Microsoft Entra Private Access vs Global Secure Access

Last Updated on May 23, 2026 by Arnav Sharma

If you have been researching Microsoft’s zero trust network access offering and found yourself confused by “Global Secure Access,” “Entra Private Access,” and “Internet Access” all appearing in the same sentence, you are not alone. The naming is genuinely confusing, even for architects who work in the Microsoft ecosystem daily. This article cuts through the terminology and gives you a clear, practitioner-level breakdown of how Microsoft Entra Private Access and Global Secure Access relate to each other, what each component actually does, and how to decide what you need for your environment.

The Short Answer: GSA Is the Platform, Private Access Is a Component

Global Secure Access (GSA) is the umbrella platform name. It is the unified administrative surface inside the Microsoft Entra admin center where Microsoft’s Security Service Edge (SSE) solution lives. Global Secure Access contains two distinct services: Microsoft Entra Internet Access and Microsoft Entra Private Access. You cannot deploy either service independently of the GSA framework, but you can license and enable only the component you need.

Think of it this way: Global Secure Access is the container and the policy engine. Entra Private Access is the Zero Trust Network Access (ZTNA) service inside that container. Entra Internet Access is the Secure Web Gateway (SWG) service inside that same container.

When people say “Entra Private Access vs Global Secure Access,” what they typically mean is: “When do I need just the ZTNA component, and when do I need the full SSE stack?”


What Is Global Secure Access?

Global Secure Access is Microsoft’s Security Service Edge solution, delivered from Microsoft’s global Wide Area Network spanning 70 regions and more than 190 network edge locations. It is built on Zero Trust principles: verify explicitly, use least privilege, and assume breach. GSA converges network access control with identity, device posture, and session risk signals that Entra ID already collects.

GSA is not a standalone product you buy independently. It is the administrative home for two licensed services, with a shared component (the Global Secure Access Client) that forwards traffic to whichever profiles you have enabled.

Microsoft Entra Internet Access

Microsoft Entra Internet Access is the SWG component. It handles outbound traffic to internet destinations and SaaS applications. It applies identity-centric network controls to web traffic, enforcing Conditional Access policies for sites and services that are not federated with Entra ID. Key capabilities include:

  • Web content filtering by category and FQDN
  • Universal Tenant Restrictions to block data exfiltration to foreign Microsoft tenants
  • TLS inspection (public preview as of mid-2025) for visibility inside encrypted sessions
  • Shadow AI discovery to surface unsanctioned AI tool usage
  • Prompt injection protection for AI gateway scenarios
  • Microsoft 365 traffic profile, which routes M365 traffic directly over Microsoft’s backbone for improved performance and resilience

One important licensing note: the Microsoft services traffic profile (covering M365 enriched logs, Compliant Network check, and Universal Tenant Restrictions) is included in any Microsoft Entra ID P1 or P2 license at no additional cost. The full Internet Access capability (web filtering, FQDN filtering, contextual network security) requires a standalone Internet Access license or the Entra Suite.

Microsoft Entra Private Access

Microsoft Entra Private Access is the ZTNA component. It brokers user connections to private, internal, and on-premises resources. Instead of granting users access to an entire network segment (as a traditional VPN does), Private Access lets you define exactly which applications, IP ranges, and FQDNs users can reach, and enforces Conditional Access on every connection request.

This is the service you deploy when you want to replace or supplement a legacy VPN with a modern, identity-aware access model.

The Global Secure Access Client

The Global Secure Access Client is the endpoint software that sits on user devices and forwards traffic to whichever traffic profiles you have enabled. It uses a lightweight filter (LWF) driver, not a VPN tunnel, which means it can coexist with existing VPN solutions during migration periods. The client authenticates the user to the Entra ID tenant and attaches identity claims to every forwarded request, so GSA always has the context it needs to evaluate access policies.

The client is available for Windows (Entra-joined or Hybrid-joined only) and Android. Support for additional platforms continues to expand. Importantly, the client is endpoint software that you deploy and manage yourself; it is not delivered or installed by any Microsoft 365 license.


What Is Microsoft Entra Private Access?

Microsoft Entra Private Access provides identity-aware, per-resource access to private corporate resources, whether those resources sit in an on-premises data center, a hybrid environment, or a private cloud. It builds on the foundation of Microsoft Entra Application Proxy and extends it to any private resource, any port, and any protocol.

Remote users do not need to connect to a VPN to reach internal resources. With the Global Secure Access Client installed, the connection to private resources is transparent and seamless. The service brokers the connection via an outbound-only tunnel from a lightweight connector in your environment to Microsoft’s edge, so there are no inbound firewall ports to open.

How It Replaces a Traditional VPN

Traditional VPN solutions give users broad network access. Once connected, a user (or an attacker who has compromised a user account) can see and potentially reach any resource on the network that is not explicitly blocked. This flat access model is fundamentally incompatible with Zero Trust principles.

Entra Private Access enforces the principle of least privilege at the protocol level. Access is scoped to specific FQDNs, IP addresses, IP ranges, and port/protocol combinations. Every access request is evaluated against Conditional Access policies before the connection is established. If a user’s device falls out of compliance or their risk score increases, access can be revoked in real time via continuous access evaluation.

Microsoft’s own internal GSA deployment described the architectural shift clearly: instead of granting broad visibility into the entire internal network, access is now scoped to a user’s identity, so employees only connect to the resources defined for them.

Legacy protocols that traditionally required VPN, including Kerberos, NTLM, RDP, and SMB, are supported. You can enforce MFA and device compliance checks even for these older protocols, which is something a standard VPN cannot do natively.

Quick Access vs Per-App Access

Private Access gives you two configuration models. Understanding the difference is critical for deployment planning.

Quick Access is the primary group of FQDNs, IP addresses, and IP ranges that you always want to tunnel through the service. It is a single, shared enterprise application in Entra that you configure once. Think of Quick Access as the bulk migration path: you import your existing network access list (the subnets and names your VPN currently handles), assign users and groups, and apply a base set of Conditional Access policies. Quick Access is the fastest way to get Private Access running for your entire user base.

Per-App Access (Global Secure Access Apps) provides a more granular approach. You create separate enterprise applications, each scoping a subset of private resources. This model is the right choice when:

  • Different user groups need different Conditional Access policies for different resources (for example, finance users accessing the payroll system require MFA plus compliant device, while standard users accessing file shares only require compliant device)
  • You have a time-limited project group that needs temporary access to a specific resource
  • You want to segment access for contractors or third-party partners without exposing them to your broader Quick Access scope
  • You are working toward a mature zero trust posture where every application has its own access policy

In practice, most organizations start with Quick Access to achieve parity with their existing VPN, then progressively migrate resource groups into per-app access as they refine their Conditional Access policies.
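To make the per-app segmentation concrete, here is a small added review script (my code, not Microsoft's and not from this post) that takes an inventory of Quick Access and per-app segments and reports the two things a migration review cares about: segments that are broader than a per-resource grant should be (wide IPv4 ranges, wildcard FQDNs, all ports), and resources that are reachable through more than one application, such as a per-app resource that the Quick Access range also covers. The Segment field names, the sample Contoso inventory and the /24 threshold are constructed assumptions, not values from any real tenant.

```python
"""Least-privilege review of Private Access application segments.

Added example; not Microsoft's code and not from the original post. The Segment
shape (application name, destination, port spec, protocol) is an assumption
modelled on the fields shown when you add an app segment in the admin center.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    app: str          # "Quick Access" or the name of a per-app access application
    destination: str  # FQDN (optionally "*.domain"), single IP, or CIDR range
    ports: str        # "443", "3389,445" or "1-65535"
    protocol: str     # "tcp", "udp" or "tcp,udp"


FULL_PORT_RANGE = (1, 65535)


def parse_ports(spec: str) -> list[tuple[int, int]]:
    """Turn a port spec into inclusive (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        lo, hi = int(low), int(high) if high else int(low)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo, hi))
    return ranges


def parse_protocols(spec: str) -> frozenset[str]:
    protocols = frozenset(p.strip().lower() for p in spec.split(","))
    if not protocols <= {"tcp", "udp"}:
        raise ValueError(f"unknown protocol in {spec!r}")
    return protocols


def parse_destination(dest: str) -> tuple[str, object]:
    """('network', ip_network) for IPs and CIDRs, ('fqdn', name) for everything else."""
    try:
        return "network", ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return "fqdn", dest.lower().rstrip(".")


def port_ranges_overlap(a, b) -> bool:
    return any(lo1 <= hi2 and lo2 <= hi1 for lo1, hi1 in a for lo2, hi2 in b)


def destinations_overlap(d1: str, d2: str) -> bool:
    """True when both entries can admit traffic to the same host (by name or address only; no DNS)."""
    kind1, val1 = parse_destination(d1)
    kind2, val2 = parse_destination(d2)
    if kind1 != kind2:
        return False
    if kind1 == "network":
        return val1.overlaps(val2)
    for wild, name in ((val1, val2), (val2, val1)):
        if wild.startswith("*.") and name.endswith(wild[1:]):
            return True
    return val1 == val2


def broad_findings(segments, min_v4_prefix: int = 24):
    """Segments whose scope is wider than a per-resource grant should normally be."""
    findings = []
    for seg in segments:
        reasons = []
        kind, value = parse_destination(seg.destination)
        if kind == "network" and value.version == 4 and value.prefixlen < min_v4_prefix:
            reasons.append(f"IPv4 range wider than /{min_v4_prefix}")
        if kind == "fqdn" and value.startswith("*."):
            reasons.append("wildcard FQDN")
        if FULL_PORT_RANGE in parse_ports(seg.ports):
            reasons.append("all ports")
        if reasons:
            findings.append((seg.app, seg.destination, reasons))
    return findings


def overlap_findings(segments):
    """Pairs of segments in different applications that reach the same destination, port and protocol."""
    findings = []
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            if (a.app != b.app
                    and destinations_overlap(a.destination, b.destination)
                    and parse_protocols(a.protocol) & parse_protocols(b.protocol)
                    and port_ranges_overlap(parse_ports(a.ports), parse_ports(b.ports))):
                findings.append((a, b))
    return findings


# Constructed sample inventory (hypothetical Contoso names, not from any real tenant).
SAMPLE_SEGMENTS = [
    Segment("Quick Access", "10.0.0.0/8", "1-65535", "tcp,udp"),
    Segment("Quick Access", "fileserver.corp.contoso.com", "445", "tcp"),
    Segment("Payroll (per-app)", "payroll.corp.contoso.com", "443", "tcp"),
    Segment("Payroll (per-app)", "10.20.30.40", "1433", "tcp"),
    Segment("Contractor RDP (per-app)", "10.20.30.50", "3389", "tcp"),
]

if __name__ == "__main__":
    for app, dest, reasons in broad_findings(SAMPLE_SEGMENTS):
        print(f"BROAD    {app}: {dest} ({', '.join(reasons)})")
    for a, b in overlap_findings(SAMPLE_SEGMENTS):
        print(f"OVERLAP  {b.app} {b.destination}:{b.ports} is also covered by {a.app} {a.destination}:{a.ports}")
```

Run it against an export of your own segments and the overlap list tells you which per-app resources still sit inside the Quick Access range, which is exactly the set you need to carve out before a contractor or finance group's per-app policy is the only path to that resource.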

The Private Network Connector Architecture

The Entra Private Network Connector is a lightweight agent you install on a Windows Server in your on-premises environment or private network. It creates an outbound-only persistent connection to Microsoft’s edge. There is no inbound firewall rule required. This architecture removes the need to expose internal resources to the internet or maintain a DMZ appliance.

You can deploy multiple connectors and group them into Connector Groups for high availability and geographic distribution. A connector group can serve multiple Quick Access or per-app access applications, and connectors within a group load-balance automatically. For resilience, Microsoft recommends at least two connectors per group.

The connector supports all TCP and UDP protocols, which is a significant improvement over Application Proxy (which was HTTP/HTTPS only). This broad protocol support is what makes Private Access viable for replacing VPN access to resources like domain controllers, file servers, and database endpoints.


How Conditional Access Ties Everything Together

Conditional Access is the policy engine that makes GSA more than just a connectivity tool. It is what separates a Zero Trust architecture from a VPN with extra steps.

When a user request arrives at a Quick Access or per-app access application, GSA evaluates the applicable Conditional Access policies before establishing the connection. The policy engine checks:

  • User and group membership: Is this user assigned to this application?
  • Device compliance: Is the device managed and compliant per Intune policies?
  • Sign-in risk: Is the user’s session flagged as risky by Entra ID Protection?
  • MFA status: Has the user completed the required authentication strength?
  • Network location: Is the Compliant Network check enforced?

This evaluation happens at every connection attempt, not just at initial authentication. Continuous access evaluation means that if a device loses compliance mid-session (for example, because endpoint detection triggers a high-severity alert), access can be revoked without waiting for a token refresh cycle.

For organizations already using Conditional Access to protect Microsoft 365 and cloud apps, extending the same policies to private resources is a significant operational advantage. You manage access control from a single policy model, not from separate VPN group policies, firewall rules, and application-level controls.

The ability to apply Conditional Access to legacy protocols (Kerberos, NTLM) through Private Access is particularly valuable. Most organizations have substantial on-premises infrastructure that cannot be federated with Entra ID directly. Private Access acts as the identity-aware broker for those resources, enforcing modern access controls on traffic that previously bypassed them entirely.


Comparison Table: Private Access vs Internet Access vs Traditional VPN

Feature | Entra Private Access | Entra Internet Access | Traditional VPN
Primary use case | Secure access to internal/private resources | Secure outbound web and SaaS traffic | Network-level remote access
Access model | Per-resource (FQDN, IP, port) | Per-destination (URL, category, domain) | Full network segment
Conditional Access enforcement | Yes, per application | Yes, per destination | No native CA integration
Inbound firewall ports required | No (outbound connector) | No | Yes (VPN endpoint)
Legacy protocol support | Yes (TCP + UDP) | N/A | Yes
MFA on legacy protocols | Yes | Yes | Limited/none
Coexists with existing VPN | Yes | Yes | N/A
Client required | Yes (Global Secure Access Client) | Yes (Global Secure Access Client) | Yes (VPN client)
Admin portal | Entra admin center | Entra admin center | Separate appliance/vendor portal
Lateral movement risk | Low (least-privilege by design) | N/A | High (flat network access)
Licensing | P1 + Private Access add-on or Entra Suite | P1 + Internet Access add-on or Entra Suite | Separate VPN infrastructure cost

Licensing: What You Actually Need

Licensing for Global Secure Access trips up a lot of organizations. Here is a clear breakdown as of 2026.

Microsoft Entra ID P1 or P2 is a prerequisite for all GSA services. P1 is included in Microsoft 365 E3, F1, F3, and Business Premium. P2 is included in Microsoft 365 E5.

P1 or P2 alone gives you access to the Microsoft services traffic profile (M365 enriched logs, Compliant Network check, Universal Tenant Restrictions) inside GSA at no extra cost. This is a meaningful capability but does not include Private Access or full Internet Access.

To enable Microsoft Entra Private Access, you need one of:

  • Standalone Private Access license: $5/user/month (on top of existing P1 or P2)
  • Entra Suite: $12/user/month, which bundles Private Access, Internet Access, Entra ID Governance, Entra ID Protection (P2-tier features), and Verified ID premium

The Entra Suite is typically the better value for organizations that need both Private Access and Internet Access (or that are approaching the P2 feature set). Buying them individually costs at least $17/user/month on a P1 base. The Entra Suite at $12 undercuts that by a significant margin.

As of May 2026, Microsoft 365 E7 ($99/user/month, generally available from May 1, 2026) is the first M365 plan to include the complete Entra Suite, making it the natural landing zone for enterprises that want the full GSA stack as part of their M365 agreement.

Licensing decision guidance at a glance:

  • You have M365 E3 and want Private Access only: add the $5/user/month standalone Private Access license
  • You want both Private Access and Internet Access: Entra Suite at $12/user/month is better value than buying both standalone products
  • You already have M365 E5 (P2 included): add Entra Suite as an add-on at $9/user/month (P2 is already in your E5)
  • You are on M365 E7 (generally available May 2026): Entra Suite is already included

When to Use Private Access Alone vs the Full GSA Stack

Use Private Access standalone (without Internet Access) when:

  • Your primary driver is VPN replacement or supplementation for internal application access
  • You have an existing third-party SWG or web filtering solution you are not ready to replace
  • Your budget limits you to the $5/user add-on rather than the full Entra Suite
  • You are in an early Zero Trust maturity phase and want to focus on private resource access before tackling internet traffic policy

Use the full GSA stack (Private Access plus Internet Access) when:

  • You want a single vendor SSE solution under one management plane
  • You need to enforce Conditional Access for internet-bound traffic, not just internal app access
  • You want TLS inspection, web content filtering, and shadow IT/AI discovery
  • You are migrating away from a legacy SWG appliance and want to consolidate
  • You are targeting Microsoft 365 E7 or the Entra Suite as your license level

Important consideration for domain-joined endpoints: Devices that are domain-joined only (not Entra-joined or Hybrid-joined) cannot run the Global Secure Access Client. Domain-joined only environments require Hybrid Azure AD Join before Private Access can be deployed. This is a common blocker in organizations with mature on-premises Active Directory footprints and is worth assessing before committing to a deployment timeline.


Deployment Considerations for Microsoft Environments

Device Requirements and the GSA Client

The Global Secure Access Client supports Windows (Entra-joined or Hybrid-joined) and Android. The client uses a lightweight filter driver rather than a VPN tunnel, so it coexists cleanly with existing VPN clients during phased migrations. You can deploy the client via Microsoft Intune, Group Policy, or your RMM tooling.

For BYOD scenarios, Microsoft introduced Private Access BYOD support (public preview as of early 2026), which allows unmanaged devices to reach private apps through a browser-based flow rather than requiring the full client installation. This opens the door to contractor and external partner access scenarios that previously required either a full Entra-joined device or a guest VPN arrangement.

For branch office scenarios, GSA supports Remote Network Connectivity: a site-to-site IPsec tunnel from your branch gateway to Microsoft’s edge, which routes branch traffic through the GSA policy engine without requiring the client on every device. This requires a minimum of 50 combined P1 and Internet Access licenses per tenant.

Integration with Microsoft 365 and Intune

For organizations already using Microsoft Intune for device management and Microsoft Defender for Endpoint for threat protection, GSA integrates without additional infrastructure. Device compliance signals from Intune feed directly into Conditional Access policy evaluation for both Private Access applications and Internet Access destinations. Defender for Endpoint risk scores contribute to sign-in risk evaluation, enabling real-time access revocation when endpoint telemetry detects a compromise.

Traffic logs from both Private Access and Internet Access are surfaced in the Entra admin center and can be ingested into Microsoft Sentinel for SIEM correlation. If you are already running Sentinel for security operations, GSA enriches your signal set: you get network-layer visibility (what resources users are accessing, which protocols, what volumes) correlated with identity context (which user, which device, what risk level) in the same data pipeline.
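As an added example of what that correlated signal can drive (my code, not Microsoft's and not from this post), the script below runs a simple fan-out check over a handful of constructed private-traffic records: a user who reaches an unusually large number of distinct internal destinations, or collects several blocked attempts, within a short window is flagged for triage. The record field names mirror the general shape of a traffic log export but are an assumption; confirm them against the table schema in your own workspace before porting the logic into a scheduled analytics rule.

```python
"""Destination fan-out check over Global Secure Access private traffic logs.

Added example; not Microsoft's code and not from the original post. The record
fields (TimeGenerated, UserPrincipalName, TrafficType, DestinationIp,
DestinationPort, Action) are an assumption modelled on a traffic log export;
confirm the column names against your own workspace schema.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta


def parse_time(value: str) -> datetime:
    """ISO-8601 with a trailing Z, as log exports commonly emit it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def fanout_alerts(records, window=timedelta(minutes=10), max_distinct=5, max_blocked=3):
    """One alert per user whose private traffic inside any window exceeds a threshold.

    Many distinct internal destinations, or repeated blocks, in a short window is the
    discovery pattern a flat VPN lets pass silently; per-resource policy turns it into signal.
    """
    by_user = defaultdict(list)
    for r in records:
        if r.get("TrafficType") != "Private":
            continue                   # Internet and Microsoft 365 profile traffic is out of scope here
        by_user[r["UserPrincipalName"]].append(
            (parse_time(r["TimeGenerated"]),
             f"{r['DestinationIp']}:{r['DestinationPort']}",
             r["Action"] == "Blocked")
        )
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            distinct = {dest for _, dest, _ in in_window}
            blocked = sum(1 for _, _, was_blocked in in_window if was_blocked)
            if len(distinct) > max_distinct or blocked > max_blocked:
                alerts.append({"user": user, "window_start": start.isoformat(),
                               "distinct_destinations": len(distinct), "blocked": blocked})
                break                  # the first offending window is enough for triage
    return alerts


def rec(ts, user, dst_ip, port, action, traffic="Private"):
    """Build one constructed log record in the assumed schema."""
    return {"TimeGenerated": ts, "UserPrincipalName": user, "TrafficType": traffic,
            "DestinationIp": dst_ip, "DestinationPort": port, "Action": action}


# Constructed sample records (hypothetical users and RFC 1918 addresses, not real telemetry).
SAMPLE_LOGS = [
    rec("2026-05-20T09:00:05Z", "alice@contoso.com", "10.20.30.40", 443, "Allowed"),
    rec("2026-05-20T09:03:10Z", "alice@contoso.com", "10.20.30.40", 443, "Allowed"),
    rec("2026-05-20T09:08:42Z", "alice@contoso.com", "10.20.30.41", 445, "Allowed"),
    rec("2026-05-20T09:15:00Z", "bob@contoso.com", "10.20.30.40", 443, "Allowed"),
    rec("2026-05-20T09:15:07Z", "bob@contoso.com", "10.20.30.41", 445, "Blocked"),
    rec("2026-05-20T09:15:09Z", "bob@contoso.com", "10.20.30.42", 445, "Blocked"),
    rec("2026-05-20T09:15:11Z", "bob@contoso.com", "10.20.30.43", 445, "Blocked"),
    rec("2026-05-20T09:15:14Z", "bob@contoso.com", "10.20.30.44", 3389, "Blocked"),
    rec("2026-05-20T09:15:20Z", "bob@contoso.com", "10.20.30.45", 3389, "Allowed"),
    rec("2026-05-20T09:16:02Z", "bob@contoso.com", "104.16.0.10", 443, "Allowed", traffic="Internet"),
]

if __name__ == "__main__":
    for alert in fanout_alerts(SAMPLE_LOGS):
        print(f"{alert['user']}: {alert['distinct_destinations']} private destinations, "
              f"{alert['blocked']} blocked, window from {alert['window_start']}")
```

The thresholds are deliberately low so the sample trips them; in production, baseline them per role from a few weeks of logs, and join the alert back to the user's device compliance and sign-in risk (the identity context the same pipeline already carries) before deciding whether a Conditional Access block or a revocation is the right response.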

The Microsoft 365 traffic profile routes M365 traffic directly over Microsoft’s private backbone, which typically improves performance and resilience for Teams, SharePoint, and Exchange Online compared to general internet routing. Enabling this profile requires only P1 and no additional license, making it a fast win worth prioritizing early in any GSA deployment.

Arnav Sharma, Microsoft MVP and Microsoft Certified Trainer · Cloud · Cybersecurity · AI

I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
