This chapter covers Microsoft Entra Global Secure Access (GSA), a cloud-native security service that converges network access, identity, and security controls. For the SC-900 exam, this topic represents approximately 5-8% of questions in Domain 2 (Identity Access). Understanding GSA is critical because it demonstrates how Microsoft integrates identity-based access with network security, moving beyond traditional VPNs and perimeter-based models. We will explore its components, mechanisms, configuration, and exam-specific nuances.
Jump to a section
Imagine a large corporation with multiple branch offices, each connected to the internet. Traditionally, employees access cloud apps by going through the public internet, like driving on public roads with no protection. Global Secure Access (GSA) is like building a private, secure tunnel network that connects all branch offices directly to a central security checkpoint before reaching any cloud destination. This checkpoint inspects every vehicle (user request) for identity, device health, and compliance before allowing passage. The tunnels themselves are encrypted and optimized, so traffic doesn't wander over public roads. Internally, GSA uses Microsoft's global network backbone to route traffic through edge nodes close to the user, then through the security checkpoint (Microsoft Entra Internet Access and Microsoft Entra Private Access). This is analogous to having a fleet of secure, dedicated lanes that merge into a single, heavily guarded hub. The hub verifies each traveler's badge (conditional access policies) and ensures they are not carrying prohibited items (threat protection). Only then can they proceed to their specific destination (SaaS app or private resource). This eliminates exposure to internet threats and provides consistent security regardless of user location.
What is Microsoft Entra Global Secure Access?
Microsoft Entra Global Secure Access (GSA) is the Microsoft implementation of a Security Service Edge (SSE) solution. SSE is a Gartner-defined category that converges network security functions—such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS)—into a single, cloud-delivered service. GSA extends Microsoft Entra’s identity and access management capabilities to the network layer, enabling organizations to enforce security policies at the point of connection to any application, whether hosted in Microsoft 365, other SaaS, or private data centers.
Why GSA Exists
Traditional network security relies on a perimeter model: users connect to a corporate network via VPN, and then all traffic is backhauled through a central firewall. This model has several problems: - Latency: Traffic tromboning through a central data center increases delay. - Complexity: VPNs require on-premises hardware and complex routing. - Inconsistent security: Remote users bypass corporate security when accessing cloud apps directly. - No identity awareness: Traditional firewalls see IP addresses, not user identity.
GSA solves these by shifting security to the cloud edge. It uses Microsoft’s global network of over 200 edge nodes to inspect traffic close to the user, applies identity and device context, and forwards only allowed traffic to destinations.
How GSA Works Internally
GSA operates as a reverse proxy and forward proxy combined. The key components are: - Microsoft Entra Internet Access: Handles traffic to SaaS applications (e.g., Microsoft 365, Salesforce, Dropbox). It provides SWG capabilities, including URL filtering, TLS inspection, and threat protection. - Microsoft Entra Private Access: Handles traffic to private corporate resources (e.g., on-premises apps, Azure VMs). It uses ZTNA principles: users connect to a connector agent that establishes outbound-only tunnels, eliminating the need for inbound VPN ports.
Traffic Flow Mechanism
Client Side: A lightweight client (Microsoft Entra Private Access client for Windows, macOS, iOS, Android) or a network device (e.g., SD-WAN edge) establishes a secure tunnel to the nearest Microsoft edge node using the WireGuard protocol (UDP, port 51820). WireGuard is a modern, high-performance VPN protocol that uses state-of-the-art cryptography (ChaCha20, Poly1305, Curve25519).
Edge Node: The edge node terminates the tunnel and performs initial inspection. It extracts user identity from the tunnel metadata (which is bound to the authenticated Microsoft Entra session). The edge node enforces conditional access policies—for example, requiring multi-factor authentication (MFA) or device compliance—before allowing further access.
Security Processing: Traffic is then forwarded to the appropriate security processing pipeline:
For Internet Access: The Secure Web Gateway inspects HTTP/HTTPS traffic. It can block malicious URLs, apply category-based filtering, and perform data loss prevention (DLP) scanning. TLS inspection is performed by decrypting traffic using a trusted root certificate, inspecting the plaintext, then re-encrypting.
For Private Access: Traffic is forwarded to a connector agent installed on-premises or in a VNet. The connector agent establishes an outbound-only tunnel to the Microsoft cloud. It then forwards traffic to the internal application server. The server sees the connector’s IP, not the user’s, preserving network segmentation.
