Transforming our VPN with Global Secure Access at Microsoft


We’re using Global Secure Access to manage our VPN and remote access at Microsoft.

Ensuring safe and secure access to resources in the enterprise has always been a delicate balance. Protecting corporate assets from intrusions and misuse is paramount. But a system that neglects usability for employees creates frustration and inefficiencies.

At Microsoft, we’re in the midst of a major transformation in how we manage access to our corporate resources. The cornerstone of this change is Microsoft Global Secure Access (GSA), a security service edge (SSE) solution that replaces traditional VPNs with a modern, identity-centric model. GSA provides three core services integrated into a unified framework: Microsoft 365 Access, Internet Access, and Private Access. This approach not only strengthens our enterprise security posture but also simplifies connectivity for both users and administrators.


Over 158,000 of our employees are already using the GSA client and Microsoft 365, with full rollout of private and internet access planned in the coming months. Here’s how we’re building a more secure, seamless, and future-ready access experience across Microsoft’s ecosystems.

Beyond VPNs: the future of secure access

The idea that an internal network is inherently safer than the open internet has always been risky, and modern threats make that assumption dangerous. This is why we’ve embraced the Zero Trust model, shifting away from blanket access and moving toward least-privilege access—ensuring users only get what they need, when they need it, and nothing more.

Adopting a Zero Trust approach across the enterprise makes moving beyond traditional VPNs imperative. For years, we’ve relied on Microsoft VPN and Azure VPN to access internal resources. While effective, these traditional models operate on an “all-or-nothing” basis: once connected, employees gain broad access, regardless of role or security context.

“Years ago, the concept of a VPN was simple: a single virtual private network gave employees access to the company’s entire internal network,” says Pete Apple, a principal cloud network engineer in Microsoft Digital, the company’s IT organization. “Today, this model presents serious risks. If a user’s identity or device is compromised—or if a man-in-the-middle attack occurs—the attacker can connect through the VPN and gain broad access to sensitive data, soft targets, and critical systems.”


This creates challenges for organizations like ours—and yours.

That’s where GSA can help.

It shifts the paradigm by introducing fine-grained, identity-based controls. Through deep integration with Microsoft Entra, administrators can enforce policies that adapt in real time, ensuring only the right users, devices, and conditions grant access to sensitive resources.

“One of the primary reasons for this shift to GSA is that we get more granularity within this identity-based security solution that we can control access on a very fine level,” says Gary Triv, a principal network engineer in Microsoft Digital.

The four pillars of GSA security

Our focus on security is built into everything we do.

“Conditional access, identity-centric controls, and other core elements of Zero Trust are built directly into the solution,” says Lalitha Mahajan, global technical program manager for Global Secure Access.

At the heart of GSA are four foundational security features:

  1. Conditional Access (CA): Unlike VPNs, which provide blanket access, CA enforces contextual rules to ensure role-appropriate access at all times. For example, an engineer may be allowed access to a security portal, while another user may only see Power BI dashboards.
  2. Continuous Access Evaluation (CAE): Access control doesn’t stop at login. CAE evaluates user context in real time. If an employee’s role changes, their credentials are revoked, or they leave the company, their active sessions are immediately terminated.
  3. Network Filtering: GSA allows administrators to define exactly where users can go on the internet or within corporate networks. This ensures employees have access only to approved destinations, reducing exposure to threats.
  4. Compliant Network (CN): Access is tied to the source network. For instance, a device in Redmond may be allowed, but the same device in an untrusted region could be blocked automatically.

Together, these pillars make GSA a secure and adaptive solution, fully aligned with the principles of Zero Trust.

“With the Zero Trust model, our goal is to enforce least-privilege access. That means locking down internal resources, improving segmentation, and using firewalls and other controls so users can’t reach everything by default,” Apple says. “Instead of relying on a blanket VPN network, we’re moving to the Entra Global Secure Access model, which combines network and identity. Instead of granting broad visibility into the entire internal network, access can now be scoped to a user’s identity—so employees only connect to the resources defined for them.”


A perfect example is a Microsoft developer—one of our most common employee roles.

Our developers may need access to specific source code, certain labs, and designated file shares. With GSA, we can grant access only to those resources—and nothing else. This shift from a blanket “once connected, you can see everything” approach, to a tightly defined, identity-based model is a major security improvement and one of the most exciting reasons we’re moving forward with this product.

A key differentiator and critical Zero Trust enabler is GSA’s rich telemetry, which provides real-time visibility into user activity, device health, and network traffic. This continuous stream of data enables early detection of threats, anomaly detection, and precise policy enforcement—strengthening Zero Trust in practice.

“Unlike traditional VPNs, GSA delivers both client-side and server-side insights, all of which we own,” Mahajan says. “This gives us deeper visibility and allows us to make the data more actionable for our use cases.”

The key components of GSA

Private Access is just one of three offerings that make up GSA. Together, these offerings are unified under a single client that creates three dedicated tunnels—one for each service—while administrators centrally define routing and policy rules. GSA consists of:

  • Microsoft 365 Access: Optimized, policy-controlled connectivity for Office apps and services.
  • Internet Access: Secure browsing with TLS inspection, URL filtering, and content controls.
  • Private Access: A modern replacement for legacy VPNs that enables granular access to internal resources.

For Internet Access, GSA supports two deployment models: branch connectivity, where IPsec tunnels secure traffic from devices that cannot run a client (such as printers), and client connectivity, where the GSA client routes laptop or desktop traffic directly to the GSA Edge. Both approaches enforce the same policies; they differ only in how traffic reaches the framework.

Advanced features and monitoring

Unlike fragmented VPN and firewall logs, GSA provides consistent visibility through unified logging, which consolidates session data—including user identity, device, source, destination, and applied policies—into a single view. We can now easily validate whether security features are working as intended and forward logs to Microsoft Sentinel for extended monitoring.

This holistic view provides us with a major advantage against cyber threats, enabling faster investigations and clearer correlations between user behavior and network activity.
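As an added illustration (not Microsoft's code and not the real GSA or Sentinel log schema), the following Python script performs the kind of validation the unified logging passage describes, and exercises three of the four pillars at once: the developer least-privilege scope, the Compliant Network check, and CAE revocation. Every field name, hostname, user, network and timestamp is a constructed assumption.

```python
import json
from datetime import datetime

# Constructed sample records in an assumed, simplified schema (not the real GSA or Sentinel log format):
SAMPLE_LOG = """
{"time": "2025-01-15T09:00:00Z", "user": "dev1@contoso.example", "device": "LT-001", "source_net": "redmond-corp", "dest": "git.corp.example", "action": "allow", "policy": "Dev-SourceCode"}
{"time": "2025-01-15T09:05:00Z", "user": "dev1@contoso.example", "device": "LT-001", "source_net": "redmond-corp", "dest": "finance-db.corp.example", "action": "block", "policy": "Default-Deny"}
{"time": "2025-01-15T09:10:00Z", "user": "dev1@contoso.example", "device": "LT-001", "source_net": "redmond-corp", "dest": "hr-portal.corp.example", "action": "allow", "policy": "Dev-SourceCode"}
{"time": "2025-01-15T09:20:00Z", "user": "dev1@contoso.example", "device": "LT-001", "source_net": "hotel-wifi", "dest": "lab42.corp.example", "action": "allow", "policy": "Dev-Labs"}
{"time": "2025-01-15T10:30:00Z", "user": "dev2@contoso.example", "device": "LT-002", "source_net": "redmond-corp", "dest": "git.corp.example", "action": "allow", "policy": "Dev-SourceCode"}
"""

# Assumed policy model: what a developer is scoped to, which source networks are
# compliant, and when a user was revoked (CAE should have ended their sessions then).
ROLE_SCOPE = {"developer": {"git.corp.example", "lab42.corp.example", "share01.corp.example"}}
USER_ROLE = {"dev1@contoso.example": "developer", "dev2@contoso.example": "developer"}
COMPLIANT_NETS = {"redmond-corp"}
REVOKED_AT = {"dev2@contoso.example": "2025-01-15T10:00:00Z"}

def ts(s):
    # ISO-8601 UTC with trailing Z; fromisoformat on older Pythons needs +00:00
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_log(text):
    # One JSON object per line, as a log forwarder would emit it
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def find_violations(records):
    """Return (record_index, reason) for allowed sessions that contradict the model.
    Blocked records are skipped: a block is the policy working as intended."""
    findings = []
    for i, r in enumerate(records):
        if r["action"] != "allow":
            continue
        scope = ROLE_SCOPE.get(USER_ROLE.get(r["user"]), set())
        if r["dest"] not in scope:
            findings.append((i, "out-of-scope destination allowed"))
        if r["source_net"] not in COMPLIANT_NETS:
            findings.append((i, "allowed from non-compliant network"))
        revoked = REVOKED_AT.get(r["user"])
        if revoked and ts(r["time"]) >= ts(revoked):
            findings.append((i, "session active after revocation"))
    return findings

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for idx, why in find_violations(recs):
        print(f"record {idx}: {why} -> {recs[idx]['user']} {recs[idx]['dest']}")
```

Each finding is a case where the consolidated view (identity, device, source network, destination, applied policy) shows an allow decision that the declared policy model says should not have happened, which is exactly the kind of check the single-view logs make possible.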

Our rollout of GSA is well underway internally at Microsoft. With more than 158,000 GSA client and Microsoft 365 users already onboard, the next phase will expand private access company-wide, followed by broader adoption of internet access. Early pilots have demonstrated strong results, with positive feedback on both usability and the ability to solve unique access challenges.

By delivering a complete, identity-based secure access solution—spanning Microsoft 365, internet, and private connectivity—Microsoft is redefining enterprise access for the cloud-first era. The result is a future where connectivity is not only seamless but also secure, adaptive, and tightly aligned with user identity and context.

Key takeaways

Our experience transitioning to GSA Private Access has left us with several key insights that other enterprises can apply to their own efforts to modernize remote access:

  • Adopt least-privilege access: Move away from blanket network access to ensure employees only reach the resources they need.
  • Reduce risk from compromised accounts: Limit the blast radius of identity or device breaches by segmenting and scoping access.
  • Continuously evaluate trust: Treat access as dynamic, adapting in real time to changes in user roles, device health, or network conditions.
  • Improve visibility through telemetry: Use detailed activity and traffic data to spot anomalies early and strengthen security decisions.
  • Unify security and connectivity: Align access with identity and context, creating a balance between strong protection and seamless user experience.
