
The Missing Piece in the Zero Trust Puzzle

The core principles of Zero Trust (Assume Breach, Least Privilege and Verify Explicitly) are slowly trickling through organizations' approach to cybersecurity. It's hard, because you can't just buy it, and it involves people and process just as much as technology. In the Microsoft world, most of the building blocks have been in place for some time: Entra ID for authentication and authorization, identity governance to ensure users only have the access they need, and Defender XDR plus Sentinel for spotting the inevitable breaches before they turn into major incidents. But the network has until recently been a weak spot, either because users are working in locations not protected by your fancy enterprise-grade firewalls, or because they've used a traditional VPN to connect to on-premises resources, in many cases bypassing most of your protections.


In this article I'll look at Microsoft's entry in the Secure Services Edge (SSE) market, Global Secure Access (GSA), and its two flavors, Internet Access and Private Access. Another buzzword for this kind of technology is Zero Trust Network Access (ZTNA).

That's a Good-Looking Suite
There are at least seven definitions of the word "suite" in the English language, and one is "a set of programs with a uniform design and the ability to share data," which is most likely the meaning of the Entra Suite license (as opposed to "a set of coordinating furniture" or "a group of people in attendance on a monarch or other person of high rank"). It includes:

  • Entra Private Access
  • Entra Internet Access
  • Entra ID Governance
  • Entra ID Protection
  • Entra Verified ID

We'll focus on the first two, but I'll cover all five and how they work together to provide a Zero Trust fabric for your organization, no matter where the resources your users access are located, and irrespective of where they connect from. The suite is $12 per user per month. If you already have Entra ID P2 licensing or Microsoft 365 E5, which already include Identity Protection, parts of ID Governance and parts of Verified ID, there's special pricing available so you don't pay twice for the same features.

Accessing Corporate Resources
When I started my career in IT, accessing corporate resources involved dial-up modems and clunky approaches to reaching file shares and databases. As connectivity improved, we swapped to Virtual Private Network (VPN) tech, nearly always with a user action component -- connect to the internet first, then make a second connection to access on-premises resources. As any network architect will tell you, the big problem here is that once your device is connected, it's part of the network, as if the device were sitting on the LAN in the office. This gives an attacker that has compromised your device, or malware planted there, extensive access to attack other resources in the corporate environment and thus move laterally to other systems. Furthermore, as we've discovered (and continue to discover), the edge devices we connect through, from supposedly responsible cybersecurity vendors, have holes big enough to drive a Borg cube through and not even scrape the sides.

This is where SSE or its cousin, Secure Access Service Edge (SASE), enters the arena. SASE includes Wide Area Networking convergence, which SSE doesn't, and Entra Global Secure Access provides only SSE (today). SSE/SASE services are cloud hosted and, using various approaches, provide a range of security features to connect clients with resources securely, based on strong authentication methods.

Microsoft's unique approach is integrating with the rest of the Entra ID stack and using familiar building blocks such as Conditional Access (CA) Policies that most IT pros are familiar with.

For several years there's been the Entra ID application proxy, which lets you provide secure access to on-premises web-based applications (only) and publish them for your users in Entra ID alongside the other SaaS apps you've published, so Salesforce could sit next to the internal (not available on the web) vacation booking app in your MyApps portal.

Private Access, however, takes this to a whole new level by providing access to any on-premises application, no matter the protocol. And there's no VPN involved, nor do you need to open any inbound port in your corporate firewall. Need your IT administrators to RDP into servers after hours? No worries, create a policy in two minutes. Worried about security? Require phishing-resistant MFA for each connection. And if your users need access to traditional file shares, that's also just a few clicks away.

You do need an agent on the endpoint for both Private and Internet Access. Eventually the Windows client will be built in, but today it's a separate installation, as are the macOS agent (currently in preview), the Android client and the iOS agent (again in preview). Note that the iOS agent only supports Microsoft 365 and Private Access traffic, with internet traffic filtering coming in the first half of 2025.

[Figure: Private Network Connectors]

For Private Access you also need at least one connector on a Windows server on-premises that has line of sight to the resources you want users to reach from outside the network. The connector makes the outbound connection, which is why you don't need to open inbound ports on your edge firewall(s). It's really just a newer version of the Entra ID application proxy mentioned above.

To get up and running quickly, there's a Quick Access option where you specify the internal Fully Qualified Domain Names (FQDNs) and IP addresses you want to publish into an application segment. You can also add private DNS suffixes so that the GSA agent knows how to resolve names of internal resources, and you can configure single sign-on (SSO) for accessing resources using Kerberos. Quick Access relies on an enterprise application registered in Entra ID; you grant users and groups access to that application if you want them to be able to use Private Access. This is the first step in deploying Private Access, and it can also be the start of your migration off your VPN.

[Figure: List of Discovered Applications]

Quick Access is great for getting started, but after a while you'll probably want different policies for different applications. A new feature called Application discovery, currently in preview, tracks every application accessed and shows you the FQDN, IP protocol, port(s), number of users and devices, bytes sent and received, and first and last access. Based on this you can create individual applications, which inherit the users and groups assigned through Quick Access and which you can then trim down per application.
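To make the step from discovery to per-application segments concrete, here is an added Python example; it is not GSA's code or data. The flow records, the directory group memberships and the Quick Access group assignment are constructed for the example. It aggregates flows per destination the way the discovery view lists them (ports, users, devices, bytes, first and last access), then proposes a per-app segment that starts from the groups inherited from Quick Access and trims them to the smallest inherited groups that cover the users actually observed, which is the least-privilege starting point an admin would then review.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample flow records, shaped like the columns the discovery view
# shows (destination, protocol, port, user, device, bytes, time). Not real GSA data.
FLOWS = [
    ("fs01.corp.example", "tcp", 445, "alice", "lt-001", 12_000, 340_000, "2025-03-01T08:05:00"),
    ("fs01.corp.example", "tcp", 445, "bob", "lt-002", 8_000, 120_000, "2025-03-02T09:10:00"),
    ("srv-app1.corp.example", "tcp", 3389, "alice", "lt-001", 50_000, 900_000, "2025-03-01T18:30:00"),
    ("srv-app1.corp.example", "tcp", 3389, "alice", "lt-001", 45_000, 870_000, "2025-03-03T19:00:00"),
    ("10.10.5.20", "udp", 53, "carol", "lt-003", 600, 1_400, "2025-03-02T07:00:00"),
    ("intranet.corp.example", "tcp", 443, "dave", "lt-004", 3_000, 70_000, "2025-03-02T11:00:00"),
]

# Assumed Quick Access assignment and an assumed directory lookup (user -> groups).
QUICK_ACCESS_GROUPS = {"all-staff", "server-admins"}
USER_GROUPS = {
    "alice": {"all-staff", "server-admins"},
    "bob": {"all-staff"},
    "carol": {"all-staff"},
    "dave": {"all-staff", "web-devs"},
}


@dataclass
class DiscoveredApp:
    """One row of the discovery view: a destination/protocol pair and its usage."""
    destination: str
    protocol: str
    ports: set = field(default_factory=set)
    users: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    bytes_sent: int = 0
    bytes_received: int = 0
    first_access: Optional[datetime] = None
    last_access: Optional[datetime] = None


def discover(flows):
    """Aggregate raw flows per (destination, protocol), like the discovery view."""
    apps = {}
    for dest, proto, port, user, device, sent, recv, ts in flows:
        app = apps.setdefault((dest, proto), DiscoveredApp(dest, proto))
        when = datetime.fromisoformat(ts)
        app.ports.add(port)
        app.users.add(user)
        app.devices.add(device)
        app.bytes_sent += sent
        app.bytes_received += recv
        app.first_access = when if app.first_access is None else min(app.first_access, when)
        app.last_access = when if app.last_access is None else max(app.last_access, when)
    return apps


def trim_groups(observed_users, inherited_groups, user_groups):
    """Greedy set cover over the inherited groups: repeatedly pick the group that
    covers the most still-uncovered observed users, preferring the smaller group
    on ties, so a destination used only by admins keeps only the admin group."""
    members = {g: {u for u, gs in user_groups.items() if g in gs} for g in inherited_groups}
    uncovered, chosen = set(observed_users), []
    while uncovered:
        candidates = [g for g in inherited_groups if g not in chosen and members[g] & uncovered]
        if not candidates:
            break  # remaining observed users are outside every inherited group
        best = max(candidates, key=lambda g: (len(members[g] & uncovered), -len(members[g]), g))
        chosen.append(best)
        uncovered -= members[best]
    return sorted(chosen)


def propose_app(app, user_groups=USER_GROUPS, inherited=QUICK_ACCESS_GROUPS):
    """Turn one discovered destination into a per-app segment proposal that
    records both the inherited Quick Access groups and the trimmed set."""
    return {
        "destinationHost": app.destination,
        "protocol": app.protocol,
        "ports": sorted(app.ports),
        "user_count": len(app.users),
        "device_count": len(app.devices),
        "inherited_groups": sorted(inherited),
        "trimmed_groups": trim_groups(app.users, inherited, user_groups),
    }


if __name__ == "__main__":
    for key, app in discover(FLOWS).items():
        print(propose_app(app))
```

The trimmed set is a proposal, not a decision: the admin still confirms it, and a destination whose observed users fall outside every inherited group is flagged by a trimmed set that does not cover them.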

It's really easy to get started with, and the granular control lets you provide access to only a particular application, for just the people who should have it.

For both Private and Internet Access, you then use Universal Conditional Access to add the conditions you need for each kind of access. Without GSA you can, for example, enforce phishing-resistant MFA, connectivity only from corporate devices and no sign-in risk for access to a specific SaaS cloud app. With GSA you can do the same for access to any resource. To make this even easier, the connector is now available in the marketplace in the three major clouds, taking the setup from 30 minutes or more to 5 minutes.
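As an added illustration of Universal Conditional Access applied to Private Access, the following Python models the conditions named above (application assignment, phishing-resistant MFA, device compliance, sign-in risk) evaluated against a set of application segments. It is a simplified model written for this article, not Entra's policy engine or Graph API; the segments, the policies, the request fields and the set of methods counted as phishing-resistant are assumptions, and the segments are kept non-overlapping so that the first match is unambiguous.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed set of authentication methods treated as phishing-resistant in this model.
PHISHING_RESISTANT_METHODS = {"fido2", "windows_hello_for_business", "certificate"}
RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Segment:
    """A Private Access application segment: FQDN or CIDR, protocol, port range."""
    app: str
    destination: str
    protocol: str
    port_from: int
    port_to: int

    def matches(self, host, protocol, port):
        if protocol != self.protocol or not self.port_from <= port <= self.port_to:
            return False
        if "/" in self.destination:
            try:
                return ip_address(host) in ip_network(self.destination)
            except ValueError:  # host is a name but the segment is a CIDR
                return False
        return host.lower() == self.destination.lower()


@dataclass(frozen=True)
class Policy:
    """Conditions attached to one application, mirroring the conditions in the text."""
    assigned_groups: frozenset
    require_phishing_resistant_mfa: bool = False
    require_compliant_device: bool = False
    max_sign_in_risk: str = "none"


@dataclass(frozen=True)
class Request:
    """One connection attempt as seen by the client agent plus the sign-in context."""
    user: str
    groups: frozenset
    host: str
    protocol: str
    port: int
    auth_method: str
    device_compliant: bool
    sign_in_risk: str


# Constructed segments: a Quick Access catch-all for a legacy range not yet carved
# out, plus two per-app segments with tighter assignment.
SEGMENTS = [
    Segment("Quick Access", "10.20.0.0/16", "tcp", 1, 65535),
    Segment("File shares", "fs01.corp.example", "tcp", 445, 445),
    Segment("Admin RDP", "10.10.5.0/24", "tcp", 3389, 3389),
]

POLICIES = {
    "Quick Access": Policy(frozenset({"all-staff"}), require_compliant_device=True, max_sign_in_risk="low"),
    "File shares": Policy(frozenset({"all-staff"}), require_compliant_device=True),
    "Admin RDP": Policy(frozenset({"server-admins"}), require_phishing_resistant_mfa=True,
                        require_compliant_device=True),
}


def evaluate(req, segments=SEGMENTS, policies=POLICIES):
    """Return (decision, app, reason) for one private-access request.

    Traffic that matches no segment is not tunnelled at all; matched traffic is
    allowed only if every condition on the owning application is met."""
    segment = next((s for s in segments if s.matches(req.host, req.protocol, req.port)), None)
    if segment is None:
        return ("not_tunnelled", None, "destination is in no private application segment")
    policy = policies[segment.app]
    if not req.groups & policy.assigned_groups:
        return ("block", segment.app, "user not assigned to application")
    if policy.require_phishing_resistant_mfa and req.auth_method not in PHISHING_RESISTANT_METHODS:
        return ("block", segment.app, "phishing-resistant MFA required")
    if policy.require_compliant_device and not req.device_compliant:
        return ("block", segment.app, "compliant device required")
    if RISK_LEVELS[req.sign_in_risk] > RISK_LEVELS[policy.max_sign_in_risk]:
        return ("block", segment.app, f"sign-in risk {req.sign_in_risk} exceeds {policy.max_sign_in_risk}")
    return ("allow", segment.app, "all conditions satisfied")


if __name__ == "__main__":
    admin = Request("alice", frozenset({"all-staff", "server-admins"}),
                    "10.10.5.20", "tcp", 3389, "fido2", True, "none")
    print(evaluate(admin))
```

The order of checks matters for what the user sees: assignment is tested first so an unassigned user is told they have no access rather than being prompted for stronger authentication they could never use.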

