Securing the Modern Workforce: Microsoft Entra Global Secure Access and the Future of Network Security

Embracing the New Work Era with Microsoft Entra Global Secure Access

The workplace has changed. Employees are no longer tied to a corporate office and work from virtually anywhere, and applications and data have moved to the cloud. Together these shifts call for an identity-aware, cloud-delivered network perimeter rather than one anchored to the corporate LAN. Security Service Edge (SSE) is the network security category that has emerged to meet this need: cloud-delivered controls such as a secure web gateway and Zero Trust network access, applied to traffic wherever the user happens to be.

Microsoft Entra Global Secure Access: Redefining Security Service Edge

At the core of Microsoft’s Security Service Edge (SSE) solution are Microsoft Entra Internet Access and Microsoft Entra Private Access. Together, they form Microsoft Entra Global Secure Access—a centralized hub within the Microsoft Entra admin center. Built on Zero Trust principles—verify explicitly, use least privilege access, and assume breach—Global Secure Access unifies and seamlessly integrates network, identity, and endpoint access controls.

[Figure: Microsoft Entra Global Secure Access architecture diagram. Image source: Microsoft]

Unified Access Control for Modern Organizations

Microsoft Entra Internet Access and Microsoft Entra Private Access, together with Microsoft Defender for Cloud Apps, deliver network security from a single policy plane. Access policy is managed in one place and enforced in real time for employees, partners, and workloads. Because sessions are continuously monitored and re-evaluated against user risk, access can be tightened or revoked as conditions change, whatever the app, resource, or location.

Delivered over Microsoft's global wide area network, with 140+ regions and 190+ network edge locations, Global Secure Access terminates user and device traffic at the nearest edge and carries it to public and private resources from there. A single portal covers rollout and management of all of these capabilities.

Microsoft Entra Internet Access: Securing Internet and SaaS Apps

Microsoft Entra Internet Access protects internet and SaaS application access, shielding organizations from threats such as malicious traffic and unsafe content. This identity-centric secure web gateway (SWG) integrates seamlessly with Conditional Access to enforce rich context-aware policies.

Key Features:

  • Acquire network traffic via user-aware profiles from desktop clients or remote networks.
  • Access detailed network traffic logs and dashboards, including relationship maps and top destinations.
  • Protect users from internet threats with Microsoft’s cloud-delivered SWG solution.
  • Enable web content filtering based on web categories or fully qualified domain names (FQDNs).
  • Apply Conditional Access policies universally to all internet destinations, even non-federated ones.

For Microsoft Services:

Microsoft Entra Internet Access enhances security and performance for Microsoft services with direct connectivity and features such as Universal Tenant Restrictions, detailed traffic logs, and streamlined Conditional Access policies.

Microsoft Entra Private Access: Secure Access to Private Resources

Microsoft Entra Private Access provides Zero Trust-based access to corporate resources for users working remotely or on-premises. It replaces broad, network-level VPN access with per-application connections governed by Conditional Access and adaptive policies.

Key Features:

  • Quick Access: publish ranges of private IP addresses and FQDNs as a single enterprise application for fast, Zero Trust-based onboarding of broad network access.
  • Per-app access for TCP and UDP applications, each published and governed individually.
  • Traffic acquisition that can run side by side with an existing SSE solution.
  • Conditional Access enforced in front of legacy applications that cannot perform modern authentication themselves.

Remote Network Connectivity with Microsoft Entra Global Secure Access

Global Secure Access offers two connectivity options: installing the Global Secure Access client on end-user devices, or configuring a remote network, such as a branch office whose router or firewall (customer premises equipment) terminates a tunnel to the service. Remote network connectivity lets end users and guests on that network be covered without installing the Global Secure Access client on each device.

What is a Remote Network?

Remote networks are external locations or setups that require secure internet connectivity. For example, organizations with headquarters and branch offices in various geographic regions rely on remote networks to access corporate data and services. These branch offices need a secure way to communicate with data centers, headquarters, and remote workers, making the security of remote networks essential.

Typically, remote networks such as branch offices connect to the corporate network over a dedicated Wide Area Network (WAN) or a site-to-site Virtual Private Network (VPN). The branch reaches these links through its customer premises equipment (CPE), normally a router or firewall, which all devices on the branch LAN sit behind.

Current Challenges of Remote Network Security

  • Bandwidth Limitations: The rapid growth of devices requiring internet access has strained traditional networks, which are difficult to scale. SaaS applications like Microsoft 365 need low-latency, jitter-free connectivity, which hub-and-spoke WANs built on MPLS struggle to deliver when all traffic is backhauled through headquarters.
  • High IT Costs: On-premises firewalls require dedicated IT teams for setup and maintenance. Deploying IT staff at every branch location is expensive and inefficient.
  • Evolving Threats: Malicious actors increasingly target edge devices in branch or home offices, making them vulnerable entry points for attacks.

How Does Remote Network Connectivity Work?

To connect a remote network, an IPsec tunnel (IKEv2) is established between the branch's customer premises equipment and a Global Secure Access endpoint in the region chosen for that remote network. Global Secure Access advertises, over BGP inside the tunnel, the routes for the traffic forwarding profiles assigned to the remote network, so the CPE sends only that traffic through the tunnel. At the endpoint, the policies configured in the Microsoft Entra admin center are applied before the traffic is forwarded on.

Remote network connectivity secures traffic between the remote network and the Global Secure Access service only. It does not create site-to-site connectivity between remote networks: branch-to-branch or branch-to-headquarters traffic still travels over the existing WAN or VPN.
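As an added example, not part of the original post or of Microsoft's own documentation, the following PowerShell creates a remote network with one device link through the Microsoft Graph beta networkAccess API and then reads back the parameters Microsoft assigns to its side of the tunnel. The permission scope, endpoint paths and body fields follow the Graph beta reference as I understand it and should be checked against the current reference before use; every IP address, name, ASN and the pre-shared key are made-up placeholders. It assumes PowerShell 7 and the Microsoft.Graph.Authentication module.

```powershell
# Added example (not from the original post): create a remote network and a
# device link via Microsoft Graph, then fetch the Microsoft-side tunnel details
# that go into the branch CPE's IKEv2 peer and BGP neighbor configuration.
# Assumptions to verify: scope NetworkAccess.ReadWrite.All and the
# /beta/networkAccess/connectivity/remoteNetworks resource shape.
# All names, addresses, ASNs and the PSK are placeholders.

Connect-MgGraph -Scopes "NetworkAccess.ReadWrite.All"

# Read the IKEv2 pre-shared key interactively so it never lands in the script
# or shell history. ConvertFrom-SecureString -AsPlainText needs PowerShell 7.
$preSharedKey = Read-Host -AsSecureString "IKEv2 pre-shared key" |
    ConvertFrom-SecureString -AsPlainText

$body = @{
    name   = "branch-seattle"        # hypothetical branch name
    region = "westUS"                # Global Secure Access region closest to the branch
    deviceLinks = @(
        @{
            name                    = "seattle-cpe-1"
            ipAddress               = "203.0.113.10"  # public IP of the CPE (documentation range)
            bandwidthCapacityInMbps = "mbps250"       # 250 Mbps per ~1,250 users per the sizing guidance
            deviceVendor            = "other"
            bgpConfiguration = @{
                localIpAddress = "192.168.255.1"      # BGP peering address on the CPE side
                peerIpAddress  = "192.168.255.2"      # BGP peering address Microsoft will use
                asn            = 65010                # private ASN for the branch
            }
            redundancyConfiguration = @{
                redundancyTier     = "noRedundancy"   # single tunnel; no zone-redundant second link
                zoneLocalIpAddress = $null
            }
            tunnelConfiguration = @{
                "@odata.type" = "#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default"
                preSharedKey  = $preSharedKey
            }
        }
    )
}

$remoteNetwork = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks" `
    -Body ($body | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created remote network $($remoteNetwork.name) with id $($remoteNetwork.id)"

# Microsoft's end of the tunnel (gateway endpoint, BGP address, ASN) is generated
# server-side; retrieve it to configure the CPE. Printed raw so no field names
# beyond the documented relationship are assumed here.
$connectivity = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks/$($remoteNetwork.id)/connectivityConfiguration"

$connectivity | ConvertTo-Json -Depth 10
```

Creating the remote network is not the last step: the Microsoft traffic forwarding profile still has to be associated with it (under the remote network's traffic profiles in the admin center) before Global Secure Access advertises routes to the CPE, and the CPE must be configured with the returned endpoint, BGP address and ASN as its IKEv2 peer and BGP neighbor. Because the tunnel only carries the advertised prefixes, any branch-to-branch routing the site relies on has to remain on the existing WAN or VPN.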

Why Remote Network Connectivity Matters

Securing corporate networks is increasingly complex in an era of remote work and distributed teams. Security Service Edge (SSE) ensures that users can access corporate resources from anywhere without routing traffic back to headquarters. Remote network connectivity addresses various organizational concerns:

  • No Client Installation on Thousands of Devices: Instead of installing clients on every device at branch locations, remote network connectivity allows an IPSec tunnel between the branch office’s core router and the Global Secure Access endpoint. This eliminates the need for individual client installations while ensuring secure traffic routing.
  • Support for Devices Without Clients: Certain devices—like Linux systems, mainframes, cameras, and printers—cannot have clients installed. Remote network connectivity ensures all traffic originating from such devices is monitored and secured.
  • Guest Devices on the Network: Guest devices often lack the required client software. Remote network connectivity ensures that all outgoing traffic from guest devices adheres to security policies by default, without requiring client installations.

Licensing Overview

Microsoft Entra’s Global Secure Access solutions are now generally available with flexible licensing options:

  • Microsoft Entra Internet Access for Microsoft Services: Included in Microsoft Entra ID P1 or P2 licenses.
  • Microsoft Entra Internet Access: Available standalone or as part of the Microsoft Entra Suite.
  • Microsoft Entra Private Access: Available standalone or as part of the Microsoft Entra Suite.

To use these solutions, an active Microsoft Entra ID P1 or P2 license is required.

Remote Network Licensing

Microsoft has not finalized the licensing model for remote networks, but it does publish sizing guidance for Microsoft traffic: allocate 250 Mbps of bandwidth for every 1,250 users accessing Microsoft traffic. Usage above the allocated bandwidth may incur additional charges.

Learn More:

For licensing costs and details of the Microsoft Entra Suite, see Microsoft Entra Plans & Pricing.

For a step-by-step guide on configuring Entra Private Access, please refer to my blog post: Microsoft Entra Private Access Configuration.
