Chris Brumm's Blog

One of the many announcements at Ignite (somewhat away from the AI hype) is the long-awaited B2B support for Global Secure Access. It combines Entra B2B, such as cross-tenant access policies, with the features of GSA, enabling an excellent user experience while also providing a very high level of security. Use cases for B2B access When planning the replacement of legacy VPNs, the issue repeatedly arises that the VPN is not only used by employees with managed devices, but also provides access for service providers and consultants, for example.

Global Secure Access (GSA) enforces that all client traffic is routed through the cloud before reaching the target resource via Private Network Connectors—even if both endpoints are in the same building or network. This design ensures that security controls are consistently applied. However, not every location has the connectivity of Coruscant; some sites feel more like the Outer Rim—and in Germany, bandwidth limitations can appear quickly. To cope, many users have resorted to disabling the GSA client when on the corporate LAN, a behavior familiar from traditional VPN clients.

In many environments - often for historical reasons - there is no strict separation of client and server networks. And if there is a firewall between the networks, the rule sets often allow direct communication with the domain controllers in the environment. Although a conversion makes a lot of sense, it is often not possible quickly, because various services like GPOs or Kerberos rely on this communication and a client modernization project takes time and effort.

Since the release of Entra Private Access, I have been getting more and more questions about the future of the Entra App Proxy. Will it still be needed? Should I still use it? Are there synergies or incompatibilities? This blog post is dedicated to these very questions and is part of my series on Global Secure Access Overview to Global Secure Access Global Secure Access in Conditional Access Deep Dive DNS in Entra Private Access Deep Dive SSO in Entra Private Access Entra Private Access and the future of the Entra App Proxy Do I still need the App Proxy?

A few days ago, Microsoft announced that Global Secure Access is now generally available. Since I have been working with the product for some time now and more and more proof of concepts are being launched, it is high time for me to do a blog series about it. Here is an overview of the parts (planned so far): Overview to Global Secure Access Global Secure Access in Conditional Access Deep Dive DNS in Entra Private Access Deep Dive SSO in Entra Private Access Entra Private Access and the future of the Entra App Proxy With the addition of both UDP and DNS support to Entra Private Access, the vast majority of scenarios that VPN has been used for in the past can be covered - including Single Sign On with Kerberos.