically routes to the remaining active connectors. Monitor connector health in the Entra portal: Global Secure Access > Connect > Connectors. Alerts on connector status changes can be configured via Azure Monitor alerts on the Entra diagnostics data.

How does Private Access enforce Conditional Access policies per application?

Each Private Access enterprise application can be assigned its own Conditional Access policy in Entra ID. When a user attempts to access an application via the Global Secure Access client, the client authenticates to Entra ID and requests an access token for that specific enterprise application. The Conditional Access engine evaluates the applicable policies -- it can require MFA, require a compliant device, block high-risk users, or restrict by location for each individual application. This is fundamentally more granular than VPN, which either grants or blocks access to the entire network. A contractor connecting via Private Access can access the specific project file server they need without triggering the stricter Conditional Access policy applied to the finance system.

How does Global Secure Access Internet Access compare to a traditional Secure Web Gateway and when would you use each?

Global Secure Access Internet Access is Microsoft's cloud-delivered Secure Web Gateway (SWG) integrated into the Microsoft security stack. Traditional SWGs (Zscaler Internet Access, Netskope, Cisco Umbrella) provide similar capabilities -- URL filtering, SSL inspection, malware scanning, CASB integration -- but are separate products with their own management consoles, identities, and policy engines. GSA Internet Access advantages: policies reference Entra ID users and groups directly, no separate identity sync, and enforcement ties to Conditional Access (a risky user can be dynamically blocked at the network layer as well as the application layer). GSA Internet Access also provides the network telemetry for Microsoft's Universal Tenant Restriction feature, which blocks access to other tenants from corporate devices. Traditional SWG advantages: more mature feature sets (Zscaler and Netskope have years more development), broader partner integrations, and often better SSL inspection performance. Organizations already standardized on Microsoft 365 E5 security should evaluate GSA Internet Access seriously because it is included in the E5 license. Organizations with existing SWG investments from other vendors should do a feature comparison against their specific requirements before migration.

Sources & references

  1. Microsoft: Global Secure Access Documentation
  2. Microsoft: Entra Private Access Quickstart

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.