Destination: The destination application receives the request. For SaaS apps, the app sees the Microsoft edge node IP as the source. For private apps, the app sees the connector agent IP.
Key Components, Defaults, and Timers
Connector Agents: For Private Access, you install one or more connector agents on Windows Server 2016 or later. Each connector supports up to 500 concurrent connections. Microsoft recommends at least two connectors for high availability. Connectors register with Microsoft Entra ID using a certificate that auto-renews every 90 days.
WireGuard Tunnels: The default MTU is 1420 bytes. The tunnel uses UDP port 51820. Keepalive interval is 25 seconds.
Conditional Access Integration: GSA policies are evaluated at the edge node. The default session timeout is 8 hours. Idle session timeout can be set from 15 minutes to 24 hours.
Traffic Forwarding Profiles: You define which traffic goes through GSA. For example, you can forward all traffic (0.0.0.0/0) or specific IP ranges (e.g., 10.0.0.0/8 for private resources). Default: no traffic is forwarded until a profile is configured.
Logging and Analytics: Microsoft Entra logs all GSA events in the Sign-in logs and Audit logs. Traffic logs are available in Microsoft 365 Defender portal.
Configuration and Verification Commands
Configuration is primarily done via the Microsoft Entra admin center or Microsoft Graph API. There is no CLI for day-to-day management, but you can use PowerShell with the Microsoft Graph module.
Example: Enable Global Secure Access using Microsoft Graph PowerShell
Connect-MgGraph -Scopes "NetworkAccess.ReadWrite.All"
# Create a traffic forwarding profile
$params = @{
"@odata.type" = "#microsoft.graph.networkaccess.trafficForwardingProfile"
displayName = "All Traffic"
description = "Forward all internet and private traffic"
trafficForwardingType = "internetPrivate"
isEnabled = $true
}
New-MgNetworkAccessForwardingProfile -BodyParameter $paramsVerification: Check tunnel status in the client:
Windows client: Get-NetAdapterBinding -ComponentID ms_netwnv (not directly applicable). Instead, use the Global Secure Access client UI or check the event log at Applications and Services Logs/Microsoft/Windows/NetworkAccess/Operational.
For connector health: In Entra admin center, go to Global Secure Access > Connectors.
Interaction with Related Technologies
Microsoft Entra ID: GSA uses Microsoft Entra ID for authentication and conditional access. A user must have a valid Microsoft Entra ID license (P1 or P2) to use GSA.
Microsoft Intune: Device compliance policies are evaluated by Intune and used by GSA to block non-compliant devices.
Microsoft Defender for Cloud Apps: GSA can forward traffic to Defender for Cloud Apps for advanced CASB controls (e.g., session monitoring, file DLP).
Microsoft Sentinel: GSA logs can be ingested into Sentinel for advanced threat hunting.
Azure Virtual Network (VNet): For private access to Azure VMs, you install a connector agent in the VNet or use Azure Private Link integration.
Licensing
GSA requires one of the following licenses:
Microsoft Entra ID P1 or P2 (for identity and conditional access)
Microsoft Entra Internet Access or Microsoft Entra Private Access add-on (standalone or as part of Microsoft 365 E5/A5/G5)
Microsoft 365 E5 Security add-on
Without these licenses, GSA features are not available.
Install GSA Client or Configure Device
On each user device, install the Microsoft Entra Private Access client (for Windows, macOS, iOS, Android) or configure an SD-WAN edge device to connect. The client registers the device with Microsoft Entra ID and establishes a WireGuard tunnel to the nearest Microsoft edge node. The client uses the device’s primary refresh token (PRT) to authenticate. During installation, the client creates a virtual network adapter that routes traffic according to the forwarding profile. For Windows, the client can be deployed via Intune or manually. The client checks in every 30 minutes for policy updates.
Authenticate and Establish Tunnel
When the user signs in to Windows or the client app, Microsoft Entra ID authenticates the user and device. The client then negotiates a WireGuard tunnel with the Microsoft edge node. WireGuard uses a handshake that exchanges public keys and encrypts the session with a symmetric session key. The tunnel is established over UDP port 51820. The client sends keepalive packets every 25 seconds to maintain the tunnel. If no traffic flows for 5 minutes, the tunnel enters a sleep state and wakes on new traffic.
