Introduction to Microsoft Global Secure Access Proof of Concept Guidance

The Proof of Concept (PoC) guidance in this series of articles helps you to learn, deploy, and test Microsoft Global Secure Access with Microsoft Entra Internet Access, Microsoft Entra Private Access, and the Microsoft traffic profile.

Detailed guidance continues in these articles:

• Configure Microsoft Entra Private Access
• Configure Microsoft Entra Internet Access

This guide assumes that you're running a PoC in a production environment. Running a PoC in a test environment might give you more flexibility.

Note

All PoC testing is dependent on traffic profile updates synchronizing to the client device. Synchronization can take up to 20 minutes to complete.

Follow the steps in this article to ensure a successful PoC launch:

1. Understand the products.
2. Identify use cases.
3. Scope and define success criteria.
4. Meet prerequisites.
5. Configure product for use cases.
6. Troubleshooting.

Understand the products

Understanding the products and their core concepts is the first step towards a successful PoC. Start with the resources in this section.

Microsoft's Security Service Edge (SSE) solution

• What is Microsoft's Security Service Edge (SSE) solution?
• Accelerate your Zero Trust journey with unified access controls

Microsoft Entra Internet Access

• Learn about Microsoft Entra Internet Access
• Identity-centric Microsoft Entra Internet Access protections

Microsoft Entra Private Access

• Understand the Microsoft Entra private network connector
• Replace VPNs for on-premises resources with Microsoft Entra Private Access

Microsoft Global Secure Access

• Global Secure Access licensing overview
• Introduction to Microsoft Global Secure Access Deployment Guide

Identify use cases

While you design your PoC, identify relevant use cases and plan for appropriate configuration and testing.

Microsoft Entra Private Access use cases

Consider the following questions as you map out your Microsoft Entra Private Access use cases.

• Are you using a VPN today? The best way to start is to test the VPN replacement scenario. This scenario gives you the ability to publish all the same resources that users access through the VPN and protect them with Microsoft Entra ID. From that point onwards, you can segment access. To define access to specific resources that only selected users should access, create Enterprise Apps. For example, only administrators should be able to remotely access servers. Review the VPN replacement scenario to understand the recommended configuration.
• What device types do you plan to test? Users' day-to-day work devices or separate test devices? If you plan to use work devices, consider testing the VPN replacement scenario so that you can use Microsoft Entra Private Access for all your daily work. To only publish certain resources using Microsoft Entra Private Access, you might need to switch to using your VPN to access other resources that you need during your day. If you decide to only publish certain resources using Microsoft Entra Private Access, consider how users authenticate to those resources and if you require Single Sign-On (SSO) with Active Directory.

Microsoft Entra Internet Access use cases

You can test several Microsoft Entra Internet Access and Microsoft Entra Internet Access for Microsoft Services scenarios in your PoC. Consider testing coexistence with other solutions as the Learn about Security Service Edge (SSE) coexistence with Microsoft and Cisco article describes.

• Do you need to block or allow certain fully qualified domain names (FQDN) or web categories from access by all users when they are using a managed device? If you plan to block or allow most your user base's access to specific FQDNs or web categories, consider testing the Create a baseline policy applying to all internet access traffic routed through the service use case. You can create and apply the baseline policy to all users without needing to create Conditional Access policies. If necessary, you can override it for subsets of users.
• Do you need to block certain groups from accessing websites based on category or FQDN? If you need to prevent specific groups of users from accessing FQDNs or web categories, consider testing Block a group from accessing websites based on category and Block a group from accessing websites based on FQDN use cases.
• Do you need to override broad block or allow policies for certain users or specific circumstances? If you want to allow specific users or groups to access a blocked website, consider testing the Allow a user to access a blocked website use case.
• Do you need to manage or control access to your Microsoft data? You can use the Microsoft traffic profile to enable Global Secure Access to acquire and route SharePoint Online, Exchange Online, and other Microsoft traffic through the Global Secure Access cloud services. Test this scenario with the Enable and manage the Microsoft traffic forwarding profile use case.
• Do you need to control whether your users can use your managed devices to access Microsoft data in other tenants? If you need to prevent users from accessing Microsoft data in other tenants (to which they have valid credentials) when using your managed devices, consider testing the Universal Tenant Restrictions use case.

