{"id":20360,"date":"2025-09-25T09:00:00","date_gmt":"2025-09-25T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=20360"},"modified":"2025-10-02T09:16:30","modified_gmt":"2025-10-02T16:16:30","slug":"transforming-our-vpn-with-global-secure-access-at-microsoft","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/transforming-our-vpn-with-global-secure-access-at-microsoft\/","title":{"rendered":"Transforming our VPN with Global Secure Access at Microsoft"},"content":{"rendered":"\n

Ensuring safe and secure access to resources in the enterprise has always been a delicate balance. Protecting corporate assets from intrusions and misuse is paramount. But a system that neglects usability for employees creates frustration and inefficiencies.<\/p>\n\n\n\n

At Microsoft, we\u2019re in the midst of a major transformation in how we manage access to our corporate resources. The cornerstone of this change is Microsoft Global Secure Access (GSA), a security service edge (SSE) solution that replaces traditional VPNs with a modern, identity-centric model. GSA provides three core services integrated into a unified framework: Microsoft 365 Access, Internet Access, and Private Access. This approach not only strengthens our enterprise security posture but also simplifies connectivity for both users and administrators.<\/p>\n\n\n\n

Over 158,000 of our employees are already using the GSA client and Microsoft 365, with full rollout of private and internet access planned in the coming months. Here\u2019s how we\u2019re building a more secure, seamless, and future-ready access experience across Microsoft\u2019s ecosystems.<\/p>\n\n\n\n

Beyond VPNs: the future of secure access<\/h2>\n\n\n\n

The idea that an internal network is inherently safer than the open internet has always been risky, and modern threats make that assumption dangerous. This is why we\u2019ve embraced the Zero Trust model, shifting away from blanket access and moving toward least-privilege access\u2014ensuring users only get what they need, when they need it, and nothing more.<\/p>\n\n\n\n

Adopting a Zero Trust approach across the enterprise makes moving beyond traditional VPNs imperative. For years, we\u2019ve relied on Microsoft VPN and Azure VPN to access internal resources. While effective, these traditional models operate on an \u201call-or-nothing\u201d basis: once connected, employees gain broad access, regardless of role or security context.<\/p>\n\n\n\n

\u201cYears ago, the concept of a VPN was simple: a single virtual private network gave employees access to the company\u2019s entire internal network,\u201d says Pete Apple, a principal cloud network engineer in Microsoft Digital, the company\u2019s IT organization. \u201cToday, this model presents serious risks. If a user\u2019s identity or device is compromised\u2014or if a man-in-the-middle attack occurs\u2014the attacker can connect through the VPN and gain broad access to sensitive data, soft targets, and critical systems.\u201d<\/p>\n\n\n\n

This creates challenges for organizations like ours\u2014and yours.<\/p>\n\n\n\n

That\u2019s where GSA can help.<\/p>\n\n\n\n

It shifts the paradigm by introducing fine-grained, identity-based controls. Through deep integration with Microsoft Entra, administrators can enforce policies that adapt in real time, ensuring only the right users, devices, and conditions grant access to sensitive resources.<\/p>\n\n\n\n

\u201cOne of the primary reasons for this shift to GSA is that we get more granularity within this identity-based security solution, so that we can control access on a very fine level,\u201d says Gary Triv, a principal network engineer in Microsoft Digital.<\/p>\n\n\n\n

The four pillars of GSA security<\/h2>\n\n\n\n

Our focus on security is built into everything we do.<\/p>\n\n\n\n

\u201cConditional access, identity-centric controls, and other core elements of Zero Trust are built directly into the solution,\u201d says Lalitha Mahajan, global technical program manager for Global Secure Access.<\/p>\n\n\n\n

At the heart of GSA are four foundational security features:<\/p>\n\n\n\n

\n
1. Conditional Access (CA):<\/strong> Unlike VPNs, which provide blanket access, CA enforces contextual rules to ensure role-appropriate access at all times. For example, an engineer may be allowed access to a security portal, while another user may only see Power BI dashboards.<\/li>\n\n\n\n
2. Continuous Access Evaluation (CAE):<\/strong> Access control doesn\u2019t stop at login. CAE evaluates user context in real time. If an employee\u2019s role changes, their credentials are revoked, or they leave the company, their active sessions are immediately terminated.<\/li>\n\n\n\n
3. Network Filtering:<\/strong> GSA allows administrators to define exactly where users can go on the internet or within corporate networks. This ensures employees have access only to approved destinations, reducing exposure to threats.<\/li>\n\n\n\n
4. Compliant Network (CN):<\/strong> Access is tied to the source network. For instance, a device in Redmond may be allowed, but the same device in an untrusted region could be blocked automatically.<\/li>\n<\/ol>\n\n\n\n

Together, these pillars make GSA a secure and adaptive solution, fully aligned with the principles of Zero Trust.<\/p>\n\n\n\n

\u201cWith the Zero Trust model, our goal is to enforce least-privilege access. That means locking down internal resources, improving segmentation, and using firewalls and other controls so users can\u2019t reach everything by default,\u201d Apple says. \u201cInstead of relying on a blanket VPN network, we\u2019re moving to the Entra Global Secure Access model, which combines network and identity. Instead of granting broad visibility into the entire internal network, access can now be scoped to a user\u2019s identity\u2014so employees only connect to the resources defined for them.\u201d<\/p>\n\n\n\n

A perfect example is a Microsoft developer\u2014one of our most common employee roles.<\/p>\n\n\n\n

Our developers may need access to specific source code, certain labs, and designated file shares. With GSA, we can grant access only to those resources\u2014and nothing else. This shift from a blanket \u201conce connected, you can see everything\u201d approach to a tightly defined, identity-based model is a major security improvement and one of the most exciting reasons we\u2019re moving forward with this product.<\/p>\n\n\n\n

A key differentiator and critical Zero Trust enabler is GSA\u2019s rich telemetry, which provides real-time visibility into user activity, device health, and network traffic. This continuous stream of data enables early threat and anomaly detection and precise policy enforcement\u2014strengthening Zero Trust in practice.<\/p>\n\n\n\n

\u201cUnlike traditional VPNs, GSA delivers both client-side and server-side insights, all of which we own,\u201d Mahajan says. \u201cThis gives us deeper visibility and allows us to make the data more actionable for our use cases.\u201d<\/p>\n\n\n\n

The key components of GSA<\/h2>\n\n\n\n

Private Access is just one of three offerings that make up GSA. Together, these offerings are unified under a single client that creates three dedicated tunnels\u2014one for each service\u2014while administrators centrally define routing and policy rules. GSA consists of:<\/p>\n\n\n\n