Traffic Classification and Forwarding
The client intercepts network traffic based on the forwarding profile. For example, if the profile forwards all traffic (0.0.0.0/0), the client routes all IP packets through the tunnel. The client classifies traffic as either internet-bound or private-bound. Internet-bound traffic is sent to the Microsoft edge node for SWG inspection. Private-bound traffic (based on IP ranges in the forwarding profile) is sent to the edge node, which then forwards it to the appropriate connector agent. The client does not perform deep inspection; it simply encapsulates packets and sends them over the tunnel.
Edge Node Inspection and Policy Enforcement
The Microsoft edge node receives the tunneled traffic. It decrypts the outer WireGuard layer, then inspects the inner packet. For internet traffic, it performs TLS interception (if enabled) by presenting a certificate issued by the organization’s CA. The edge node checks the destination URL against security policies (URL filtering, category blocking, threat intelligence feeds). It also evaluates conditional access policies: for example, if the user is not MFA-authenticated, the edge node can block access or prompt for MFA. The edge node logs all actions to Microsoft 365 Defender.
Forward to Destination or Connector
After inspection, the edge node forwards the traffic: for internet traffic, it acts as a proxy and makes a new TCP connection to the destination server. The destination sees the edge node’s public IP. For private traffic, the edge node sends the traffic to the appropriate connector agent via an outbound-only tunnel (also WireGuard). The connector agent receives the traffic and forwards it to the internal application server over the local network. The application server sees the connector agent’s IP. The response follows the reverse path: connector → edge node → client.
Enterprise Scenario 1: Replacing VPN for Remote Workers
A global consulting firm with 10,000 remote employees uses GSA to replace its legacy VPN. Previously, users connected to a VPN concentrator in the US headquarters, causing high latency for employees in Europe and Asia. With GSA, each user connects to the nearest Microsoft edge node (e.g., in London, Frankfurt, Singapore). Traffic to Microsoft 365 is optimized using Microsoft’s backbone, reducing latency by 30-50%. The firm configures a traffic forwarding profile to send all internet traffic through GSA, enabling URL filtering to block malicious sites. They enforce conditional access requiring MFA and device compliance. The main challenge was deploying the client to all devices; they used Intune to push the client silently. Performance is monitored via the Global Secure Access dashboard, which shows tunnel health, traffic volumes, and blocked requests. When misconfigured—for example, if the forwarding profile accidentally excludes critical IP ranges—users lose access to internal apps. The fix is to review the profile in the admin center and add the missing ranges.
Enterprise Scenario 2: Securing Access to On-Premises Apps
A healthcare organization with 5,000 users needs to provide access to an electronic health records (EHR) system hosted on-premises. They cannot expose the EHR to the internet due to compliance (HIPAA). They deploy GSA Private Access with two connector agents on Windows Server VMs in the data center. The connectors register with Microsoft Entra ID and establish outbound-only tunnels to Microsoft edge nodes. Users install the GSA client on their laptops. When a user accesses the EHR via a specific FQDN or IP, the client tunnels traffic to the edge node, which forwards it to one of the connectors. The connector forwards the request to the EHR server. The server sees the connector’s IP, not the user’s, preserving network segmentation. Conditional access policies require that the user’s device is compliant (e.g., antivirus enabled, disk encrypted) and that access is from a trusted location. The organization uses the GSA logs in Microsoft 365 Defender to audit access. A common issue is connector overload: if only one connector is deployed, it may become saturated. Microsoft recommends at least two connectors, each supporting up to 500 concurrent connections. They also set up health monitoring alerts for connector status.
Enterprise Scenario 3: Merging Security for SaaS and Private Apps
A multinational manufacturing company with 20,000 users uses both Microsoft 365 and custom SaaS apps (e.g., Salesforce, Workday) plus legacy on-premises apps. They deploy GSA with both Internet Access and Private Access. They create a unified forwarding profile that sends all traffic to Microsoft edge nodes. Internet traffic is inspected by the SWG for URL filtering and malware blocking. Private traffic is tunneled to connectors in each regional data center. They integrate with Defender for Cloud Apps to monitor user sessions and apply DLP policies (e.g., preventing upload of sensitive data to personal cloud storage). The company uses Microsoft Sentinel to correlate GSA logs with other security events. Performance considerations: they enable TLS inspection for outbound traffic, which requires deploying a trusted root certificate to all devices via Group Policy. Without this, TLS inspection fails and users see certificate errors. They also configure split tunneling to allow direct access to trusted sites like Windows Update to reduce latency. The deployment took three months, including pilot testing with 500 users. The biggest lesson was to carefully plan the forwarding profile to avoid breaking non-web applications that use non-standard ports.
Exam Focus: SC-900 Objective 2.5
The SC-900 exam tests your understanding of Global Secure Access as part of the Microsoft Entra portfolio. Specifically, you need to know: - What GSA is: A cloud-native SSE solution that converges identity and network access security. - Components: Microsoft Entra Internet Access (for SaaS) and Microsoft Entra Private Access (for private apps). - How it differs from VPN: No inbound ports, identity-aware, cloud-delivered, uses WireGuard protocol. - Licensing requirements: Requires Microsoft Entra ID P1/P2 plus appropriate add-on licenses (Internet Access, Private Access, or M365 E5). - Integration with Conditional Access: GSA can enforce CA policies at the network level. - Traffic forwarding profiles: Define which traffic goes through GSA.
Common Wrong Answers
"GSA replaces Microsoft Entra ID." Wrong. GSA is an add-on that extends Entra ID. Entra ID is still required for identity and authentication.
"GSA requires a VPN appliance on-premises." Wrong. GSA uses connector agents that establish outbound-only tunnels; no inbound VPN ports are needed.
"GSA only works with Microsoft 365." Wrong. Internet Access supports any SaaS app; Private Access supports any private app (on-premises or in Azure).
"GSA is the same as Azure VPN Gateway." Wrong. Azure VPN Gateway is a site-to-site VPN solution; GSA is an SSE solution for user-to-app access with identity integration.
Specific Numbers and Terms on the Exam
WireGuard protocol (UDP 51820)
Connector agent: Windows Server 2016 or later, supports 500 concurrent connections
Licensing: Microsoft Entra ID P1/P2 + Entra Internet Access or Entra Private Access (or M365 E5)
Traffic forwarding types: internet, private, or internetPrivate
Edge nodes: over 200 globally
Edge Cases the Exam Loves
What if a user does not have the GSA client installed? They can still access apps directly (unless blocked by other policies), but GSA policies are not enforced.
Can GSA be used without Microsoft Entra ID? No, it requires Entra ID for authentication.
Does GSA support non-HTTP protocols? Yes, for private access it can forward any TCP/UDP traffic (e.g., RDP, SSH) as long as the connector agent can reach the destination.
How to Eliminate Wrong Answers
If an answer mentions "VPN concentrator" or "inbound port," it's likely wrong because GSA is outbound-only.
If an answer suggests GSA replaces identity management, it's wrong because GSA depends on Entra ID.
If an answer says GSA only works for Microsoft apps, it's wrong because it supports any SaaS and private apps.
Global Secure Access is Microsoft's SSE solution combining Internet Access (SWG for SaaS) and Private Access (ZTNA for private apps).
GSA uses the WireGuard protocol over UDP port 51820 for secure tunnels.
Connector agents for Private Access run on Windows Server 2016+ and support up to 500 concurrent connections each.
GSA requires Microsoft Entra ID P1/P2 license plus an add-on (Internet Access, Private Access, or M365 E5).
Traffic forwarding profiles define which traffic (internet, private, or both) is routed through GSA.
Conditional Access policies can be enforced at the network edge by GSA, requiring MFA or device compliance before access.
GSA does not replace Microsoft Entra ID; it extends identity controls to the network layer.
The exam focuses on GSA components, licensing, and how it differs from traditional VPN.
Common wrong answer: thinking GSA only works with Microsoft apps.
These come up on the exam all the time. Here's how to tell them apart.
Global Secure Access (SSE)
Cloud-delivered, no on-premises hardware (except lightweight connectors)
Uses outbound-only WireGuard tunnels; no inbound ports exposed
Identity-aware: enforces conditional access policies at network level
Supports any app (SaaS, private, web, non-web)
Global edge network reduces latency by connecting users to nearest node
Traditional VPN
Requires on-premises VPN concentrator or gateway appliance
Requires inbound ports (e.g., UDP 500, 4500 for IPsec) exposing attack surface
IP-based: sees source IP, not user identity; no integration with identity providers
Primarily for corporate network access; often requires split tunneling for SaaS
Traffic backhauled to central data center, increasing latency for remote users
Mistake
Global Secure Access is just a new name for Azure AD Application Proxy.
