Global Secure Access: Zero Trust Networking

What is Global Secure Access?

Three profiles compared

Feature	Private Access	Internet Access	Internet Access for M365
What it replaces	Legacy VPN	Web proxy / SWG	Direct M365 routing / split tunnelling
Traffic type	Internal apps, file shares, intranet	All internet-bound web traffic	Microsoft 365 services only (Exchange, SharePoint, Teams)
Use case	Remote workers accessing on-prem resources	Secure browsing, block malicious sites	Optimise M365 performance, apply tenant restrictions
Key benefit	Per-app access (not full network)	URL filtering, threat protection	Source IP restoration, compliant network detection
Replaces	Site-to-site VPN, per-app VPN	Third-party web proxy, firewall URL filtering	Complex PAC files, split-tunnel configs
Requires connectors?	Yes — Private Network connectors on-prem	No — cloud-native	No — cloud-native
Conditional Access integration	Yes — compliant network as a condition	Yes — compliant network as a condition	Yes — compliant network + tenant restrictions v2

Deploying the Global Secure Access client

The Global Secure Access client runs on user devices and routes traffic through Microsoft’s SSE infrastructure.

Supported platforms:

• Windows 10/11 (most mature)
• macOS
• iOS
• Android

Deployment methods:

• Intune — deploy as a Win32 app or through the Microsoft Store for Business
• Manual install — download from the Entra admin center
• Group Policy — for domain-joined devices not managed by Intune

What the client does:

1. Intercepts network traffic based on enabled traffic profiles
2. Routes matching traffic to Microsoft’s SSE edge (closest point of presence)
3. Applies Conditional Access policies and traffic filtering
4. Non-matching traffic goes directly to the internet (normal routing)

💡 Exam tip: the client is required

GSA is client-based — without the Global Secure Access client installed on the device, no traffic is routed through GSA. This is different from some web proxy solutions that can work without client software.

The exam may test scenarios where GSA policies aren’t working. The first troubleshooting step is always: “Is the Global Secure Access client installed and connected?”

Private Access — replacing VPN

Private Access provides Zero Trust Network Access (ZTNA) to internal resources. Instead of a VPN that gives access to the entire network, Private Access connects users to specific applications only.

How it works

1. Admin installs Private Network connectors on servers in the on-premises network (similar to App Proxy connectors)
2. Admin defines Enterprise Applications for internal resources (e.g., intranet on 10.0.1.5:443, file share on \\fileserver\shared)
3. Admin configures Quick Access (broad IP/FQDN segments) or Per-app Access (specific apps)
4. User’s GSA client intercepts traffic to those destinations
5. Traffic is routed through Microsoft’s SSE → Private Network connector → internal resource
6. Conditional Access policies evaluate every connection

Quick Access vs Per-app Access

Approach	Scope	When to Use
Quick Access	Entire IP ranges or FQDN segments	Fast setup, broad access (like a VPN replacement)
Per-app Access	Individual applications	Granular Zero Trust — users access only specific apps

ℹ️ Scenario: Anika deploys Private Access for a client

Anika’s client has 200 remote workers using a legacy Cisco AnyConnect VPN. The VPN gives full network access — once connected, users can reach anything on the internal network. The security team wants to move to Zero Trust.

Anika’s migration plan:

Phase 1 — Quick Access (VPN replacement):

1. Install Private Network connectors on two servers in the data centre (high availability)
2. Configure Quick Access with the internal IP ranges (10.0.0.0/8, 172.16.0.0/12)
3. Deploy GSA client to all remote workers via Intune
4. Test: remote workers can access internal resources through GSA instead of VPN
5. Run in parallel with VPN for 2 weeks

Phase 2 — Per-app Access (Zero Trust):

1. Identify the top 10 internal applications remote workers actually use
2. Create per-app access entries for each (HR portal, expense system, file shares)
3. Add CA policies: require compliant device + MFA for each app
4. Gradually remove Quick Access segments, moving users to per-app access
5. Decommission VPN once all apps are covered

Result: Instead of VPN “all or nothing” access, each user gets access only to the specific apps they need. A compromised device can’t pivot to other internal resources.