Scope and define success criteria

Use the PoC Kick off deck to plan your PoC. Walk through the high-level requirements to identify key stakeholders to include in the project. Then decide on in-scope scenarios and agree on a timeline.

Meet prerequisites

Ensure that you meet these prerequisites for your PoC:

• A Microsoft Entra ID test tenant.

• A user with the Global Secure Access administrator, Application Administrator, and Conditional Access Administrator roles. Refer to Microsoft Global Secure Access built-in roles.

• At least one Microsoft Entra ID test user account.

• At least one client device for user testing. To test remote access, this device should only have Microsoft Entra Internet Access and not connect directly to your private network.

  • Windows 11 devices must be either Microsoft Entra ID joined or hybrid joined to your test tenant.
  • For Android and iOS devices, install the Microsoft Defender app and register it in your test tenant.

• You must have the appropriate paid or trial licenses.

  • Global Secure Access Licensing overview
  • Microsoft Entra Suite trial licenses
  • Microsoft Entra Internet Access trial licenses
  • Microsoft Entra Private Access trial licenses

To test Microsoft Entra Private Access scenarios, ensure that you meet these prerequisites:

• Deploy at least one Windows Server 2019/2022 with your private/on-premises resources. This server must have line of sight to the resources you want to make available through Microsoft Entra Private Access. It should be able to access Microsoft URLs.
• To test VPN replacement, you need the IP ranges and FQDNs used for full access to your corporate network.
• To test per-app Zero Trust network access using Microsoft Entra Private Access, identify one or more test applications. You need the IP addresses or FQDNs, protocols, and ports that clients use when they access each test application.

To test Microsoft traffic scenarios, you need Microsoft 365 products such as SharePoint Online or Exchange Online.

Configure product for use cases

After you meet prerequisites, follow these steps to configure your test environment:

1. Enable the product in your tenant.
2. Install Global Secure Access client.
3. Configure Microsoft Entra Private Access.
4. Configure Microsoft Entra Internet Access.

Enable product in your tenant

Enable each product's traffic profile for Global Secure Access to acquire and tunnel traffic for that product area. Assign users and groups to the profile so that the Global Secure Access client for that user acquires and routes traffic to Global Secure Access. Note the roles required for these tasks:

• Enable and Manage the Microsoft Profile.
• Manage the Private Access Profile.
• Manage the Internet Access profile.
• Assign users and groups to traffic forwarding profiles.

Install Global Secure Access client

Install the Global Secure Access client on each client device that connects to Global Secure Access services. Ensure your test devices meet prerequisites. Review Known Limitations for Global Secure Access.

• Install the Global Secure Access Client for Windows.
• Install the Global Secure Access Client for macOS.
• Install the Global Secure Access Client for Android.
• Install the Global Secure Access Client for iOS (Preview).

To deploy the client to multiple devices, use Intune or another mobile device management solution.

Troubleshooting

If you run into issues during your PoC, these articles can help you with troubleshooting, logging, and monitoring:

• To aid in troubleshooting, review Global Secure Access FAQ
• Troubleshoot problems installing the Microsoft Entra private network connector
• Troubleshoot the Global Secure Access client: diagnostics
• Troubleshoot the Global Secure Access Client: Health check tab
• Troubleshoot Distributed File System issue with Global Secure Access
• See Global Secure Access logs and monitoring for log locations and other details that can assist with monitoring and troubleshooting your Global Secure Access deployment
• How to use workbooks with Global Secure Access

Next steps

• Configure Microsoft Entra Private Access
• Configure Microsoft Entra Internet Access
• Introduction to Microsoft Global Secure Access Deployment Guide
• Microsoft Global Secure Access Deployment Guide for Microsoft Entra Private Access
• Microsoft Global Secure Access Deployment Guide for Microsoft Entra Internet Access
• Microsoft Global Secure Access deployment guide for Microsoft Traffic