Entra SSE Part 1: When Access Becomes the Attack Vector
- Harri Jaakkonen

- Nov 10
- 3 min read

From VPN Fatigue to Zero Trust Reality: The Night Our Network Faced the Storm
Scene 1: The Breach
It's 08:47 AM on a Monday. The SOC dashboard lights up like a warning beacon:
- Unusual sign-ins from multiple geographies
- Legacy VPN tunnels spiking traffic
- Sensitive SharePoint files accessed from unmanaged devices
Your network team scrambles. The old model—VPN + perimeter firewall—is cracking under pressure. Attackers exploit split-tunnel misconfigurations, credential stuffing, and shadow IT SaaS apps. Every second counts.
Alex, the SOC lead, knows the drill:
- Check VPN logs
- Validate MFA enforcement
- Investigate suspicious IP ranges
But here's the problem: VPN assumes trust once connected. The attacker is inside the tunnel, moving laterally. The perimeter is gone.
Scene 2: Enter Entra Global Secure Access
Instead of patching holes, Microsoft Entra GSA flips the script:
- Identity-driven access replaces network-centric trust
- Universal Conditional Access applies everywhere—cloud, on-prem, SaaS
- Traffic inspection via Microsoft's global edge ensures compliance without latency
Within minutes:
- Risky sign-ins are blocked
- Sensitive apps require device compliance + phishing-resistant MFA
- Legacy VPN? Retired.
Why This Matters
Traditional VPNs assume trust once connected. Attackers love that. Entra GSA enforces Zero Trust:
- Verify explicitly every session
- Use least privilege for app access
- Assume breach and inspect continuously
Deep Dive: Entra GSA Architecture
Entra GSA is built on Microsoft's global edge network, leveraging:
- Policy Enforcement Points at the edge for real-time decisions
- Integration with Entra ID for identity-based access
- Conditional Access Policies applied consistently across SaaS, private apps, and hybrid workloads
- Traffic Segmentation for compliance and performance optimization
Unlike VPN, which creates a flat network, GSA uses per-app tunnels with granular controls. Every session is evaluated against risk signals from Defender for Endpoint, Microsoft Threat Intelligence, and Entra ID Protection.
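The two Conditional Access outcomes from Scene 2 (block risky sign-ins; sensitive apps need device compliance plus phishing-resistant MFA) and the per-session risk evaluation described above, as an added Python example that is not part of the original post. The policy bodies follow the Microsoft Graph conditionalAccessPolicy shape, the app id is a placeholder, and evaluate() is a deliberately simplified local evaluator, not Entra's engine.

```python
# Added example (not the post's code): Graph-shaped Conditional Access policies
# for the two outcomes above, plus a simplified local evaluator, not Entra's engine.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"  # built-in strength id
SENSITIVE_APP = "<sensitive-app-id>"  # placeholder: use the real app object id

POLICIES = [
    {   # Assume breach: high-risk sign-ins are blocked for every app
        "displayName": "Block high-risk sign-ins",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "signInRiskLevels": ["high"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Verify explicitly: sensitive app needs compliant device AND strong MFA
        "displayName": "Sensitive app: compliant device + phishing-resistant MFA",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": [SENSITIVE_APP]},
                       "signInRiskLevels": []},
        "grantControls": {"operator": "AND",
                          "builtInControls": ["compliantDevice"],
                          "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
    },
]

def applies(policy, signin):
    """True when the policy's app and sign-in-risk scope include this sign-in."""
    cond = policy["conditions"]
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and signin["app"] not in apps:
        return False
    risks = cond["signInRiskLevels"]
    return not risks or signin["risk"] in risks

def evaluate(signin, policies=POLICIES):
    """Per-session decision: every in-scope enabled policy must be satisfied
    and a block control wins over any grant. Returns 'block' or 'grant'."""
    for policy in policies:
        if policy["state"] != "enabled" or not applies(policy, signin):
            continue
        gc = policy["grantControls"]
        if "block" in gc["builtInControls"]:
            return "block"
        checks = []
        if "compliantDevice" in gc["builtInControls"]:
            checks.append(signin["device_compliant"])
        if "authenticationStrength" in gc:
            checks.append(signin["auth_strength"] == gc["authenticationStrength"]["id"])
        combine = all if gc["operator"] == "AND" else any
        if not combine(checks):
            return "block"
    return "grant"
```

Each sign-in dict carries the signals the post names (app, Entra ID Protection risk level, device compliance, authentication strength used), and the evaluator re-checks them for every session rather than trusting a connected tunnel.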
🔧 Fortytwo's Role
We help enterprises deploy Entra GSA at scale, integrating:
- Microsoft Conditional Access policies
- Traffic segmentation for SaaS and private apps
- Telemetry into Sentinel for unified monitoring
Our services include:
- Zero Trust workshops
- Policy design and automation
- Integration with Defender and Purview for compliance
Entra GSA vs Zscaler: Key Differences
| Feature | Entra GSA | Zscaler |
| --- | --- | --- |
| Native Identity Integration | Deep integration with Entra ID | Requires connectors |
| Policy Consistency | Same Conditional Access across all apps | Separate policy engine |
| Microsoft Ecosystem | Defender, Sentinel, Purview built-in | Third-party integrations |
| Licensing | Bundled with Microsoft Security stack | Separate subscription |
| Telemetry | Unified in Sentinel | Requires API integration |
💡 Bottom line: If you're already in the Microsoft ecosystem, Entra GSA reduces complexity and cost while delivering Zero Trust at global scale.
Entra GSA and Zscaler – Can They Coexist?
Coexistence Is Possible
If your organization already uses Zscaler, you don’t have to rip and replace. Microsoft Entra Global Secure Access (GSA) and Zscaler can operate side by side as part of a unified Secure Access Service Edge (SASE) strategy. This approach lets you leverage the strengths of both platforms while maintaining Zero Trust principles.
How It Works
Microsoft and Zscaler offer complementary capabilities:
- Entra Internet Access can secure Microsoft 365 and internet traffic.
- Entra Private Access can handle private app traffic.
- Zscaler Internet Access can continue to manage general internet traffic if preferred.
- Zscaler Private Access can secure non-Microsoft private apps.
You can configure traffic forwarding profiles in the Microsoft Entra admin center to decide which traffic goes where. For example:
- Scenario 1: GSA handles Microsoft 365 + internet traffic; Zscaler handles private apps.
- Scenario 2: GSA handles Microsoft 365 traffic only; Zscaler handles internet + private apps.
Both clients can coexist on the same device (Windows 10/11 or macOS) with proper configuration. This requires enabling or disabling the relevant forwarding profiles and configuring FQDN/IP bypasses so that each client captures only the traffic it is meant to handle.
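The two coexistence scenarios above, as an added Python model that is not part of the original post: it decides which client carries a destination from the GSA forwarding profiles that are enabled plus a bypass list. The destination lists are constructed samples (not Microsoft's published Microsoft 365 endpoints or a real Zscaler configuration), and treating a bypass as "neither client" is a simplification for the model.

```python
import ipaddress
from fnmatch import fnmatch

# Added example (not the post's code): which client captures a destination given
# the GSA forwarding profiles that are enabled and the configured bypasses.
# Constructed sample destination lists; replace with the real endpoint lists.
M365_DESTINATIONS = ["*.sharepoint.com", "outlook.office365.com", "*.microsoft.com"]
PRIVATE_APPS = ["*.corp.example", "10.0.0.0/8"]  # hypothetical private app ranges

# The two scenarios from the post, expressed as GSA profile enablement.
SCENARIO_1 = {"m365": True, "internet": True, "private": False}   # Zscaler: private apps
SCENARIO_2 = {"m365": True, "internet": False, "private": False}  # Zscaler: internet + private

def matches(dest, patterns):
    """Match a hostname against wildcard FQDNs or an IP against CIDR ranges."""
    for pattern in patterns:
        if "/" in pattern:
            try:
                if ipaddress.ip_address(dest) in ipaddress.ip_network(pattern):
                    return True
            except ValueError:  # dest is a hostname, not an IP address
                continue
        elif fnmatch(dest, pattern):
            return True
    return False

def route(dest, profiles, bypass=()):
    """Return 'gsa', 'zscaler' or 'direct' for one destination.
    A bypass entry keeps both clients out of the flow (simplified); otherwise
    traffic of a disabled GSA profile falls through to the Zscaler client."""
    if matches(dest, bypass):
        return "direct"
    if matches(dest, M365_DESTINATIONS):
        return "gsa" if profiles["m365"] else "zscaler"
    if matches(dest, PRIVATE_APPS):
        return "gsa" if profiles["private"] else "zscaler"
    return "gsa" if profiles["internet"] else "zscaler"

def coexistence_plan(scenario, destinations):
    """Map each destination to its client, to review a plan before rollout."""
    return {d: route(d, scenario) for d in destinations}
```

Running coexistence_plan() over a list of known destinations for each scenario shows at a glance whether a flow would be captured twice or by the wrong client before either agent is deployed.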
Why Coexistence Matters
Enterprises often have existing Zscaler investments. Coexistence avoids disruption while enabling a gradual transition to Microsoft’s identity-centric SSE model. It also allows you to optimize routing for Microsoft workloads while maintaining Zscaler’s inspection for other traffic.
Extended Comparison Analysis
🚀 Deployment Complexity
- Entra GSA: Uses existing Entra ID infrastructure
- Zscaler: Requires connector appliances and separate policy configuration
⚡ Performance
- Entra GSA: Leverages Microsoft's global edge with optimized routing
- Zscaler: Uses its own PoPs, which may add latency for Microsoft workloads
💰 Cost
- Entra GSA: Included in Microsoft E5 or Security add-ons
- Zscaler: Separate subscription, often doubling cost for enterprises already on Microsoft