Internet Access — Secure Web Gateway

Internet Access provides Secure Web Gateway (SWG) functionality — filtering and securing all outbound web traffic.

Capabilities:

• Web content filtering — block categories of websites (gambling, malware, adult content)
• FQDN filtering — block or allow specific domains
• Threat protection — block access to known malicious sites
• TLS inspection — decrypt HTTPS traffic for deep inspection (optional, requires certificate deployment)

How it works:

1. GSA client intercepts internet-bound traffic
2. Routes it to Microsoft’s SSE edge
3. Filtering rules are applied (web categories, FQDNs, threat intelligence)
4. Clean traffic is forwarded to the destination
5. Blocked traffic returns a block page to the user

Security profiles and policies

• Security profiles define a set of filtering rules (like a firewall rule set)
• Filtering policies link security profiles to user groups
• Policies are prioritised by order — first match wins

💡 Exam tip: Internet Access is a Secure Web Gateway

When the exam mentions filtering web traffic, blocking malicious URLs, or controlling internet access categories, it’s talking about the Internet Access profile of GSA. Don’t confuse it with:

• Private Access — for internal resources, not internet
• Defender for Cloud Apps — for SaaS app control and CASB, not general web filtering
• Microsoft Defender for Endpoint — endpoint protection, different from network-level filtering

Internet Access = SWG. Private Access = ZTNA. Know the boundary.

Internet Access for Microsoft 365

The Microsoft traffic profile specifically handles traffic to Microsoft 365 services (Exchange Online, SharePoint Online, Teams).

Why a separate profile for M365?

• Source IP restoration — GSA restores the original client IP address in sign-in logs and CA evaluations (normally proxied traffic shows the proxy IP)
• Compliant network detection — Entra can verify the user’s traffic is flowing through GSA, enabling a “compliant network” CA condition
• Tenant restrictions v2 — prevent users from signing in to unauthorised tenants from managed devices (personal Microsoft accounts, other organisations’ tenants)
• Universal tenant restrictions — enforce tenant restrictions at the network level, even for apps that don’t support it natively

Compliant network as a CA condition

When the Microsoft traffic profile is active, Entra can detect that the user’s traffic comes through GSA. You can create a CA policy:

IF: All users → All cloud apps → Network = NOT compliant network
THEN: Block access

This ensures users can only access M365 from devices with GSA connected — effectively a managed network requirement without traditional network-based controls.

ℹ️ Scenario: Anika adds M365 traffic profile for tenant restrictions

Anika’s client is concerned about data exfiltration. Employees might sign in to personal Microsoft accounts or other tenants and upload company data.

Solution using Internet Access for M365:

1. Enable the Microsoft traffic profile in GSA
2. Configure tenant restrictions v2: only allow sign-in to the company tenant
3. Deploy GSA client to all managed devices
4. Create CA policy: require compliant network for all M365 access

Result:

• On a managed device with GSA: user can sign in to company M365 ✅, but cannot sign in to personal Microsoft account ❌
• The company tenant is the only allowed tenant — users can’t exfiltrate data to a personal OneDrive
• If the GSA client is disconnected (e.g., someone tries to bypass it), the compliant network condition fails and access is blocked

Private Network connectors

Private Network connectors (formerly App Proxy connectors) are the on-premises component of Private Access. They bridge GSA to your internal network.

