Skip to main content

Conditional Access for Your File Server: What Global Secure Access Does That a VPN Never Could

Nick Ross4 min read

TL;DR

  • Global Secure Access is Microsoft's Security Service Edge platform, combining Zero Trust Network Access with cloud-based filtering for both cloud and on-prem resources.
  • GSA lets you apply Conditional Access policies to internal applications and file shares, something a VPN cannot do.
  • Requiring traffic to originate from the GSA client blocks adversary-in-the-middle token theft, and in testing it stopped a live Evilginx attack.
  • The Internet Access profile can block whole categories of web content, including generative AI tools and personal cloud storage, which curbs shadow AI.
  • The Microsoft 365 traffic profile is included with Entra ID P1/P2; Internet and Private Access need a GSA license or the Entra Suite add-on.

A VPN makes one decision: are you allowed onto the network? Answer yes, and the user, or the attacker holding their credentials, often gets wide-open access to everything behind the firewall. As of 2025, that single decision point has aged badly. The year brought breaches at major VPN vendors, a steady stream of helpdesk tickets from frustrated users, and clunky experiences that nobody defends anymore.

Yet businesses keep the VPN around for one reason: legacy line-of-business applications and on-prem file shares that never made the move to the cloud.

Microsoft's Global Secure Access (GSA) is built for exactly that gap. It lets users reach on-prem resources securely with no tunnel, no lag, and no VPN-shaped attack surface, and it puts identity in charge of every connection.

How does Global Secure Access work?

GSA is Microsoft's Security Service Edge (SSE) platform. It combines Zero Trust Network Access (ZTNA) with cloud-based security filtering to protect cloud and on-prem resources alike.

The contrast with the old model is stark. VPNs connect users to internal systems behind a firewall, and once inside, those users typically hold broad network access, which attackers love. The VPN itself is also an exploitable attack vector, as the recent vendor breaches have demonstrated.

Diagram of the traditional VPN model granting broad network access behind the firewall

GSA replaces that with Microsoft's secure edge, using Entra ID (formerly Azure AD) as the central identity plane for everything: Microsoft 365, general internet access, and your on-prem apps. The practical consequence is the headline feature. You can now apply Conditional Access to internal applications and resources, which a VPN could never do.

Global Secure Access architecture routing traffic through Microsoft's secure edge with Entra ID as the identity plane

Operationally, GSA acts as a traffic controller on the endpoint. You install a lightweight client on user devices, via Intune, GPO, or your RMM, and that client routes traffic according to admin-defined rules:

  • Microsoft 365 traffic goes directly and securely to Microsoft cloud services.
  • Internet access routes through Microsoft's filtering edge for policy enforcement.
  • Private Access connects users to on-prem resources without a VPN tunnel.

The result: your identity policies follow the user everywhere, whether they are opening SharePoint, Outlook, a legacy payroll app, or a network file share.

What GSA stops in practice

Token theft and Evilginx-style phishing

Adversary-in-the-middle attacks are among the most common identity threats today. The attacker lures a user to a fake Microsoft login page, captures the session token, and walks past MFA with it.

With GSA, you can build a Conditional Access policy that requires traffic to originate from the GSA client. A login attempt from a phishing proxy or untrusted network fails before the token is ever issued. In testing, this configuration stopped a live Evilginx adversary-in-the-middle attack, which makes it one of the more practical token theft defenses available in the Microsoft stack as of October 2025.

Shadow AI and risky web categories

The Internet Access profile enforces web content filtering policies. Admins can block access to generative AI sites such as ChatGPT and Claude, or to unapproved storage platforms like Dropbox and Box, by category:

  • Artificial Intelligence Tools
  • Gambling or Hacking Sites
  • Personal Cloud Storage

and many more. As AI tools become ubiquitous, this is a direct lever against shadow IT and the data leakage that comes with it.

On-prem file shares with no tunnel at all

This is where GSA earns the migration. The Private Access connector is a lightweight agent you install on an on-prem server, your file server or domain controller for example. It establishes a secure, identity-bound tunnel between Microsoft's edge and your on-prem environment.

From there you define exactly which internal applications or shares are reachable, say a payroll app or a single SMB share. Users connect to those specific resources even if their device is not domain joined or anywhere near the corporate network.

No VPN. No split tunneling. No exposed attack surface. And because every connection flows through Entra ID, you can layer on Conditional Access requirements: MFA, compliant devices, or specific user groups.

See the full setup

We recorded a complete walkthrough of the configuration and the attack demos: watch the full Global Secure Access demo on YouTube (opens in new tab).

What does Global Secure Access cost?

You may already own the entry point. Requirements as of October 2025:

  • Microsoft Entra ID P1 or P2, which is included with Microsoft 365 Business Premium, unlocks the base Microsoft 365 traffic profile.
  • The Internet Access and Private Access profiles require an additional GSA license or the Entra Suite add-on.
  • Devices must be Entra joined or hybrid joined.

Microsoft's current pricing breakdown is here: Microsoft Entra Plans and Pricing (opens in new tab).

Microsoft Entra licensing table showing which Global Secure Access profiles each plan includes

Identity-driven networking is the destination

We see GSA as more than a VPN replacement. It moves the access decision from "are you on the network" to "who are you, what device are you on, and what are you allowed to touch," and it applies that decision to every connection, cloud or on-prem. For MSPs and IT admins still nursing aging VPN appliances, this is the opening to modernize remote access, shrink the attack surface, and simplify the environment in one move.

Frequently asked questions

Can users reach on-prem file shares through Global Secure Access without joining the domain?

Yes. The Private Access connector creates an identity-bound tunnel between Microsoft's edge and your on-prem environment, so users can reach published shares and apps even from devices that are not domain joined or on the corporate network.

Does Global Secure Access replace the VPN on day one?

For most environments it can replace VPN use cases incrementally. Start with the Microsoft 365 profile included in P1/P2, then publish individual on-prem apps or shares through Private Access as you retire tunnel access.

Token theft protections, verified across every tenant

Conditional Access is only as good as its weakest tenant. CloudCapsule audits 250+ Microsoft 365 controls, including the identity policies GSA depends on, in about 60 seconds per tenant.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading