Hanna Korotka

How to Protect Your Microsoft 365 Environment with Global Secure Access: A Step-by-Step Guide for IT Admins

Protect Your Microsoft 365 Environment with Global Secure Access

As Microsoft continues to innovate its cloud security offerings, Global Secure Access (GSA) has emerged as a pivotal solution to secure remote work environments. This guide walks you through setting up Global Secure Access for Microsoft 365, ensuring your organization leverages the full power of Microsoft's Secure Service Edge (SSE) and Conditional Access policies.


What Is Global Secure Access?


Global Secure Access is Microsoft's Secure Service Edge (SSE) solution. It safeguards user and app traffic across hybrid and multi-cloud environments, focusing on Zero Trust principles. It includes features like ZTNA (Zero Trust Network Access), Secure Web Gateway (SWG), and Remote App Access.


Think of it as an advanced layer of security that protects your data, users, and apps—no matter where they are.


Why Set Up GSA for Microsoft 365?


With Microsoft Entra Internet Access for Microsoft Traffic, you can:

  • Manage and orchestrate access policies for employees, business partners, and digital workloads.

  • Continuously monitor and adjust user access in real time based on permissions or risk levels.

  • Secure access to private apps, SaaS apps, and Microsoft endpoints seamlessly.


This solution prioritizes Zero Trust principles, protecting your data, users, and apps wherever they operate.


Prerequisites Before You Begin


  1. Microsoft Entra ID P1 or Microsoft Entra ID P2 license.

  2. Windows client device: Windows 10/11 64-bit version; Microsoft Entra joined or hybrid joined; connected to the Internet, with no corpnet access or VPN.

  3. To configure GSA: Global Secure Access Administrator and Application Administrator roles.

  4. To configure the Conditional Access policy: Conditional Access Administrator, Security Administrator, or Global Administrator.


Step 1: Activating Global Secure Access in your tenant


  1. Open the Microsoft Entra admin center.

  2. Go to Global Secure Access > Dashboard > Activate Global Secure Access in your tenant. Select Activate to enable SSE features in your tenant.

Activate Global Secure Access in your tenant

Step 2: Enabling the Microsoft traffic forwarding profile


Go to Global Secure Access > Connect > Traffic forwarding > Turn on the Microsoft traffic profile.

Turn on the Microsoft traffic profile

Step 3: Downloading the Global Secure Access Client


In the Microsoft Entra admin center, go to Global Secure Access > Connect > Client download.

Downloading the Global Secure Access Client

Step 4: Deploying the Global Secure Access Client


Automated installation

The best method for deploying the client is as a Win32 app via Microsoft Intune.

  1. Package the installation file (GlobalSecureAccessClient.exe) as an .intunewin file using the Microsoft Intune Win32 App Packaging Tool.

  2. In the Intune admin center, add a Windows app (Win32). The installation and uninstallation commands and the detection rule are shown in the images below.

Deploying the Global Secure Access Client via Intune
  3. On the Assignments page, configure the assignment to deploy the Global Secure Access client and click Next.

  4. On the Review + create page, verify the provided configuration and click Create.


Manual installation

To manually install the Global Secure Access client:

  1. Run the GlobalSecureAccessClient.exe setup file. Accept the software license terms.

  2. The client installs and silently signs you in with your Microsoft Entra credentials. If the silent sign-in fails, the installer prompts you to sign in manually.

  3. Sign in. The connection icon turns green.

  4. Hover over the connection icon to open the client status notification, which should show as Connected.

Global Secure Access client

Step 5: Enabling Global Secure Access signaling


Go to Global Secure Access > Connect > Settings > Session management > Adaptive Access and turn on Enable Global Secure Access signaling in Conditional Access.

Enable Global Secure Access signaling in Conditional Access

Step 6: Enforcing the Global Secure Access client for Windows


Create a Conditional Access policy that requires GSA to be enabled for access.

  • Users: Specify users

  • Target resources: Select Office 365, so that access to it is blocked when GSA is not running.

  • Conditions:

    Locations: Include Any location, Exclude Selected locations – All Compliant Network locations (GSA client network traffic)

    Device platforms: Include Select device platforms – Windows

  • Access Controls

    Grant: Block access

  • Enable Policy: ON
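
The same policy expressed through Microsoft Graph PowerShell, as an added example that is not part of the original guide. It assumes the Microsoft.Graph module is installed, that the compliant network location is listed under the display name shown in the portal, and that the in-scope users sit in a group whose object ID you pass as the hypothetical `TargetGroupId` parameter; the policy display name is constructed.

```powershell
# Added example, not from the original guide. Requires the Microsoft.Graph module.
param(
    # Hypothetical placeholder: object ID of the group holding the users in scope.
    [Parameter(Mandatory)] [string] $TargetGroupId
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# The compliant network location exists only after Step 5 (GSA signaling) is on.
# Assumption: it is returned under the display name the portal shows.
$compliant = Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.DisplayName -eq 'All Compliant Network locations' } |
    Select-Object -First 1
if (-not $compliant) {
    throw 'Compliant network location not found. Enable GSA signaling (Step 5) first.'
}

$policy = @{
    displayName   = 'Block Office 365 on Windows outside GSA'  # constructed name
    state         = 'enabled'  # 'enabledForReportingButNotDisabled' is report-only
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeGroups = @($TargetGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('windows') }
        locations      = @{
            includeLocations = @('All')              # Any location
            excludeLocations = @($compliant.Id)      # traffic arriving through GSA
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'{0} ({1}) state={2}' -f $created.DisplayName, $created.Id, $created.State
```

Because the grant control is a block, the script stops if the compliant network location is missing rather than creating a policy with no exclusion, which would block every Windows sign-in to Office 365 for the targeted group.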


End-user Experience


When a user specified in the Conditional Access policy attempts to access a targeted Microsoft 365 resource without a running GSA client, they will be denied access. A message will display, explaining the restriction: "You cannot access this right now". To restore access, the user simply needs to reconnect or activate the GSA client.


Setting up Global Secure Access for Microsoft 365 might seem daunting, but the benefits far outweigh the initial effort. Enhanced security, streamlined access, and a Zero Trust architecture empower your organization to adapt to evolving cyber threats while ensuring productivity.


As a Microsoft admin, you hold the keys to a secure and efficient workplace. By following these steps, you can safeguard your organization’s Microsoft 365 environment and lead the charge toward a resilient, cloud-first future.


Ready to take the next step? Schedule a call with our experts using the button below to discover how we can tailor solutions to protect your business from evolving threats while optimizing your technology strategy.


