Free tool · 5 minutes · Microsoft Entra SSE
Microsoft Global Secure Access consolidates VPN, SWG and CASB into an Entra-native stack. Score whether your tenant has the identity, endpoint and operating foundations to make the consolidation pay back. Twelve questions, one PDF, no signup.
12 questions · 4 domains
Score your tenant's readiness to consolidate Internet Access and Private Access onto Microsoft Global Secure Access. Pick the option closest to your current state.
Domain 1
Entra ID tier, MFA posture, and Conditional Access baseline. GSA policies are Conditional Access policies — without the CA foundation, nothing else lands.
What Entra ID tier is the tenant on?
Source: Microsoft Learn: Global Secure Access licensing prerequisites.
What is the tenant's MFA posture?
Source: Microsoft Learn: Conditional Access — Require multi-factor authentication; ASD ISM.
How many Conditional Access policies are running in production?
Source: Microsoft Learn: Conditional Access deployment guide; CIS M365 Benchmark.
Domain 2
Current VPN and SWG estate, on-prem app inventory, and the consolidation TCO that determines whether GSA pays back.
What does the current remote access estate look like?
Source: Microsoft Learn: Migrate from VPN to Microsoft Entra Private Access.
What handles internet-bound web traffic from corporate devices today?
Source: Microsoft Learn: Microsoft Entra Internet Access deployment guide.
What proportion of business-critical apps are still on-prem or in private network?
Source: Microsoft Learn: Entra Private Access app configuration.
Domain 3
Intune enrolment coverage, device compliance policies, and OS mix. GSA's agent deploys via Intune; non-managed devices can't run it.
What proportion of corporate devices are enrolled in Intune?
Source: Microsoft Learn: Manage Global Secure Access clients via Microsoft Intune.
Are device compliance policies in use as a Conditional Access gate?
Source: Microsoft Learn: Require compliant device — Conditional Access.
What's the OS mix on managed devices?
Source: Microsoft Learn: Global Secure Access client requirements.
Domain 4
Entra Suite or standalone licensing, monitoring stack, and who runs network security day-to-day.
Is Entra Suite licensing in scope, or just GSA standalone?
Source: Microsoft Learn: Microsoft Entra Suite licensing.
Is Microsoft Sentinel or another SIEM in production?
Source: Microsoft Learn: Global Secure Access logs in Sentinel.
Who runs network security operations day-to-day?
Source: Frontrow Technology — Australian MSP operating-model patterns.
Indicative self-assessment only. For a verified result Frontrow Technology runs an in-tenant Global Secure Access readiness audit against the customer's Entra ID, Intune and network topology.
What the assessment covers
Domain 1
Global Secure Access policies are evaluated through Conditional Access. If the tenant has fewer than the recommended baseline of CA policies in place, GSA enforcement will fail open or produce inconsistent results. Entra ID P1 minimum, P2 recommended (especially for Identity Protection signals feeding Conditional Access). Phishing-resistant MFA via Windows Hello or FIDO2 is the strongest pairing with GSA.
Domain 2
GSA is a consolidation play. The maths only stacks up if there's a paid VPN or SWG/CASB spend to displace. Tenants with a mature Zscaler ZIA + ZPA deployment have the most to weigh — feature parity, not cost, is the question. Tenants on legacy VPN appliances and no SWG are the easiest GSA wins. App estate matters because Private Access replaces VPN access app-by-app, not network-segment-by-segment.
Domain 3
The GSA client deploys as an Intune app to Windows and macOS devices. Devices not enrolled in Intune cannot run the agent — they revert to the legacy network path, which defeats the consolidation. Tenants with high Intune enrolment and active device-compliance policies in CA are ready; tenants with mixed BYOD or low enrolment need to close the endpoint gap before GSA.
Domain 4
GSA is sold standalone per-user-per-month or bundled in the Entra Suite (with Entra ID Governance, Verified ID, Permissions Management). Most AU mid-market buyers consolidating away from a paid SSE spend land on the Suite. Operationally, GSA logs land in Sentinel via the Entra connector — tenants without Sentinel or another SIEM lose the observability that justifies the consolidation.
Frequently asked questions
Microsoft Global Secure Access (GSA) is Microsoft's Security Service Edge platform — the bundle of Entra-native network security capabilities Microsoft has built since 2023. It includes Entra Internet Access (a Secure Web Gateway) and Entra Private Access (a Zero Trust Network Access replacement for VPN). The agent deploys via Intune to Windows and macOS devices; policies are Conditional Access policies.
Four domains: identity foundation (Entra ID tier, MFA, Conditional Access baseline), network and connectivity (VPN estate, SWG estate, on-prem app inventory), endpoint readiness (Intune enrolment, compliance policies, OS mix), and licensing plus operating model (Entra Suite, Sentinel monitoring, who runs network security). 12 questions, 5 minutes, traffic-light scoring per domain.
Three cases. First, consolidation: you're paying for Zscaler ZIA, ZPA, Cisco Umbrella, Cloudflare Access, Netskope or a legacy VPN appliance and want to displace that spend with Microsoft. Second, modernisation: you have legacy VPN and no SWG and need to move to Zero Trust without buying a new platform. Third, identity-led network security: you're already on Entra ID P2 and want Conditional Access to extend natively to network access. Tenants on Entra ID Free with no current SWG are the least ready.
Entra Internet Access displaces cloud SWGs (Zscaler ZIA, Cisco Umbrella, Netskope, Cloudflare Gateway). Entra Private Access displaces VPN appliances (Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet) and ZTNA platforms (Zscaler ZPA, Cloudflare Access). It does not yet replace mature DLP-on-egress, full CASB, or advanced threat-prevention layers — those still need pairing with Microsoft Defender for Cloud Apps and Defender for Endpoint.
GSA is sold per-user-per-month either standalone (Entra Internet Access and Entra Private Access as separate SKUs) or bundled in the Microsoft Entra Suite (which also includes Entra ID Governance, Entra Verified ID and Entra Permissions Management). Microsoft list pricing is roughly USD $5–10 per user per month for individual modules; AUD pricing follows roughly 1.5x USD list. The Entra Suite is the better maths for tenants already on Entra ID P2 stacking multiple Suite modules.
Entra ID P1 is the hard floor. P2 isn't strictly required, but the value of GSA lifts materially with P2 because Identity Protection signals feed Conditional Access decisions on GSA-protected access. For mature deployments, P2 across the user base is the norm.
Three-phase: identity uplift first (Entra ID P1 minimum, Microsoft 10-policy Conditional Access baseline in place, Intune enrolment above 70%). Pilot second: 20-seat group running Entra Internet Access in audit-mode for two weeks, traffic-inspection logs sent to Sentinel, then enforce. Migrate third: replace one critical VPN-protected app with Entra Private Access, validate latency from each AU capital, then expand app-by-app. Don't migrate a whole Zscaler estate in one cutover — it always finds a break-glass app no one had documented.
Every scoring threshold cites a primary source: Microsoft Learn Global Secure Access deployment guide, ASD Information Security Manual, and the CIS Microsoft 365 Foundations Benchmark. The methodology is authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant).
