Ditch the VPN: How Microsoft’s Global Secure Access is Changing Remote Connectivity


2025 has been a rough year for VPNs.

We’ve seen breaches at major vendors, clunky user experiences, and a constant flood of helpdesk tickets from frustrated users. Yet, many businesses still rely on VPNs because their legacy line-of-business applications and on-prem file shares haven’t made the move to the cloud.

But what if you could ditch VPNs entirely while still letting users securely access on-prem resources, without the lag, without the tickets, and without the risk?

That’s exactly what Microsoft’s new Global Secure Access (GSA) brings to the table: a modern, identity-driven replacement for VPNs built right into the Microsoft 365 ecosystem.

What is Global Secure Access?

Global Secure Access is Microsoft’s Security Service Edge (SSE) solution, combining Zero Trust Network Access (ZTNA) and cloud-based security filtering to protect both cloud and on-prem resources.

Traditionally, organizations used VPNs to connect users to internal systems behind a firewall. Once inside the network, those users often had wide-open access, which attackers love. And as recent breaches and attacks on VPNs have shown, the VPN itself is an attack vector that attackers can exploit.

GSA changes this by routing traffic through Microsoft’s secure edge and using Entra ID (Azure AD) as the central identity plane for everything: Microsoft 365, internet access, and even your on-prem apps.

That means you can now apply Conditional Access to your internal applications and resources, something VPNs could never do.

Think of Global Secure Access as a traffic controller for your endpoints. You install a lightweight client on user devices (via Intune, GPO, or your RMM), and that client decides, based on admin-defined rules, where traffic should go:

  • Microsoft 365 Traffic: Routed directly and securely to Microsoft cloud services.

  • Internet Access: Routed through Microsoft’s filtering edge for policy enforcement.

  • Private Access: Securely connects users to on-prem resources without needing a VPN tunnel.

With GSA, your identity policies extend everywhere, whether a user is connecting to SharePoint, Outlook, a legacy payroll app, or a network file share.

Example 1: Blocking Evilginx/Phishing (Adversary-in-the-Middle Attacks)

One of the most common modern attacks is token theft, where an attacker tricks a user into logging into a fake Microsoft page to steal their session token, even bypassing MFA.

Using Global Secure Access, you can use Conditional Access to require that traffic originate from the GSA client. That means when someone tries to log in through a fake page or from a non-trusted network, the session is blocked before the token ever gets stolen.

In testing, this approach successfully stopped an Evilginx man-in-the-middle attack, proving that GSA can prevent real-world identity theft scenarios.
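One way to express the control described above as a Conditional Access policy, using Microsoft Graph PowerShell. This is an added example, not from the original post: the two parameters are placeholders for values from your own tenant, and it assumes Global Secure Access signaling for Conditional Access is already enabled so that the compliant-network named location exists. The policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example (not from the original post).
# Requires the Microsoft.Graph.Identity.SignIns module.
param(
    # Placeholder: ID of the compliant-network named location in your tenant.
    [Parameter(Mandatory)] [string] $CompliantNetworkLocationId,
    # Placeholder: object ID of an emergency-access account to keep out of scope.
    [Parameter(Mandatory)] [string] $BreakGlassUserId
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$policy = @{
    displayName = 'Block Microsoft 365 sign-ins outside Global Secure Access (report-only)'
    # Report-only: the policy is evaluated and logged, but nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($BreakGlassUserId)
        }
        applications   = @{ includeApplications = @('Office365') }
        # "All locations except the compliant network" means every sign-in that
        # does not arrive through the GSA client. A sign-in relayed by a phishing
        # proxy reaches Entra ID from the proxy's network, so it falls in scope.
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($CompliantNetworkLocationId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results show that only unexpected sign-ins would be blocked, change `state` to `enabled` to enforce the policy.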


Example 2: Blocking Shadow AI and Unsafe Web Content

With the Internet Access profile, admins can enforce web content filtering policies, like blocking access to generative AI sites (ChatGPT, Claude, etc.) or unapproved storage platforms (Dropbox, Box, etc.).

You can block categories like:

  • Artificial Intelligence Tools

  • Gambling or Hacking Sites

  • Personal Cloud Storage

…and much more.

This feature helps reduce Shadow IT and data leakage, especially valuable as AI tools become ubiquitous. 


Example 3: Securely Access On-Prem File Shares (Without VPN)

This is where the magic happens.

Using the Private Access connector, you can install a lightweight agent on your on-prem server, for example, your file server or domain controller. That connector establishes a secure, identity-bound tunnel between Microsoft’s edge and your on-prem environment.

From there, you can define which internal applications or shares are accessible (for example, a payroll app or a single SMB share). Users can then securely connect to those resources even if their device isn’t domain-joined or directly connected to the corporate network.

No VPN. No split tunneling. No attack surface exposure.

And because it all runs through Entra ID, you can even layer Conditional Access, like requiring MFA, compliant devices, or specific user groups.


Licensing and Requirements

You can start using parts of Global Secure Access today if you already have:

  • Microsoft Entra ID P1 or P2 (included with Microsoft 365 Business Premium)

  • Optional Entra Suite Add-on for full Internet and Private Access profiles

  • Devices that are Entra joined or hybrid joined

The base Microsoft 365 traffic profile is available with P1/P2, while Internet and Private Access require an additional GSA license or Entra Suite upgrade.

Microsoft Entra Plans and Pricing | Microsoft Security

Final Thoughts

Microsoft’s Global Secure Access is one of the most exciting evolutions in the Microsoft 365 security ecosystem. It’s not just a VPN replacement; it’s a step toward identity-driven networking.

If you’re an MSP or IT admin, this is your chance to modernize remote access, reduce risk, and simplify your environment.
