Entra Internet Access, Entra Private Access, and Microsoft Tunnel — the Microsoft Security Service Edge platform that retires legacy VPN and consolidates Zscaler, Netskope, and Prisma Access onto one Conditional Access policy plane. Delivered by a senior-architect-led 29-year Microsoft Solutions Partner.
Microsoft Global Secure Access is the Microsoft SSE platform — Entra Internet Access SWG, Entra Private Access ZTNA, and Microsoft Tunnel mobile VPN, unified under one Conditional Access policy plane. It retires legacy VPN (Cisco AnyConnect, Palo Alto GlobalProtect, F5 BIG-IP APM, Pulse Secure), consolidates Zscaler ZIA-plus-ZPA-style SSE spend into the Entra Suite SKU, and integrates cleanly with incumbent SD-WAN for the SASE outcome. EPC Group delivers the full migration under a fixed-fee five-phase Accelerator between $300K and $1M.
Microsoft Global Secure Access is the umbrella brand. The product surface decomposes into three component pillars, each replacing a category of legacy infrastructure and each evaluated against the same Conditional Access policy engine.
The full outbound internet traffic plane for every user on a managed endpoint — every web request to a sanctioned SaaS application, every shadow IT lookup, every public internet destination. The traffic plane that has historically demanded a Zscaler ZIA or Netskope ZIA deployment to enforce.
Entra Internet Access is the Microsoft answer to Zscaler ZIA, Netskope Next Gen SWG, Palo Alto Prisma Access Cloud SWG, and Cisco Umbrella. It is the SWG component of the Microsoft Security Service Edge.
Every private application historically published through a legacy VPN concentrator, a Citrix Gateway, an F5 BIG-IP APM, a Palo Alto GlobalProtect, a Cisco AnyConnect, or an Azure Application Proxy. Internal web apps, RDP and SSH targets, legacy thick-client TCP and UDP apps, on-premises file shares — the full private-application catalog that has run over a VPN for two decades.
Entra Private Access is the Microsoft answer to Zscaler ZPA, Netskope Private Access, Palo Alto Prisma Access Private App Connector, Cloudflare Access, Cato Networks ZTNA, and Cisco Secure Access. It is the ZTNA component of the Microsoft Security Service Edge.
Mobile device traffic from corporate-managed iOS and Android endpoints — Microsoft Intune-enrolled phones and tablets accessing private applications and sanctioned SaaS, where Entra Private Access mobile clients are not yet the preferred path or where strict mobile-only VPN policy is required.
Microsoft Tunnel is the bridge product covering managed mobile devices today while Entra Private Access mobile capability continues to expand. Many enterprises deploy Microsoft Tunnel for mobile alongside Entra Private Access for Windows and macOS, then converge as the mobile ZTNA experience reaches feature parity.
The six recurring patterns EPC Group sees across Fortune 500 and regulated enterprise Global Secure Access deployments. Each pattern decomposes into a defined application catalog, a Conditional Access policy profile, and a measurable outcome.
The defining use case. A 2,000-to-50,000-user enterprise running Cisco AnyConnect, Palo Alto GlobalProtect, F5 BIG-IP APM, or Pulse Secure as the remote-access tunnel for 200-plus published applications wants to retire the appliance fleet, shrink the attack surface, and move to identity-aware per-application access. EPC Group deploys Entra Private Access as the ZTNA target, ships Quick Access groups for rapid mass-publishing of legacy apps as an initial network segment, then refines into per-application Conditional Access policy over a phased twelve-to-twenty-four-week program. The legacy VPN concentrators are decommissioned, the inbound firewall ports closed, and the enterprise moves from a flat-network VPN tunnel to per-application zero-trust access at scale.
Contractor laptops, employee personal devices on BYOD programs, and acquired-company endpoints not yet domain-joined or Intune-enrolled all need access to a defined catalog of internal applications. Entra Private Access publishes the application catalog with Conditional Access policy requiring app-protection policies, browser-based access through Entra Application Proxy or Edge-enforced policy, or Defender for Cloud Apps session controls layered for sensitive workloads. The pattern eliminates the historic compromise of either issuing corporate laptops to every contractor or accepting unmanaged-device tunnels into the corporate network.
The SWG side of the SSE story. Entra Internet Access acts as the identity-aware Secure Web Gateway for traffic to Microsoft 365, Salesforce, Workday, ServiceNow, GitHub Enterprise Cloud, and the rest of the sanctioned SaaS catalog. Conditional Access compliant-network-location signal raises the bar against token theft and adversary-in-the-middle phishing. Microsoft 365 traffic optimization routes Exchange, SharePoint, Teams, and Copilot traffic over the fast path while non-sanctioned SaaS continues through full SWG inspection. Salesforce-specific Conditional Access policy plus Defender for Cloud Apps session controls block unauthorized data exfiltration from the CRM tier.
Domain controllers, Azure subscription management, M365 tenant admin, Active Directory Tier 0 administration — the highest-privilege access plane. Entra Private Access publishes the admin jump-host fleet behind per-application Conditional Access policy requiring Privileged Access Workstation device compliance, FIDO2 authentication strength, no-personal-device sign-in, and Entra Privileged Identity Management eligible-role activation. The pattern aligns with the Microsoft enterprise admin tiering model and integrates with Azure Bastion for inside-Azure RDP and SSH targets so the admin path is identity-aware end-to-end. See our /azure-bastion-privileged-access-just-in-time-2026 hub for the Bastion side of the Tier 0 pattern.
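One way to check exported policies against this Tier 0 profile, as an added example that is neither EPC Group's nor Microsoft's code: it assumes policies in the shape of the Microsoft Graph conditionalAccessPolicy resource, a constructed PAW device-filter tag, and constructed app and group ids.

```python
"""Lint exported Conditional Access policies against the Tier 0 admin profile.

Added example, not EPC Group's or Microsoft's code. Assumes policies are dicts
shaped like the Microsoft Graph conditionalAccessPolicy resource, Tier 0 jump
hosts are one Entra Private Access enterprise app, and PAWs carry a constructed
device tag (extensionAttribute1 = "PAW"); app and group ids are constructed.
"""

# Entra ID built-in "Phishing-resistant MFA" authentication strength id (FIDO2,
# certificate-based auth, Windows Hello for Business); custom strengths differ.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
PAW_FILTER_RULE = 'device.extensionAttribute1 -eq "PAW"'  # constructed convention
TIER0_APP = "00000000-aaaa-bbbb-cccc-000000000001"   # constructed app object id
ADMIN_GROUP = "00000000-aaaa-bbbb-cccc-000000000002"  # constructed group id


def tier0_findings(policy: dict, tier0_app_id: str) -> list[str]:
    """Return the gaps between a policy and the Tier 0 profile (empty = conforms)."""
    findings: list[str] = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    apps = cond.get("applications") or {}
    users = cond.get("users") or {}
    dev_filter = (cond.get("devices") or {}).get("deviceFilter") or {}
    controls = list(grant.get("builtInControls") or [])
    strength = (grant.get("authenticationStrength") or {}).get("id")

    if policy.get("state") != "enabled":  # report-only logs but never blocks
        findings.append("policy is not enabled, so nothing is enforced")
    if tier0_app_id not in (apps.get("includeApplications") or []):
        findings.append("Tier 0 jump-host application is not in scope")
    # Scope to the admin group; all-users policies tend to accumulate exclusions.
    if users.get("includeUsers") == ["All"] or not users.get("includeGroups"):
        findings.append("policy must target the Tier 0 admin group, not all users")
    # PAW device compliance = Intune-compliant AND restricted to tagged PAWs.
    if "compliantDevice" not in controls:
        findings.append("compliant device is not required")
    if dev_filter.get("mode") != "include" or dev_filter.get("rule") != PAW_FILTER_RULE:
        findings.append("not restricted to PAW devices; a personal device could sign in")
    # The legacy 'mfa' control accepts SMS and push; a strength pins FIDO2-class.
    if strength != PHISHING_RESISTANT_MFA:
        findings.append("phishing-resistant authentication strength is not required")
    # Multiple controls only add up when the grant operator is AND.
    if len(controls) + (1 if strength else 0) > 1 and grant.get("operator") != "AND":
        findings.append("grant controls are OR-ed; satisfying one control is enough")
    return findings


# Constructed: the profile the Tier 0 pattern calls for.
CONFORMING_POLICY = {
    "displayName": "Tier0-JumpHosts-PAW-FIDO2",
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": [TIER0_APP]},
        "users": {"includeGroups": [ADMIN_GROUP]},
        "devices": {"deviceFilter": {"mode": "include", "rule": PAW_FILTER_RULE}},
    },
    "grantControls": {
        "operator": "AND",
        "builtInControls": ["compliantDevice"],
        "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
    },
}

# Constructed: a legacy-VPN-era policy carried over unchanged (MFA-only, all users).
LEGACY_POLICY = {
    "displayName": "Require MFA for remote access",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "applications": {"includeApplications": [TIER0_APP]},
        "users": {"includeUsers": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    for p in (CONFORMING_POLICY, LEGACY_POLICY):
        print(p["displayName"], "->", tier0_findings(p, TIER0_APP) or "conforms")
```

PIM eligible-role activation is enforced on the role assignment rather than inside this policy, so the check deliberately leaves it out.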
External contractors, managed-service-provider technicians, software vendor support staff, and acquired-entity workforce needing time-bounded access to a defined application catalog. Entra Private Access publishes the contractor application set scoped by Entra B2B guest identity, with Conditional Access policy enforcing time-bounded eligibility through Entra Identity Governance access packages and access reviews. The pattern replaces the historic anti-pattern of issuing internal Active Directory accounts to contractors plus the VPN tunnel — moving instead to guest identity plus per-application ZTNA scoped to the engagement contract.
Enterprises running material workloads across Azure, AWS, and GCP need consistent identity-aware access policy regardless of which cloud the application runs in. Entra Private Access connectors deploy inside each cloud VNet or VPC, publishing applications across all three clouds under the same Conditional Access policy plane. The result is a single ZTNA fabric covering on-premises private apps, Azure-resident apps, AWS-resident apps, and GCP-resident apps — independent of the per-cloud native access tools. The pattern is particularly valuable post-M&A where acquired entities arrive with their own cloud footprint and need to be folded into the parent identity-aware access policy.
Global Secure Access is the SSE half of a Secure Access Service Edge framework. The SD-WAN half ships through partnership with the incumbent SD-WAN ecosystem. The architectural difference that matters most is the unified Conditional Access policy plane that spans every component.
Microsoft Global Secure Access traffic terminates at Microsoft edge locations co-located with the global Microsoft 365 service edge. Users connect from anywhere — corporate office, home, hotel, airport — and traffic egresses to the Microsoft edge before being delivered to its destination. The architecture is the Microsoft Security Service Edge platform, the SSE component of a Secure Access Service Edge (SASE) framework.
Every web request and every private-application connection is evaluated against the same Conditional Access policy engine that already governs Microsoft 365, Azure, and the Entra ID identity fabric. There is no separate policy plane for the SWG, no separate policy plane for the ZTNA. Device compliance, MFA strength, identity risk, sign-in risk, named locations, named devices, Entra ID Protection risk score, and session controls all evaluate inside one engine. This is the architectural difference against Zscaler and Netskope, which run separate policy planes that customers reconcile with Conditional Access through custom integration.
Secure Access Service Edge (SASE) is the convergence of Security Service Edge (SSE) plus Software-Defined Wide Area Network (SD-WAN). Microsoft Global Secure Access is the SSE half. The SD-WAN half is delivered through Microsoft partnership with Cisco Catalyst SD-WAN, VMware VeloCloud, Versa Networks, Aryaka, Aruba EdgeConnect, and the broader SD-WAN ecosystem — each of which integrates with Global Secure Access through standardized branch and remote site connectors. For enterprises wanting a single-vendor SASE, Cato Networks or Palo Alto Prisma Access remain the alternative architecture; for enterprises wanting best-of-breed SSE plus existing SD-WAN, Global Secure Access plus the incumbent SD-WAN partner is the canonical Microsoft pattern.
The most under-appreciated capability of Microsoft Global Secure Access is policy unification. The same Conditional Access policy that gates a user from signing into Exchange Online or SharePoint Online also gates that user from reaching the SWG egress, the ZTNA private application, and the Microsoft Tunnel mobile session. One policy engine. One enforcement model. One audit log. The simplification against running Zscaler ZIA plus Zscaler ZPA plus Microsoft Conditional Access in parallel is material, and the operational savings are visible in SOC investigation time and in change-management overhead within the first 90 days.
Microsoft offers three commercial paths to Global Secure Access. For most enterprises deploying both Internet Access and Private Access, the Microsoft Entra Suite SKU is the economical and operational floor.
The Secure Web Gateway component — outbound internet traffic, Microsoft 365 traffic acceleration, web content filtering, threat intelligence enforcement.
Pricing: Available as a standalone Entra Internet Access SKU or as part of the Microsoft Entra Suite bundle. List pricing approximately $8 per user per month standalone; materially lower when consumed inside the Entra Suite bundle.
The Zero Trust Network Access component — per-application access to private apps, VPN replacement, multi-cloud private-app publishing.
Pricing: Available as a standalone Entra Private Access SKU or as part of the Microsoft Entra Suite bundle. List pricing approximately $8 per user per month standalone; materially lower when consumed inside the Entra Suite bundle.
The recommended bundle for any enterprise deploying both Entra Internet Access and Entra Private Access. Entra Suite combines Entra ID P2, Entra ID Governance, Entra Verified ID, Entra Internet Access, and Entra Private Access into a single per-user SKU.
Pricing: Approximately $12 per user per month list at the Suite price — materially less than buying the components individually. For most enterprises deploying Global Secure Access, Entra Suite is the economical and operational floor.
Included with Microsoft Intune licensing — the per-app mobile VPN for managed iOS and Android. No separate SKU.
Pricing: Entitled through Microsoft Intune Plan 1 or above. No incremental per-user cost beyond the existing Intune licensing footprint, which most Microsoft 365 E3 and E5 customers already carry.
The five pure-play SSE and SASE platforms EPC Group most often replaces or integrates with during Global Secure Access engagements. Each has defensible strengths in specific enterprise contexts.
The market leader on pure-play SSE. Strongest in net-new SSE deployments at enterprises with no Microsoft footprint, in OT and IoT segmented-network deployments, and in customer environments where the security team owns the SSE platform independently of identity. Weaker on Microsoft 365 traffic optimization economics, on Conditional Access policy unification, and on per-user list price for Microsoft 365 E5 customers who can fold SSE into the Entra Suite SKU. EPC Group migrates Zscaler ZIA plus ZPA into Global Secure Access for Microsoft-anchored enterprises seeking license consolidation and policy unification — the recurring annual savings typically exceed the migration engagement fee in the first year.
Strongest in Cloud Access Security Broker depth, with the most mature inline CASB inspection across sanctioned and unsanctioned SaaS. Strong in regulated industries with deep DLP requirements at the SWG layer. Weaker on Conditional Access integration, on Microsoft 365 traffic optimization, and on the unified policy engine that Global Secure Access delivers. EPC Group typically replaces Netskope SWG with Entra Internet Access plus Defender for Cloud Apps inline CASB for Microsoft-anchored enterprises, preserving Netskope only where best-of-breed CASB depth is non-negotiable.
The pure-play SASE leader combining Prisma Access SWG, Prisma Access Private App Connector ZTNA, and Prisma SD-WAN into a single vendor stack. Strongest in single-vendor SASE consolidation when the customer is already a Palo Alto firewall standardized shop. Weaker on Microsoft 365 traffic acceleration, on Conditional Access unification, and on per-user economics for Microsoft 365 E5 customers. EPC Group migrates Prisma Access ZTNA into Entra Private Access for Microsoft-anchored enterprises while preserving Prisma SD-WAN as the WAN fabric — the SSE-plus-existing-SD-WAN pattern is the canonical Microsoft SASE answer.
The Cisco SASE stack — Umbrella as the DNS-layer security and SWG, Secure Access as the ZTNA component, Catalyst SD-WAN as the WAN fabric. Strongest in Cisco-anchored networking estates with existing AnyConnect VPN, Catalyst SD-WAN, and Meraki branch footprint. Weaker on Conditional Access policy unification with Entra ID and on the Microsoft 365 traffic optimization plane. EPC Group migrates Cisco AnyConnect into Entra Private Access for Microsoft-anchored enterprises while preserving Catalyst SD-WAN as the branch WAN fabric — Global Secure Access integrates cleanly into the Catalyst SD-WAN ecosystem through the Microsoft SD-WAN partner program.
The fastest-rising SSE platform, particularly strong in developer-anchored enterprises and in deployments where the customer already runs Cloudflare as the CDN and WAF. Weaker on Conditional Access integration depth, on Microsoft 365 traffic optimization, and on the regulatory framework portfolio Microsoft brings (FedRAMP-authorized for the Global Secure Access service). EPC Group respects Cloudflare for customers whose security team standardizes on Cloudflare as the platform — Global Secure Access is the recommendation for Microsoft-anchored enterprises.
The fixed-fee delivery program for Global Secure Access — from incumbent SSE and VPN vendor assessment through legacy VPN decommission, SWG activation, and managed steady state. Twelve to twenty-four weeks for a 5,000-to-25,000-user enterprise.
Phase one is a fixed-fee assessment that inventories the existing remote-access estate — VPN concentrator vendor, user counts, published application catalog, average concurrent session counts, peak bandwidth, regional egress topology, and current Conditional Access posture. EPC Group produces a costed migration roadmap, a risk-weighted application backlog scored by complexity, a license consolidation analysis comparing Entra Suite economics against incumbent SSE spend, and a board-ready decision package.
Phase two activates Entra Private Access for a controlled pilot cohort — typically the IT department plus two business units totaling 200 to 500 users — covering a defined catalog of 10 to 25 private applications. EPC Group ships the connector fleet, establishes the Quick Access groups, configures the per-application Conditional Access policy, and validates the user experience across Windows, macOS, iOS, and Android endpoints before broader rollout.
Phase three is the production rollout. EPC Group sequences wave-based user migration from the legacy VPN onto Entra Private Access, typically in 1,000-to-5,000-user waves on a two-to-four-week cadence depending on enterprise change-management tolerance. Each wave brings additional applications onto the ZTNA platform under per-application Conditional Access policy, with the legacy VPN running in parallel as a fallback during the cutover window. After all users and applications have migrated, the legacy VPN concentrators are decommissioned and the inbound firewall ports closed.
Phase four activates Entra Internet Access as the Secure Web Gateway for outbound web traffic. EPC Group sequences the activation by user cohort, validates that Microsoft 365 traffic optimization is delivering the expected acceleration for Exchange Online, SharePoint Online, Teams, and Copilot, configures the web content filtering policy aligned to the customer's acceptable-use policy, and integrates threat intelligence enforcement with Microsoft Defender Threat Intelligence and the broader security graph.
Phase five is steady-state operation. EPC Group provides managed Global Secure Access services — 24-by-seven monitoring of the connector fleet, the SWG enforcement plane, the ZTNA application catalog, and the Conditional Access policy lifecycle. Senior-architect escalation is the differentiator; tier-one analysts handle the routine, but every customer has named senior architects on call for the policy decisions, exception adjudications, and architecture questions that matter.
Nearly three decades of Microsoft consulting leadership. A 70+ Fortune 500 client base. 11,000+ engagements. A founder who is a four-time Microsoft Press author. The credential stack that earns the Tier 0 admin access decisions and the SOC investigation lineage decisions that come with a Global Secure Access deployment.
Identity-aware access, Conditional Access governance, and Microsoft security platform engineering at the largest end of the enterprise market.
1.83 million users migrated. M&A is where Global Secure Access wins the multi-cloud, multi-incumbent SSE consolidation play.
FedRAMP-aligned, HIPAA HITRUST, FFIEC, CMMC Level 2, PCI-DSS 4.0, SOC 2 — the regulatory framework portfolio Global Secure Access deployments demand.
Global Secure Access is one pillar of the broader Microsoft Zero Trust platform. The companion EPC Group hubs cover the surrounding identity, endpoint, cloud workload, and AI security planes a complete Zero Trust architecture requires.
The master EPC Group platform map — every Microsoft cloud, security, data, and AI capability cross-referenced.
The identity fabric — Conditional Access policy engine, Entra ID Protection, Privileged Identity Management, and the identity plane Global Secure Access inherits.
The Tier 0 admin RDP and SSH plane inside Azure that pairs with Entra Private Access for end-to-end identity-aware privileged access.
Identity governance for the Copilot and AI agent era — Entra ID Governance, Verified ID, and the AI identity plane.
The cloud workload protection plane covering Azure, AWS, and GCP that Global Secure Access protects access into.
The regulatory framework portfolio — HIPAA, SOC 2, FedRAMP, FINRA, CMMC, GxP — mapped to the Microsoft platform capabilities supporting it.
The companion deep-dive on the Entra ID identity fabric, Conditional Access authoring, and the Zero Trust identity blueprint.
Microsoft Global Secure Access is the Microsoft Security Service Edge (SSE) platform — the SWG plus ZTNA plus mobile per-app VPN unified into one product surface under one Conditional Access policy plane. It is the brand name covering three component capabilities: Microsoft Entra Internet Access (the SWG for outbound web traffic), Microsoft Entra Private Access (the ZTNA layer for private applications, replacing legacy VPN), and Microsoft Tunnel (per-app VPN for managed iOS and Android). Enterprises retire legacy VPN concentrators (Cisco AnyConnect, Palo Alto GlobalProtect, F5 BIG-IP APM, Pulse Secure) by publishing private applications through Entra Private Access connectors, applying per-application Conditional Access policy, and migrating users in waves before decommissioning the legacy VPN. EPC Group delivers the migration under a fixed-fee five-phase accelerator over 12 to 24 weeks.
Zscaler is the market leader on pure-play SSE — strongest in net-new deployments at enterprises with no Microsoft footprint, in OT and IoT segmented-network deployments, and in environments where the security team owns the SSE platform independently of identity. Global Secure Access wins on Microsoft 365 traffic optimization economics, on the unified Conditional Access policy engine spanning identity plus SWG plus ZTNA plus Microsoft 365 plus Azure, and on per-user list price for Microsoft 365 E5 customers who fold SSE into the Entra Suite SKU. For Microsoft-anchored enterprises, EPC Group routinely migrates Zscaler ZIA plus ZPA onto Global Secure Access — the annual license savings typically exceed the migration engagement fee inside the first year, and the policy-engine unification delivers ongoing operational savings in SOC investigation time and in change-management overhead. For pure non-Microsoft estates, Zscaler remains the defensible choice.
Netskope is strongest in Cloud Access Security Broker depth — the most mature inline CASB inspection across sanctioned and unsanctioned SaaS, with deep DLP enforcement at the SWG layer. Global Secure Access wins on Conditional Access integration, on Microsoft 365 traffic optimization, and on the unified policy engine. For Microsoft-anchored enterprises, EPC Group typically replaces Netskope SWG with Entra Internet Access plus Defender for Cloud Apps inline CASB — preserving Netskope only where best-of-breed CASB depth is non-negotiable and the customer is willing to absorb the operational overhead of running two policy engines in parallel. The decision framework comes back to whether identity-centric unification or CASB-depth specialization is the higher-leverage priority for the security operations center.
Palo Alto Prisma Access is the pure-play SASE leader — Prisma Access SWG plus Prisma Access Private App Connector ZTNA plus Prisma SD-WAN combined into a single-vendor stack. Strongest in single-vendor SASE consolidation when the customer is already a Palo Alto firewall standardized shop. Global Secure Access wins on Microsoft 365 traffic acceleration, on Conditional Access unification, and on per-user economics for Microsoft 365 E5 customers. The Microsoft canonical SASE answer pairs Global Secure Access as the SSE half with the incumbent SD-WAN partner (Cisco Catalyst, VMware VeloCloud, Versa, Aryaka, Aruba EdgeConnect, or the customer's existing SD-WAN choice) — preserving the SD-WAN investment while consolidating the security plane onto Microsoft. For Palo Alto firewall standardized shops with mature Prisma SD-WAN, the migration path is to retain Prisma SD-WAN and migrate Prisma Access SSE into Global Secure Access.
The Cisco SASE stack — Umbrella as DNS-layer security and SWG, Secure Access as ZTNA, Catalyst SD-WAN as WAN fabric — is strongest in Cisco-anchored networking estates with existing AnyConnect VPN, Catalyst SD-WAN, and Meraki branch footprint. Global Secure Access wins on Conditional Access policy unification with Entra ID and on Microsoft 365 traffic optimization. The recurring EPC Group pattern is to migrate Cisco AnyConnect VPN into Entra Private Access (eliminating the VPN concentrator fleet) while preserving Catalyst SD-WAN as the branch WAN fabric — Global Secure Access integrates cleanly with Catalyst SD-WAN through the Microsoft SD-WAN partner program. The result is Microsoft SSE plus Cisco SD-WAN, the canonical mixed-vendor SASE answer for Cisco-networking-plus-Microsoft-identity enterprises.
List pricing approximately $8 per user per month for Entra Internet Access standalone, approximately $8 per user per month for Entra Private Access standalone, and approximately $12 per user per month for the Microsoft Entra Suite bundle (which includes Entra ID P2, Entra ID Governance, Entra Verified ID, Entra Internet Access, and Entra Private Access in one SKU). Microsoft Tunnel for mobile is entitled through Microsoft Intune Plan 1 or above with no incremental per-user cost. For most Microsoft 365 E3 or E5 enterprises deploying both Internet Access and Private Access, the Entra Suite SKU is the economical and operational floor — materially less than buying the components individually and bundling Entra ID P2 plus Entra ID Governance plus Verified ID at no incremental cost. A 10,000-user enterprise running Entra Suite is roughly $1.4 million per year in Microsoft consumption, materially below comparable Zscaler ZIA-plus-ZPA-plus-Conditional-Access licensing.
A realistic Global Secure Access deployment for a 5,000-to-25,000-user enterprise runs 12 to 24 weeks under the EPC Group five-phase accelerator. Phase 1 Assess is three to four weeks. Phase 2 Pilot is four to six weeks for a 200-to-500-user controlled pilot covering 10 to 25 applications. Phase 3 Rollout is six to twelve weeks for wave-based user migration and legacy VPN decommission. Phase 4 SWG Activation is two to four weeks. Phase 5 Operate is steady-state managed service. Fixed-fee engagement pricing typically lands in the $300,000 to $1,000,000 range depending on user count, application catalog complexity, and the number of incumbent vendors being displaced. The fixed-fee structure eliminates the open-ended time-and-materials risk that legacy VPN-to-ZTNA programs have historically carried.
Microsoft Global Secure Access is FedRAMP-authorized for the commercial cloud, with capabilities aligned to the standard EPC Group regulatory framework portfolio — HIPAA HITRUST for healthcare, FFIEC and SOX for financial services, CMMC Level 2 for defense contractors, PCI-DSS 4.0 for retail, and SOC 2 for the broader SaaS estate. EPC Group is a FedRAMP-aligned Microsoft Solutions Partner with nearly three decades of consulting leadership across regulated industries. For US Government workloads requiring GCC High or DoD cloud, the Global Secure Access service follows the Microsoft sovereign cloud roadmap; EPC Group sequences deployments by tenant boundary to match the customer's regulatory scope. See our /standards-alignment hub for the full mapping of Microsoft security platform capabilities against the regulatory framework portfolio.
EPC Group delivers the Microsoft Global Secure Access migration under a fixed-fee five-phase Accelerator — Assess, Pilot, Rollout and VPN Decommission, SWG Activation, Operate. $300,000 to $1,000,000 fixed-fee for a 5,000-to-25,000-user enterprise. Twelve to twenty-four weeks. Senior-architect-led, regulatory-framework aligned, license-savings positive inside the first year.