Global Secure Access (GSA) is easy to misunderstand because it looks like a network product.
There’s a client. There are connectors. Traffic flows somewhere else. The instinct is to treat it like a VPN refresh and design the end state up front. That instinct is also how teams end up with oversized blast radii and no clean rollback.
This post takes a different position: a successful GSA rollout behaves more like introducing a new control plane than replacing old plumbing. The goal here is not completeness. It’s observability, reversibility, and learning fast.
The Mental Model
The common assumption:
You must model all access paths before enabling Global Secure Access.
Why it misleads:
GSA is policy‑driven software that happens to move packets. Its failure modes are not link failures or route leaks they’re policy mismatches, connector health issues, and identity gaps.
A minimum viable implementation (MVP) should therefore:
- Limit who is affected
- Limit what traffic is touched
- Expose operational behaviour early
If your first deployment can’t be safely undone in minutes, it’s too big.
How It Really Works (MVP View)
At runtime, the GSA client classifies traffic locally and forwards selected flows to Microsoft’s Security Service Edge (SSE). Decisions are enforced using Conditional Access signals before traffic reaches Microsoft 365, the internet, or a private app.
Private Access extends this model by introducing connectors that only ever make outbound connections. No inbound exposure, no implicit network reachability.
This is not network extension. It’s identity‑mediated brokering.
MVP Traffic Flow Overview
GSA Client] -->|M365 & Internet| SSE[Microsoft Security Service Edge] SSE -->|Policy Allowed| Internet[Internet / Microsoft 365] User -->|Private App FQDN| SSE SSE -->|Authorised| Connector[Private Network Connector] Connector --> App[Private Application] Connector -.->|Outbound HTTPS Only| SSE
This diagram is intentionally boring. That’s the point. Complexity lives in policy, not topology.
MVP Scope and Explicit Non‑Goals
In scope
- Microsoft 365 traffic
- Limited internet access
- One private application
- Windows devices only
Explicitly out of scope
- Full VPN replacement
- Broad internet inspection
- Application portfolios
- Non‑HTTP legacy protocols
Deferring these is not a limitation. It’s an architectural choice.
Step 1 – Enable Global Secure Access
In the Microsoft Entra admin centre:
- Navigate to Global Secure Access → Settings
- Enable Global Secure Access
Nothing routes yet. This is a control‑plane activation, not a traffic change.
Step 2 – Define a Constrained Pilot
Create a security group:
GSA-MVP-Pilot
This group is your blast radius. If you can’t clearly articulate why someone belongs here, they don’t.
Step 3 – Enable Secure Access Traffic Profiles
Under Traffic forwarding:
- Enable Microsoft 365
- Enable Internet Access
- Leave advanced inspection features disabled
At this stage, enabling profiles without clients deployed changes nothing a useful property when rolling out safely.
Step 4 – Deploy the GSA Client (Windows)
Deploy the Global Secure Access client via Microsoft Intune and assign it to GSA-MVP-Pilot.
This step matters less for how it’s done and more for what it enables: device‑level traffic classification that participates in Conditional Access decisions.
If the client doesn’t connect reliably, stop. Everything else depends on this.
Step 5 – Validate Secure Access First
Before touching Private Access:
- Confirm Microsoft 365 works as expected
- Confirm internet access behaves normally
- Inspect Global Secure Access traffic logs
You’re validating signal quality, not just connectivity.
If Secure Access isn’t observable and predictable, Private Access will amplify the confusion.
Step 6 – Deploy Private Network Connectors
Deploy at least two connectors per location:
- Windows Server
- Outbound HTTPS only
- Close to the application, not the users
Connector health is now part of your application’s availability story. Treat it that way.
Step 7 – Publish a Single Private Application
In Private Access → Applications:
- Define the application by FQDN and port
- Avoid CIDR‑based definitions
- Assign access to
GSA-MVP-Pilot
Red flags for MVP inclusion:
- Hard‑coded IP dependencies
- Embedded DNS assumptions
- Latency‑sensitive chatty protocols
Some apps are simply bad first candidates. Excluding them is a design decision, not a failure.
Step 8 – Enforce Conditional Access
Create a Conditional Access policy scoped to:
- Users:
GSA-MVP-Pilot - Cloud app: Global Secure Access
Require:
- Compliant device
- MFA
Without this, you’re proxying traffic not governing access.
Step 9 – Validate Private Access Behaviour
From a pilot device:
- Access the private app via its FQDN
- Confirm authentication flow
- Monitor connector metrics and sign‑ins
Expect additional latency compared to on‑network access. The trade‑off is explicit control and visibility.
If that trade‑off is unacceptable for a given app, that’s valuable information early.
Gotchas That Actually Matter
- Connector resource starvation looks like “random slowness”
- DNS mismatches fail silently
- Policy changes can have wider impact than expected
- Break‑glass access paths must be planned, not improvised
These are operational problems, not configuration mistakes.
Best Practices for Moving Beyond MVP
- Expand users slower than applications
- Add connectors before you need them
- Version and review policy changes
- Monitor GSA like an application dependency
At scale, this is an access platform, not a feature.