Deployment requirements:

• Windows Server 2012 R2 or later
• Domain-joined (recommended)
• Outbound HTTPS connectivity to Microsoft (no inbound firewall rules needed)
• At least two connectors in a connector group for high availability
• Place connectors close to the applications they serve (minimise latency)

Connector groups let you organise connectors by location or application:

• “Auckland DC connectors” → serve Auckland apps
• “Wellington DC connectors” → serve Wellington apps

🎬 Video walkthrough

🎬 Video coming soon

Global Secure Access — SC-300 Module 15

Global Secure Access — SC-300 Module 15

~12 min

Flashcards

Question

What is the Microsoft traffic profile in Global Secure Access?

Click or press Enter to reveal answer

Answer

Optimises and secures Microsoft 365 traffic. Enables compliant network detection for Conditional Access and tenant restrictions v2 to block sign-in to unauthorised tenants.

Click to flip back

Question

What is Private Access in Global Secure Access?

Click or press Enter to reveal answer

Answer

Zero Trust access to internal/on-prem applications — replaces legacy VPN. Uses Private Network connectors (outbound only) and supports Quick Access (broad IP ranges) or Per-app Access (individual apps).

Click to flip back

Question

What is Internet Access in Global Secure Access?

Click or press Enter to reveal answer

Answer

A Secure Web Gateway (SWG) that filters and controls all outbound internet traffic. Supports URL filtering, web content filtering, FQDN-based rules, and TLS inspection.

Click to flip back

Question

What is the difference between Quick Access and Per-app Access in Private Access?

Click or press Enter to reveal answer

Answer

Quick Access defines broad IP ranges or FQDN segments — like a VPN replacement, gives access to entire network segments. Per-app Access defines individual applications — true Zero Trust, users access only specific apps they need. Best practice: start with Quick Access for migration, then move to per-app.

Click to flip back

Question

What is the 'compliant network' condition in Conditional Access?

Click or press Enter to reveal answer

Answer

When the GSA Microsoft traffic profile is active, Entra detects that user traffic flows through GSA. You can create a CA policy requiring 'compliant network' — blocking access if the user's traffic isn't going through GSA. This ensures M365 access only from managed devices with the GSA client connected.

Click to flip back

Question

How do tenant restrictions v2 work with Global Secure Access?

Click or press Enter to reveal answer

Answer

GSA's Microsoft traffic profile enables tenant restrictions v2 — blocking users from signing in to unauthorised tenants (personal Microsoft accounts, other orgs). Enforced at the network level through GSA. Combined with compliant network CA condition, it prevents data exfiltration to personal OneDrive/SharePoint.

Click to flip back

Knowledge Check

Knowledge Check

An organisation wants to replace their legacy VPN with a Zero Trust solution. Remote workers need access to three specific internal web applications, but should NOT have access to the rest of the internal network. Which approach should they use?

APer-app Access with enterprise applications defined for each of the three appsBQuick Access with the full internal IP range configuredCInternet Access with FQDN filtering for the three internal app domainsDMicrosoft traffic profile with compliant network enforcement

Check Answer

Knowledge Check

A company wants to prevent employees from uploading company documents to personal OneDrive accounts from their managed work laptops. Which Global Secure Access feature addresses this?

APrivate Access with per-app access for OneDriveBInternet Access with web content filtering blocking personal Microsoft sitesCMicrosoft traffic profile with tenant restrictions v2 allowing only the company tenantDConditional Access policy blocking OneDrive access from non-compliant devices

Check Answer

Knowledge Check

After deploying Global Secure Access, a remote user reports they cannot access an internal HR portal. The GSA client shows 'Connected.' What should the admin check first?

AWhether the user has an Entra ID P2 licenceBWhether the Internet Access profile is enabled for the userCWhether the user's device has Windows Defender enabledDWhether Private Network connectors are running and the HR portal is defined in Quick Access or Per-app Access

Check Answer

---

Congratulations! 🎉 You’ve completed Domain 2: Implement Authentication and Access Management. You now understand authentication methods, passwordless deployment, MFA and SSPR, Conditional Access (basic and advanced), ID Protection, and Global Secure Access. Next up is Domain 3: Implement Access Management for Applications.