Unit 2: Explore Global Secure Access

What Global Secure Access Is

Global Secure Access merges network security, identity security, and endpoint awareness into a single cloud-based solution. It allows organizations to control access to:

• Microsoft services.
• SaaS applications.
• Public internet destinations.
• Private corporate resources.

All access is delivered over Microsoft’s global private wide-area network, reducing reliance on public internet routing and improving both security and performance.

Management is centralized through a unified portal, allowing administrators to monitor access, enforce policies, and respond to risk in near real time.

Microsoft Entra Internet Access

Microsoft Entra Internet Access secures access to Microsoft services, SaaS apps, and public internet destinations using a cloud-delivered Secure Web Gateway (SWG).

Instead of relying on on-premises proxies, Internet Access uses identity-centric and device-aware controls to protect traffic.

Key Capabilities

• Prevent stolen token replay attacks using compliant network checks.
• Apply universal tenant restrictions to prevent data exfiltration.
• Enrich logs with network and device signals.
• Improve risk assessment accuracy for users, locations, and devices.
• Capture traffic from client devices or remote networks.
• Regulate web access based on content categories and domains.
• Apply Conditional Access policies consistently across internet traffic.

Internet Access effectively replaces traditional web proxies with a Zero Trust-aligned solution.

Microsoft Entra Private Access

Microsoft Entra Private Access provides secure access to private corporate resources, such as:

• On-premises applications.
• Private cloud workloads.
• Line-of-business applications.

Private Access extends the capabilities of Microsoft Entra Application Proxy, allowing access to any port and protocol, not just HTTP-based apps.

Users can access private resources without a VPN, from any device or location, while still enforcing Conditional Access.

Key Capabilities

• Zero Trust access to private IP addresses and FQDNs.
• Modern authentication for legacy applications.
• Per-application adaptive access.
• Side-by-side deployment with existing SSE solutions.

Prerequisites

Before deployment, ensure the following.

Licensing:

• Microsoft Entra ID P1 or P2.
• Microsoft Entra Internet Access and/or Private Access license.

Roles:

• Global Secure Access Administrator.

Planning:

• Review Zero Trust guidance before implementation.