Introduction to Microsoft Global Secure Access proof-of-concept guidance

The proof-of-concept (PoC) guidance in this series of articles helps you to learn, deploy, and test Microsoft Global Secure Access with Microsoft Entra Internet Access, Microsoft Entra Private Access, and the Microsoft traffic profile.

Detailed guidance continues in these articles:

This guide assumes that you're running a PoC in a production environment. Running a PoC in a test environment might give you more flexibility.

Note

All PoC testing is dependent on traffic profile updates synchronizing to the client device. Synchronization can take up to 20 minutes to complete.

Follow the sections in this article to help ensure a successful PoC launch.

Understand the products

Understanding the products and their core concepts is the first step toward running a successful PoC. Start with the resources in this section.

Microsoft's Security Service Edge (SSE) solution

Microsoft Entra Internet Access

Microsoft Entra Private Access

Microsoft Global Secure Access

Identify use cases

While you design your PoC, identify relevant use cases and plan for appropriate configuration and testing.

Microsoft Entra Private Access use cases

Consider the following questions as you map out your Microsoft Entra Private Access use cases:

  • Are you using a VPN today? The best way to start is to test the VPN replacement scenario. This scenario gives you the ability to publish all the same resources that users access through the VPN and help protect them by using Microsoft Entra ID. From that point onward, you can segment access.

    To define access to specific resources that only selected users should access, create enterprise apps. For example, only administrators should be able to remotely access servers. To understand the recommended configuration, review the VPN replacement scenario.

  • What device types do you plan to test? Users' day-to-day work devices or separate test devices? If you plan to use work devices, consider testing the VPN replacement scenario so that you can use Microsoft Entra Private Access for all your daily work.

    If you decide to publish only certain resources by using Microsoft Entra Private Access, consider how users authenticate to those resources and if you require single sign-on (SSO) with Active Directory. You also might need to switch to using your VPN to access other resources that you need during your day.

Microsoft Entra Internet Access use cases

You can test several Microsoft Entra Internet Access and Microsoft Entra Internet Access for Microsoft Services scenarios in your PoC. Consider testing coexistence with other solutions, as the Learn about Security Service Edge (SSE) coexistence with Microsoft and Cisco article describes.

  • Do you need to block or allow certain fully qualified domain names (FQDNs) or web categories from access by all users when they're using a managed device? If you plan to block or allow most of your user base's access to specific FQDNs or web categories, consider testing the Create a baseline policy that applies to all internet access traffic routed through the service use case. You can create and apply the baseline policy to all users without needing to create Conditional Access policies. If necessary, you can override it for subsets of users.

  • Do you need to block certain groups from accessing websites based on category or FQDN? If you need to prevent specific groups of users from accessing FQDNs or web categories, consider testing the Block a group from accessing websites based on category and Block a group from accessing websites based on FQDN use cases.

  • Do you need to override broad block or allow policies for certain users or specific circumstances? If you want to allow specific users or groups to access a blocked website, consider testing the Allow a user to access a blocked website use case.

  • Do you need to manage or control access to your Microsoft data? You can use the Microsoft traffic profile to enable Global Secure Access to acquire and route SharePoint Online, Exchange Online, and other Microsoft traffic through the Global Secure Access cloud services. Test this scenario with the Enable and manage the Microsoft traffic forwarding profile use case.

  • Do you need to control whether your users can use your managed devices to access Microsoft data in other tenants? If you need to prevent users from accessing Microsoft data in other tenants (to which they have valid credentials) when they're using your managed devices, consider testing the Universal tenant restrictions use case.

Scope and define success criteria

Use the PoC kickoff deck to plan your PoC. Walk through the high-level requirements to identify key stakeholders to include in the project. Then decide on in-scope scenarios and agree on a timeline.

Meet prerequisites

Ensure that you meet these prerequisites for your PoC:

To test Microsoft Entra Private Access scenarios, ensure that you meet these prerequisites:

  • Deploy at least one Windows Server 2019 or 2022 machine with your private or on-premises resources. This server must have a line of sight to the resources that you want to make available through Microsoft Entra Private Access. It should be able to access Microsoft URLs.
  • To test VPN replacement, you need the IP ranges and FQDNs that are used for full access to your corporate network.
  • To test per-app Zero Trust network access by using Microsoft Entra Private Access, identify one or more test applications. You need the IP addresses or FQDNs, protocols, and ports that clients use when they access each test application.
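As an added example (not code from the Microsoft article), a PowerShell pre-check to run on the candidate connector server: it probes each test application in your inventory and the Microsoft endpoints the server must reach, so a missing route or firewall rule is found before the PoC starts. The application inventory and endpoint list are constructed placeholders to replace with your own values.

```powershell
# Added example, not from the Microsoft article. Run on the Windows Server that will host
# the private network connector to confirm it has line of sight to each test application.
# The inventory below is constructed sample data; replace it with your own hosts and ports.
$apps = @(
    @{ Name = 'File share';   Host = 'fs01.corp.example';     Port = 445;  Protocol = 'TCP' },
    @{ Name = 'RDP jump box'; Host = '10.10.5.20';            Port = 3389; Protocol = 'TCP' },
    @{ Name = 'Intranet web'; Host = 'intranet.corp.example'; Port = 443;  Protocol = 'TCP' },
    @{ Name = 'Internal DNS'; Host = '10.10.1.53';            Port = 53;   Protocol = 'UDP' }
)

# Placeholder list of Microsoft endpoints the connector must reach over HTTPS; take the
# authoritative list from the connector prerequisites in the product documentation.
$microsoftEndpoints = @('login.microsoftonline.com')

function Test-ConnectorLineOfSight {
    param([array]$Inventory, [string[]]$Endpoints)
    $results = [System.Collections.Generic.List[object]]::new()
    foreach ($app in $Inventory) {
        if ($app.Protocol -ne 'TCP') {
            # Test-NetConnection only probes TCP; UDP apps need a protocol-specific check
            # (for DNS, Resolve-DnsName -Server against the host), so flag them for follow-up.
            $results.Add([pscustomobject]@{ Name = $app.Name; Target = "$($app.Host):$($app.Port)/UDP"; Reachable = $null; Note = 'UDP: verify manually' })
            continue
        }
        $probe = Test-NetConnection -ComputerName $app.Host -Port $app.Port -WarningAction SilentlyContinue
        $results.Add([pscustomobject]@{ Name = $app.Name; Target = "$($app.Host):$($app.Port)/TCP"; Reachable = $probe.TcpTestSucceeded; Note = '' })
    }
    foreach ($ep in $Endpoints) {
        $probe = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
        $results.Add([pscustomobject]@{ Name = 'Microsoft endpoint'; Target = "${ep}:443/TCP"; Reachable = $probe.TcpTestSucceeded; Note = '' })
    }
    return $results
}

$report = Test-ConnectorLineOfSight -Inventory $apps -Endpoints $microsoftEndpoints
$report | Format-Table -AutoSize

# Stop before the PoC starts on a connector that cannot reach a required target.
$unreachable = $report | Where-Object { $_.Reachable -eq $false }
if ($unreachable) {
    Write-Error ("Connector lacks line of sight to: " + ($unreachable.Target -join ', '))
}
```

Run it again after any firewall or routing change, and keep the inventory as the source for the IP, FQDN, protocol and port values you later enter when publishing each test application.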

To test Microsoft traffic scenarios, you need Microsoft 365 products such as SharePoint Online or Exchange Online.

Configure the product for use cases

After you meet the prerequisites, use the following sections as steps to configure your test environment.

1. Enable the product in your tenant

Enable each product's traffic profile for Global Secure Access to acquire and tunnel traffic for that product area. Assign users and groups to the profile so that the Global Secure Access client for those users acquires and routes traffic to Global Secure Access. The following articles define the required roles for those tasks:

2. Install the Global Secure Access client

Install the Global Secure Access client on each client device that connects to Global Secure Access services. Ensure that your test devices meet prerequisites. Review Known limitations for Global Secure Access.

To deploy the client to multiple devices, use Intune or another mobile device management solution.

3. Configure Microsoft Entra Private Access

For detailed steps, see the Configure Microsoft Entra Private Access article.

4. Configure Microsoft Entra Internet Access

For detailed steps, see the Configure Microsoft Entra Internet Access article.

Troubleshoot

If you have problems with your PoC, these articles can help you with troubleshooting, logging, and monitoring: