
The traditional corporate VPN is reaching the end of its life. With Microsoft Entra Global Secure Access, Microsoft offers a fully integrated Security Service Edge solution that replaces VPN with Entra Private Access and secures internet traffic with Entra Internet Access. What does this mean and how do you migrate?
The corporate VPN has served as the gateway to business networks for decades. But in a world where applications run in the cloud, employees work from anywhere and threats are increasingly sophisticated, the VPN shows its limitations. Once connected, a user — or an attacker — has access to the entire network segment. Microsoft offers a modern alternative with Entra Global Secure Access, built on Zero Trust principles.
Entra Global Secure Access is Microsoft's Security Service Edge (SSE) solution and consists of two complementary services. Entra Private Access replaces the traditional VPN with identity-based access to internal resources and applications. Entra Internet Access secures all internet traffic from managed devices via a cloud-based Secure Web Gateway.
Both services are integrated in the Microsoft Entra portal and work seamlessly with Entra ID, Conditional Access and Microsoft Defender for Endpoint. This makes Global Secure Access distinctive: it is not a standalone product but an extension of the identity and security platform that Microsoft 365 organisations already use.
With a classic VPN connection, a user gains access to a broad network segment once authenticated. Entra Private Access works differently: access is granted based on the specific application or resource a user needs, not based on network location. This is called Zero Trust Network Access (ZTNA).
Every access attempt is evaluated against Entra Conditional Access policy: Is the device compliant? Has the user identity been verified with multi-factor authentication? Is the user in a high-risk location? Based on these signals, access is granted, restricted or denied. This also applies to internal applications running on on-premises servers, meaning hybrid environments are fully supported.
Entra Internet Access acts as a cloud-based proxy for all internet traffic from managed devices. It filters malicious websites, blocks categories based on policy (such as social media or gambling sites) and inspects encrypted HTTPS traffic for threats. This replaces on-premises web proxy solutions and legacy Secure Web Gateway appliances.
A particularly valuable feature is the integration with Microsoft 365: Global Secure Access can route M365 traffic directly via the Microsoft backbone, reducing latency and improving reliability for Teams calls, Exchange Online and SharePoint.
A phased approach is most successful. In phase 1, inventory which internal applications are currently accessible via VPN and which user groups have access to them. In phase 2, migrate the first set of applications to Entra Private Access and configure the associated Conditional Access policies. In phase 3, enable Entra Internet Access as a replacement for the existing proxy and roll it out to all managed devices.
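An added example for the phase 1 inventory, not part of the original article and not Microsoft tooling: it aggregates VPN flow records into per-application destinations with the groups that actually use them, and contrasts that with the subnet the VPN grants. The log format, subnet, user names and group names are constructed assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed sample: VPN gateway flow log export (column layout is an assumption).
VPN_FLOWS = """user,group,dst_ip,dst_port,proto
alice,Finance,10.20.1.15,443,tcp
bob,Finance,10.20.1.15,443,tcp
carol,Engineering,10.20.2.40,22,tcp
carol,Engineering,10.20.2.41,22,tcp
dave,Engineering,10.20.1.15,443,tcp
erin,HR,10.20.3.8,1433,tcp
alice,Finance,10.20.3.8,1433,tcp
"""
# Constructed: the subnet every authenticated VPN user can currently reach.
VPN_GRANTED_SUBNET = ipaddress.ip_network("10.20.0.0/16")

def inventory(flow_csv):
    """Map each (ip, port, proto) destination to the groups and users seen using it."""
    segments = defaultdict(lambda: {"groups": set(), "users": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        ip = ipaddress.ip_address(row["dst_ip"])
        if ip not in VPN_GRANTED_SUBNET:
            continue  # not an internal resource behind the VPN
        key = (str(ip), int(row["dst_port"]), row["proto"].lower())
        segments[key]["groups"].add(row["group"])
        segments[key]["users"].add(row["user"])
    return dict(segments)

def exposure(segments, group):
    """Return (hosts the group actually used, addresses the VPN subnet exposes)."""
    used = {ip for (ip, _, _), s in segments.items() if group in s["groups"]}
    return len(used), VPN_GRANTED_SUBNET.num_addresses

if __name__ == "__main__":
    segs = inventory(VPN_FLOWS)
    for (ip, port, proto), s in sorted(segs.items()):
        print(f"{ip}:{port}/{proto}  groups={sorted(s['groups'])}  users={len(s['users'])}")
    used, reachable = exposure(segs, "Finance")
    print(f"Finance uses {used} hosts; VPN grants {reachable} addresses")
```

Each resulting destination and group set is a candidate application and assignment to review before the phase 2 migration. The gap between hosts used and addresses reachable is the over-exposure that per-application access removes.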
The Microsoft Global Secure Access client is deployed via Microsoft Intune as a lightweight driver that runs transparently in the background. End users will barely notice the transition as long as policies are properly configured.
Entra Private Access and Entra Internet Access are available as part of Microsoft Entra Suite or as standalone add-ons to Microsoft 365 E3/E5. Entra Suite also includes Entra ID Governance, Entra ID Protection and Verified ID. Contact your Microsoft partner for an up-to-date licence overview tailored to your organisation's size and security requirements.
Zarioh Digital Solutions guides organisations through the transition from traditional VPN to Entra Global Secure Access. From inventory to full implementation: get in touch for a no-obligation conversation about your Zero Trust strategy.