What is Microsoft Global Secure Access (GSA)?
Microsoft Global Secure Access is Microsoft’s Security Service Edge (SSE) solution. Think of it as a modern, cloud-native security perimeter that helps organizations secure access to any application or resource, regardless of where the user or the resource is located. It’s part of the broader Microsoft Entra product family (which also includes Entra ID, formerly Azure AD).
GSA converges networking and security capabilities, moving away from traditional perimeter-based security (like on-premises firewalls and VPNs) towards a model centered on identity and delivered from Microsoft’s global network edge.
It primarily consists of two core services:
- Microsoft Entra Internet Access: Secures access to the public internet, SaaS applications, and Microsoft 365 apps. It acts like a cloud-based Secure Web Gateway (SWG), filtering traffic, applying security policies, and protecting users from web threats.
- Microsoft Entra Private Access: Provides secure, Zero Trust Network Access (ZTNA) to private corporate resources (applications hosted on-premises or in IaaS environments) without needing traditional VPNs.
Benefits of Microsoft Global Secure Access:
GSA offers significant advantages, especially for organizations embracing hybrid work and cloud adoption:
- Enhanced Security Posture (Zero Trust Alignment):
  - Granular Access Control: Moves beyond simple network access (such as a VPN grants) to application-level access based on strong identity verification (user, device health, location) enforced by Microsoft Entra Conditional Access.
  - Reduced Attack Surface: Eliminates the need to expose private applications directly to the internet or grant broad network access via VPNs. Users only get access to the specific resources they are authorized for.
  - Consistent Policy Enforcement: Apply unified security policies (such as requiring MFA or compliant devices) across M365 apps, SaaS apps, internet browsing, and private resources.
  - Threat Protection: Entra Internet Access provides security features like web content filtering, malicious site blocking, and integration with Microsoft’s threat intelligence to protect users browsing the web.
- Improved User Experience:
  - Faster & More Direct Access: Leverages Microsoft’s vast global network. Traffic is routed optimally to the nearest Microsoft Point of Presence (PoP) and then directly to the resource (M365, SaaS, internet, or private app via connector), often resulting in lower latency than backhauling traffic through a central VPN concentrator.
  - Seamless Connectivity: Users connect automatically via the GSA client without the often clunky manual connection process of traditional VPNs.
  - Works Anywhere: Provides a consistent security and access experience whether the user is in the office, at home, or traveling.
- Simplified Management & Operations:
  - Unified Console: Managed directly within the Microsoft Entra admin center alongside identity and other security settings.
  - Reduced Infrastructure Complexity: Eliminates or reduces the need to manage complex on-premises VPN concentrators, firewalls, and web proxies.
  - Cloud-Native Scalability: Scales automatically with your needs without requiring hardware upgrades.
  - Integrated Logging & Reporting: Provides centralized visibility into access patterns and security events across different resource types.
- Cost Savings (Potential):
  - Consolidation: Can potentially replace multiple point solutions (VPN, SWG, ZTNA products) with a single integrated platform.
  - Reduced Infrastructure Costs: Lower operational overhead associated with managing on-premises security appliances.
- Better Integration with Microsoft Ecosystem:
  - Deep Conditional Access Integration: GSA network conditions (like “compliant network”) can be used as signals within Conditional Access policies for richer context-aware authorization.
  - Leverages Entra ID: Builds directly on your existing identity foundation in Microsoft Entra ID.
Enabling Global Secure Access with M365 Business Premium License:
This is where it gets a bit nuanced, as licensing for GSA features has evolved. Here’s the breakdown relevant to M365 Business Premium:
- Prerequisite – Microsoft Entra ID P1: M365 Business Premium includes Microsoft Entra ID P1. This is the foundational requirement for using Global Secure Access features.
- Included Functionality (as of recent updates):
  - Microsoft Entra Internet Access for Microsoft 365 Traffic: A significant update (announced around May 2024) is that the capability to secure Microsoft 365 traffic (SharePoint Online, Exchange Online, Teams) through GSA, and to use the source IP restoration feature, is now included with all Microsoft Entra ID licenses (Free, P1, P2). This means your M365 Business Premium license covers securing your M365 traffic via GSA and applying Conditional Access policies based on GSA signals for M365 apps.
- Functionality Requiring Additional Licenses:
  - Microsoft Entra Internet Access for All Internet Traffic: To secure all outbound internet and SaaS app traffic (beyond just M365), you generally need a specific Microsoft Entra Internet Access license (available as P1 or P2 standalone add-ons). This provides the full SWG capabilities like web content filtering across all sites.
  - Microsoft Entra Private Access: To secure access to your private, on-premises, or IaaS-hosted applications, you need a Microsoft Entra Private Access license (available as P1 or P2 standalone add-ons).
  - Bundles: These GSA licenses are often bundled within higher-tier licenses like Microsoft 365 E3 or E5, or available for purchase separately.
In summary for M365 Business Premium: You get the Entra ID P1 prerequisite and the ability to secure M365 traffic via GSA included. For full internet traffic protection or private app access, you typically need to purchase GSA-specific add-on licenses.
How to Enable and Configure (Assuming Necessary Licenses):
The enablement process happens within the Microsoft Entra admin center (entra.microsoft.com):
- Prerequisites Check:
  - Ensure you have the necessary licenses (M365 Business Premium for the base + potentially GSA add-ons depending on your goals).
  - You need appropriate administrative roles (e.g., Global Administrator, Security Administrator, or the specific Global Secure Access Administrator roles).
- Activate Global Secure Access:
  - Navigate to the Microsoft Entra admin center.
  - Go to Global Secure Access (Preview) in the left-hand navigation pane. (Note: it might still be labeled “Preview” even as features reach GA.)
  - If it’s your first time, you might see an activation screen. Click Activate to enable the GSA features for your tenant.
- Configure Traffic Forwarding Profiles:
  - Under Global Secure Access, go to Connect > Traffic forwarding.
  - Here you manage how client traffic gets sent to the GSA service. You’ll see profiles like:
    - Microsoft 365 profile: This is likely enabled by default if you have the appropriate license (like M365 BP). It directs M365 traffic through GSA.
    - Internet access profile: You need to explicitly enable this if you want all internet traffic forwarded (requires the Entra Internet Access license).
    - Private access profile: Enable this if you want to route traffic to private resources (requires the Entra Private Access license).
- Deploy the Global Secure Access Client:
  - Under Global Secure Access, go to Connect > Client download.
  - Download the GSA client for Windows.
  - Deploy this client to your end-user devices (e.g., via Intune, included in M365 Business Premium). The client automatically captures traffic based on the enabled forwarding profiles and sends it to the GSA service edge.
- Configure Internet Access Policies (If Licensed for Full Internet Access):
  - Navigate to Global Secure Access > Secure.
  - Web content filtering policies: Create policies to block specific categories of websites.
  - Security profiles: Link Conditional Access policies to enforce security requirements for internet access.
- Configure Private Access (If Licensed):
  - This is more involved:
    - Install Connectors: Go to Connect > Connectors. Download and install the lightweight Entra Private Access Connector agent on one or more servers within your private network that have access to the target applications.
    - Configure Connector Groups: Organize your connectors.
    - Define Enterprise Applications: Go to Applications > Enterprise applications in Entra ID. Create/configure representations of your private apps.
    - Configure Quick Access or Global Secure Access Apps: Under Global Secure Access > Applications > Quick Access (for simple setup) or Global Secure Access Apps (for per-app configuration), define which private apps should be accessible via GSA and link them to the appropriate connector groups. Assign users/groups to these apps.
- Integrate with Conditional Access:
  - Go to Protection > Conditional Access in the Entra admin center.
  - When creating or editing policies, under Conditions > Locations, you can now configure it to include “All Compliant Network locations”. This represents traffic coming through GSA.
  - You can create policies like “Require MFA if accessing App X unless connecting from a Compliant Network (GSA)”.
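The “Require MFA for App X unless connecting from a Compliant Network” policy above, expressed as a Microsoft Graph PowerShell script instead of portal clicks. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK, that the GSA compliant network is exposed to Conditional Access as a named location whose ID you look up under Named locations, and placeholder IDs for App X and a break-glass account.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns module) and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders: replace with the application (client) ID of "App X", the ID of the compliant
# network named location shown under Protection > Conditional Access > Named locations once GSA
# signaling is enabled, and the object ID of a break-glass account that must never be locked out.
$appXId                     = "<APP-X-APPLICATION-ID>"
$compliantNetworkLocationId = "<COMPLIANT-NETWORK-NAMED-LOCATION-ID>"
$breakGlassAccountId        = "<BREAK-GLASS-USER-OBJECT-ID>"

$policy = @{
    displayName = "Require MFA for App X unless on GSA compliant network"
    # Start in report-only mode; switch to "enabled" after reviewing the sign-in log results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @($appXId) }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")                       # any location ...
            excludeLocations = @($compliantNetworkLocationId) # ... except traffic arriving via GSA
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Leave the policy in report-only mode until the sign-in logs confirm that devices running the GSA client are evaluated as coming from the compliant network and everyone else is prompted for MFA.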
- Monitor and Report:
  - Use the Monitor section within Global Secure Access to view traffic logs, connectivity health, and reports.
Important Considerations:
- Licensing is Key: Double-check the latest Microsoft licensing documentation or consult with a Microsoft partner/representative. Licensing details, especially for newer services like GSA, can change. What’s included in M365 Business Premium today regarding GSA might evolve.
- Preview Status: Some GSA components might still be in public preview, meaning they are subject to change and might not have full support SLAs yet.
- Client Deployment: Plan your rollout of the GSA client to end-user devices.
- Network Configuration: Ensure firewalls allow outbound traffic from the GSA client (port 443) and from the Private Access connectors (outbound 443).
By leveraging Global Secure Access, even with just the M365 traffic protection included in Business Premium, you start aligning with Zero Trust principles and enhance security for your Microsoft 365 environment. Adding the full Internet and Private Access capabilities provides a comprehensive SSE solution.