Correct
GSA is a completely different service. Azure AD Application Proxy is a reverse proxy for on-premises web apps, requiring inbound connections from the cloud. GSA Private Access uses an outbound-only connector model with WireGuard tunnels, supports any TCP/UDP app (not just web), and integrates with conditional access at the network level.
Mistake
GSA requires on-premises hardware like a VPN appliance.
Correct
GSA is cloud-delivered. The only on-premises component is the connector agent (a software service on Windows Server) for private access. There is no hardware appliance. For internet access, no on-premises component is needed—just a client on user devices.
Mistake
GSA only works with Microsoft 365 and Azure apps.
Correct
GSA Internet Access supports any SaaS app (e.g., Salesforce, Workday, Dropbox) via SWG capabilities. Private Access supports any private app (web, RDP, SSH, etc.). It is not limited to Microsoft ecosystem.
Mistake
GSA replaces the need for Microsoft Entra ID Conditional Access.
Correct
GSA extends Conditional Access to the network layer but does not replace it. Conditional Access policies are still evaluated by Microsoft Entra ID. GSA can enforce those policies at the edge node, but the policies themselves are created in Entra ID.
Mistake
GSA traffic is not encrypted because it uses a proprietary protocol.
Correct
GSA uses the WireGuard protocol, which is open-source and uses modern encryption (ChaCha20, Poly1305, Curve25519). It is considered highly secure and is used by many VPN solutions. The tunnel is fully encrypted.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Microsoft Entra Internet Access is the Secure Web Gateway (SWG) component that secures access to SaaS applications (e.g., Microsoft 365, Salesforce). It inspects HTTP/HTTPS traffic, enforces URL filtering, and blocks threats. Microsoft Entra Private Access is the Zero Trust Network Access (ZTNA) component that secures access to private corporate resources (e.g., on-premises apps, Azure VMs). It uses connector agents to establish outbound-only tunnels. Both are part of Global Secure Access. For the exam, remember: Internet = SaaS, Private = internal apps.
Yes, for user-to-app access, a client is required. The Microsoft Entra Private Access client is available for Windows, macOS, iOS, and Android. For network-to-cloud scenarios (e.g., branch offices), you can configure SD-WAN devices to connect directly to Microsoft edge nodes without a per-device client. The client establishes a WireGuard tunnel and enforces forwarding policies. Without the client, traffic bypasses GSA.
You need a base Microsoft Entra ID P1 or P2 license for identity and conditional access. Then you need an add-on: Microsoft Entra Internet Access, Microsoft Entra Private Access, or a bundle like Microsoft 365 E5/A5/G5 or Microsoft 365 E5 Security. Standalone add-ons are available. The exam may ask: 'Which license is required?' Common correct answer: Microsoft Entra ID P1 plus an appropriate add-on.
Yes, for user-to-app access, GSA can replace traditional VPNs. It provides better security (no inbound ports, identity-aware), lower latency (global edge nodes), and simpler management (cloud-based). However, for site-to-site connectivity (e.g., connecting two data centers), you would still use Azure VPN Gateway or ExpressRoute. GSA is primarily for user-to-app and branch-to-cloud scenarios.
GSA can perform TLS inspection for internet traffic. The edge node acts as a man-in-the-middle: it decrypts the TLS session, inspects the plaintext for threats and DLP, then re-encrypts the traffic to the destination. This requires deploying a trusted root certificate to all client devices (e.g., via Group Policy or Intune). Without the certificate, users will see certificate errors. The exam may ask about the need for a trusted certificate.
The default session timeout is 8 hours. Idle session timeout can be configured from 15 minutes to 24 hours. These timeouts are managed via conditional access session controls. The exam may test that the default is 8 hours. Additionally, the WireGuard tunnel keepalive interval is 25 seconds.
No. Global Secure Access is built on Microsoft Entra ID. It uses Microsoft Entra ID for authentication, conditional access policies, and device identity. Without a Microsoft Entra ID tenant with appropriate licenses, GSA cannot function. The exam will emphasize that GSA is an extension of Entra ID, not a standalone product.
You've just covered Microsoft Entra Global Secure Access — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?