Unlocking Zero Trust with Microsoft Entra GSA: The Essential Guide to Getting Started – Part 1 of 5
An introduction to why GSA is essential for your business
Hey there! I'm JJ Milner, a Microsoft MVP for Windows 365 and Intune architect based in Johannesburg. As a contributor to the Centre for Internet Security (CIS) benchmarks for Windows 11 on Intune and Microsoft 365 fundamentals, I've been at the forefront of evolving security solutions.
During the preview phase of Microsoft Entra Global Secure Access (GSA), I had the privilege of collaborating closely with the product team, including Andres Canello (Principal Product Manager, IDCxP), who provided invaluable insights and support.
Andres also collaborated with me on the entire blog series, contributing his expertise to make this guide more comprehensive. I want to thank Andres for his dedication and contributions—they have been instrumental in shaping this content. With GSA now fully public and evolving rapidly, I'm thrilled to introduce this multi-part series on deploying and optimising GSA.
To make this series practical and attainable, we've structured it around three levels of deployment, allowing you to start small and build confidently. Level 1 focuses on the M365 profile—easy to set up with minimal configurations, implementable in 24 hours for quick wins in security and performance. Level 2 adds Internet Access (native) and basic Private Access (automatic connections, SQL MI)—achievable in a week (including time for testing). Level 3 incorporates Netskope and advanced Private Access (per-app), which takes two weeks for full integration and validation. This phased approach minimises risk, lets you test at each stage, and scales to your pace.
Before we dive into the technical how-tos in the upcoming parts (starting with Level 1 M365 traffic security in Part 2), let's step back and explore why GSA is such a game-changer. In this Part 1, we'll break down what makes GSA a big deal, the tangible benefits for businesses, how it aligns with CIS controls, and why prioritising compliance isn't just a checkbox—it's a strategic advantage. We'll also discuss key considerations, such as points of presence (PoPs), latency, and testing methodologies, to help you plan your deployment effectively. If you're managing hybrid workforces, navigating rising cyber threats, or relying on outdated VPNs, this is for you. Let's get into it!
Why GSA is a Big Deal in 2025
In a world where remote work is the norm and cyber threats are evolving faster than ever—think AI-powered attacks and sophisticated phishing—traditional security models like perimeter-based defences are obsolete. Enter Microsoft Entra Global Secure Access: a cloud-native Security Service Edge (SSE) solution that embodies Zero Trust principles, verifying every access request regardless of location. GSA isn't just another tool; it's a unified platform in the Microsoft Entra admin centre that secures access to Microsoft 365, the internet, and private resources without the hassles of legacy VPNs.
What sets it apart in 2025? Microsoft's ongoing innovations, such as integrating identity management for AI agents and enhancing Zero Trust with AI-driven threat detection, make GSA future-proof. It's designed for the hybrid era, routing traffic through Microsoft's global edge network for optimal performance while enforcing identity-centric controls. Businesses are shifting to GSA because it replaces clunky, high-maintenance VPNs with seamless, scalable security—reducing latency, minimising attack surfaces, and adapting to emerging threats like those targeting AI workflows. In short, GSA isn't optional; it's the foundation for modern, resilient networking.
Key Benefits for Businesses
Deploying GSA delivers a host of benefits that go beyond security—they drive efficiency, cost savings, and user satisfaction. Here's a breakdown based on real-world implementations I've seen and Microsoft's latest data:
Enhanced Security in a Zero-Trust World: The GSA verifies users, devices, and contexts before granting access, thereby reducing risks associated with breaches. Features like Conditional Access with Compliant Network checks and Universal Tenant Restrictions prevent data exfiltration and unauthorised logins. With cyber incidents costing businesses an average of $4.45 million (per IBM reports), GSA's proactive defences can slash that exposure by up to 70% through granular controls. Users remain secure even over public WiFi, as GSA tunnels workloads (like M365 traffic) through encrypted, optimised paths—protecting data in transit without relying on the underlying network's security.
Optimised Performance for Hybrid Teams: By routing traffic directly to Microsoft's edge, GSA cuts latency by 20-30% compared to backhauling through on-premises gateways. Remote workers get faster access to M365 apps, web resources, and internal systems—boosting productivity without compromising security. In my consulting experience, this has led to happier teams and fewer support tickets. Specifically, the GSA M365 access profile, included free with Entra ID P1 or P2 licenses, enables users to access Microsoft 365 services, such as Exchange and SharePoint, more quickly and reliably, while also benefiting from built-in security for GSA-routed workloads.
