Chris Brumm's Blog

A second look at Microsoft Entra Private Access for Active Directory domain controllers

This blog post is about the new Private Access Sensor for Domain Controller and the option to restrict Kerberos SSO to clients using Entra Private Access.

🆕 This is the updated version of my blog about Entra Private Access for Active Directory for Domain Controllers. You can find the old version → here ←. New features include the central admin UI and logging!

Intro

In many environments - often for historical reasons - there is no strict separation of client and server networks. And if there is a firewall between the networks, the rule sets often allow direct communication with the domain controllers in the environment.

Using Global Secure Access in Cross-Tenant scenarios

This blog post is about the B2B capabilities of Global Secure Access that allow access to other tenants.

One of the many announcements at Ignite (somewhat away from the AI hype) is the long-awaited B2B support for Global Secure Access. It combines Entra B2B, such as cross-tenant access policies, with the features of GSA, enabling an excellent user experience while also providing a very high level of security.

Use cases for B2B access

When planning the replacement of legacy VPNs, the issue repeatedly arises that the VPN is not only used by employees with managed devices, but also provides access for service providers and consultants, for example.

Intelligent Local Access Deep Dive

This blog post is about the Intelligent Local Access feature of Entra Private Access, which allows local traffic to be bypassed while pre-authentication is done in Entra ID.

Global Secure Access (GSA) enforces that all client traffic is routed through the cloud before reaching the target resource via Private Network Connectors—even if both endpoints are in the same building or network. This design ensures that security controls are consistently applied. However, not every location has the connectivity of Coruscant; some sites feel more like the Outer Rim—and in Germany, bandwidth limitations can appear quickly. To cope, many users have resorted to disabling the GSA client when on the corporate LAN, a behavior familiar from traditional VPN clients.

A first look at Microsoft Entra Private Access for Active Directory domain controllers

This blog post is about the new Private Access Sensor for Domain Controller and the option to restrict Kerberos SSO to clients using Entra Private Access.

In many environments - often for historical reasons - there is no strict separation of client and server networks. And if there is a firewall between the networks, the rule sets often allow direct communication with the domain controllers in the environment. Although a conversion makes a lot of sense, it is often not possible quickly, because various services like GPOs or Kerberos rely on this communication and a client modernization project takes time and effort.

Entra Private Access and the future of the Entra App Proxy

The blog compares Entra Private Access and Entra App Proxy and helps to decide which to use when.

Since the release of Entra Private Access, I have been getting more and more questions about the future of the Entra App Proxy. Will it still be needed? Should I still use it? Are there synergies or incompatibilities? This blog post is dedicated to these very questions and is part of my series on Global Secure Access:

- Overview to Global Secure Access
- Global Secure Access in Conditional Access
- Deep Dive DNS in Entra Private Access
- Deep Dive SSO in Entra Private Access
- Entra Private Access and the future of the Entra App Proxy

Do I still need the App Proxy?