Comprehensive Visibility and Insights: GSA offers detailed traffic logs, dashboards, and integration with Microsoft Sentinel, providing enhanced threat hunting capabilities. Businesses gain real-time visibility into access patterns, enabling them to spot anomalies early. This ties into broader Entra benefits, such as improved user experiences through seamless SSO and adaptive access.
Cost Efficiency and Scalability: No hardware to maintain—it's all cloud-based. Start with the free M365 profile (included in Entra ID P1/P2) and scale to Internet or Private Access as needed. For growing enterprises, this means lower TCO versus traditional SSE solutions, with built-in extensibility like Netskope for advanced DLP.
Future-Proofing with AI and Compliance: 2025 updates emphasise AI security, such as protecting agent identities, aligning with the rise of AI in business ops. GSA ensures your security evolves with threats, supporting compliance frameworks out of the box.
Organisations deploying GSA report improved security postures, with features like identity-based microsegmentation limiting lateral movement in breaches—revolutionising network security.
Alignment with CIS Controls and the Value of Compliance
As a CIS benchmark contributor, I can confidently say GSA aligns seamlessly with the CIS Controls and Microsoft 365 Foundations Benchmark v5.0.0. CIS Controls are a set of prioritised, actionable best practices developed by experts to mitigate the most common cyber attacks. GSA supports key areas like:
Control 1: Inventory and Control of Enterprise Assets: GSA's visibility into devices and traffic helps maintain an accurate asset inventory, ensuring only compliant devices have access to resources. This is important to customers because it prevents unauthorised devices from compromising the network, reducing breach risks and aiding compliance audits.
Control 6: Access Control Management: Through Entra ID integration, GSA enforces least-privilege access, multi-factor authentication, and role-based controls—core to CIS recommendations for Identity and Access Management (IAM). Why important? It minimises insider threats and credential abuse, which account for a large portion of breaches, saving costs on incident response.
Control 13: Network Monitoring and Defence: GSA's traffic forwarding and logging provide continuous monitoring, aligning with CIS's emphasis on detecting and responding to network threats. This matters to customers as it enables quick threat detection, potentially blocking 85% of attacks, according to CIS data, and supports regulatory requirements such as GDPR.
Control 16: Application Software Security: GSA secures SaaS and web access, as outlined in the Microsoft 365 benchmark. Customers must protect themselves against supply chain attacks and ensure secure app configurations to enhance their overall resilience.
Why does compliance matter for your business? It's not just about avoiding fines (though GDPR, HIPAA, and similar regulations can carry penalties of up to 4% of global revenue). Compliance builds trust with customers and partners, demonstrating your commitment to data protection. It reduces operational risks—CIS-aligned practices block 85% of attacks, per CIS data—leading to fewer disruptions and lower insurance premiums. In my work, businesses that prioritise CIS compliance see faster incident response times and stronger resilience, turning security from a cost centre into a competitive edge. GSA makes this achievable without requiring an overhaul of your infrastructure.
Why Businesses Should Deploy GSA Now
If your organisation relies on Microsoft 365, has remote workers, or manages on-premises resources, delaying GSA deployment means continuing to use vulnerable VPNs or fragmented security tools. With threats like ransomware surging and AI introducing new vectors, GSA offers a straightforward path to Zero Trust. Start small—enable the free M365 profile—and scale up as needed. The ROI is clear: enhanced protection, happier users, and peace of mind in an unpredictable digital landscape.
Looking Ahead to the Series
This Part 1 sets the stage—now, join me in Part 2 for Level 1: hands-on configuration of the M365 access profile, complete with step-by-step guidance and manual testing tips. Subsequent parts will cover Level 2: Internet Access native (Part 3) and basic Private Access (Part 4), Level 3: Netskope (Part 5) and advanced Private Access (Part 5.1), with PowerShell scripts for automation and monitoring in Part 5.2. We'll also include sub-articles for client management and certificate config. See Part 6 for an appendix on PoPs.
What security challenges are you facing that GSA could solve? Share in the comments below—I love hearing your stories! Subscribe to ensure you don't miss the deep dives, and let's build a more secure future together.
Series Navigation: [Part 1] [Part 2] [Part 3] [Part 4] [Part 5] [Appendix 1]