Introducing Microsoft Entra Private Access and Microsoft Entra Internet Access

On July 11th, Microsoft came out with some pretty big announcements. Besides the name change of Azure AD to Microsoft Entra ID, they also announced two products: Microsoft Entra Private Access and Microsoft Entra Internet Access. Both products focus on endpoint network connectivity, a part of the IT market that Microsoft had not ventured into. 

With these announcements, Microsoft debuts in the ‘Security Service Edge’ market. Security Service Edge, or SSE for short, is all about secure and private access for end-users. The main question I see people asking is what gap Microsoft is trying to cover and whether they have the right technology to close that gap. 

Microsoft Entra Private Access 

Entra Private Access aims to remove the dependency on legacy VPN solutions. While customers are moving to a cloud-only environment (with Teams, Share, and Azure AD-joined devices), legacy solutions remain in place. Most organizations live in a hybrid world, with an on-premises hosted file server, an old CRM system, or some accounting software. To access those applications, Microsoft introduced the ‘Azure Application Proxy,’ which allows you to securely publish internal web applications to the cloud. The main disadvantage of Application Proxy is that it only works for web applications. This is the gap that Entra Private Access is trying to cover. 

Microsoft boasts that Entra Private Access can publish any application using any legacy protocol securely over the internet. A great example is access to file shares. Using Private Access, an end-user can access an on-premises file share over the internet while still being protected by multifactor authentication and OAuth 2.0 authentication. 

This is achieved by the ‘Global Secure Access Client,’ which must be installed on every endpoint. This is essentially a VPN client, allowing the end-user to connect to the on-premises network. These clients will connect to a connector installed on a Windows Server. During the preview, the client is only available on Windows 10 or 11 devices that are (Hybrid) Azure AD Joined. 

In the past, this issue was solved by using a VPN client. Most modern firewalls have built-in functionality which allows for the same connectivity. This makes you wonder what kind of organization Microsoft is targeting. If an organization is completely transitioned to the cloud, it doesn’t need a firewall or any sort of VPN connectivity. If they are in a hybrid environment, they likely have already deployed an on-premises VPN solution included in their firewall license.  

The main benefit Microsoft has is the native integration into the entire ecosystem. From day 1, Entra Private Access supports integration into Conditional Access to require compliant devices and MFA. It can be configured using a simple cloud-based portal, the Entra portal. Entra also boasts granular access, where you can enable access to all applications or enable per-app access.  
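To make the Conditional Access integration concrete, here is an added example (written for this article's discussion, not code from Microsoft or the author) that builds a policy body in the Microsoft Graph conditionalAccessPolicy schema scoped to a single published application, requiring both MFA and a compliant device, and then checks that the policy actually enforces both. The application and group IDs are placeholders; the field names (`state`, `conditions`, `grantControls`, `builtInControls`) are the Graph schema's own.

```python
"""Added example: a Conditional Access policy for an Entra Private Access
published application, plus a defender-side check that it really enforces
MFA AND a compliant device (not one or the other, and not report-only)."""

import json

# Placeholder identifiers (assumptions for the example, not values from the article).
PRIVATE_ACCESS_APP_ID = "00000000-0000-0000-0000-000000000001"   # hypothetical app object
FILE_SHARE_USERS_GROUP = "00000000-0000-0000-0000-000000000002"  # hypothetical group


def build_private_access_policy(app_id: str, group_id: str, enforce: bool = True) -> dict:
    """Return a policy body in the Graph conditionalAccessPolicy schema that
    grants access to one published application only with MFA and a compliant device."""
    return {
        "displayName": "Private Access: file share requires MFA + compliant device",
        # Report-only mode logs the evaluation but never blocks anything.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [app_id]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            # AND: the user must satisfy every listed control, not just one.
            "operator": "AND",
            "builtInControls": ["mfa", "compliantDevice"],
        },
    }


def enforces_mfa_and_compliance(policy: dict) -> bool:
    """Check a policy body for the three usual gaps: report-only state,
    a missing control, or an OR operator that lets a single control suffice."""
    if policy.get("state") != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if not {"mfa", "compliantDevice"} <= controls:
        return False
    if len(controls) > 1 and grant.get("operator") != "AND":
        return False
    return True


def weak_variant(policy: dict) -> dict:
    """Copy of the policy with operator OR: MFA *or* a compliant device would pass."""
    weak = json.loads(json.dumps(policy))
    weak["grantControls"]["operator"] = "OR"
    return weak


if __name__ == "__main__":
    strong = build_private_access_policy(PRIVATE_ACCESS_APP_ID, FILE_SHARE_USERS_GROUP)
    print(json.dumps(strong, indent=2))
    print("strong policy enforces both:", enforces_mfa_and_compliance(strong))
    print("OR variant enforces both:", enforces_mfa_and_compliance(weak_variant(strong)))
    print("report-only enforces both:", enforces_mfa_and_compliance(
        build_private_access_policy(PRIVATE_ACCESS_APP_ID, FILE_SHARE_USERS_GROUP, enforce=False)))
```

The same check can be run over policies exported from a tenant, since it only inspects the JSON body; the point is that "MFA and compliant device" in a portal checkbox is only enforced when the state is enabled and the grant operator is AND.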

This is the type of product that will take a while to take off. Organizations will have contracts for current solutions in place, and a lot will depend on the pricing Microsoft attaches to this product. While the preview runs, it is available within an Entra ID Premium 1 license (AAD P1). But given Microsoft’s history of adding new features outside of the bundle, I am not getting my hopes up that this license requirement will stay at P1. 

Microsoft Entra Internet Access 

Entra Internet Access is a Secure Web Gateway aiming to add additional protection mechanisms for all internet traffic on end-user devices. Organizations typically deploy firewalls in the on-premises network, which contain features such as SSL Inspection and Intrusion Prevention Systems to identify malicious behavior. By moving into a cloud-first world where end-users work remotely, they are no longer secured by traditional firewalls. This gap was previously covered by products like Zscaler, a cloud-based proxy with a client installed on all endpoints. 

It is a common misconception that Microsoft Defender for Endpoint is a proxy, but that is far from true. Microsoft Defender for Endpoint is an EDR that also monitors network connectivity. It does not provide detailed logging nor some of the advanced features a proxy like Zscaler has. This is where Entra Internet Access comes in. 

Entra Internet Access relies on the same ‘Global Secure Access Client’ that Entra Private Access uses. If configured, all internet connections will be made over Microsoft’s Secure Web Gateway, where additional detections and logging are in place. If a malicious connection is identified, that connection will be blocked. 

There are several advantages Microsoft has with Entra Internet Access:

  • There is tight integration into the Microsoft 365 eco-system. Traffic to Microsoft 365 is said to be more secure and integrated without any delay. 
  • By using Conditional Access, you have granular control over what restrictions must be implemented. 
  • Entra Internet Access has ‘Tenant Restrictions’ built-in. This allows a tenant admin to block access to any tenant except their own. This is an ask I often get from Departments of Defense or financial institutions who want to avoid data leakage to other Microsoft tenants. By using Tenant Restrictions, you ensure only your tenant is available. 

It is important to note that the current preview only supports secure access to Microsoft 365. Secure access for all internet traffic will be available later this year. This also explains why there is so little information available. Mature products such as Zscaler have advanced features such as browser extension scanning, blocking of vulnerable browser versions, and browser isolation. These features likely won’t be in Microsoft’s finished product at first, so Microsoft will probably have some catching up to do.

Can Microsoft Prosper in the Security Service Edge Market?

Now that Microsoft is in the Security Service Edge market, I wonder how customers will react. Even when we are talking about Microsoft Security, some customers say they ‘Don’t want to put all their eggs into one basket,’ meaning they don’t want to rely on Microsoft for everything. The same will be true for these two products. Microsoft must prove itself and develop a strong feature set and a competitive price. The two products fill a gap in Microsoft’s product line, but it may take a while before organizations adopt them.  

About the Author

Thijs Lecomte

Thijs is a security consultant from Belgium, working at The Collective, an MSSP with a Microsoft-focused Security Operations Center. His work consists of leading the SOC team and implementing Microsoft Security solutions (such as Microsoft Sentinel and Defender) as a consultant. He is an MVP in the Security category and a regular speaker at events and user groups. His best-known publication is as co-author of the 'Microsoft 365 Security for the IT Pro' ebook.

Comments

  1. Veshant

    I agree, they need to support Linux, Mac, Android, iOS and Windows at the minimum for us to adopt it. It’s great that they support IPSec, but the client support needs to be there too.

  2. Jeroen Huylebroeck

    If Microsoft succeeds in making it multi-platform and multi-purpose, I think they have a shot at this. If not, it’ll be a tough call.

    Thanks for explaining in a concise and clear manner, Thijs! This makes it easy to wrap my head around and a great place to point customers to!

  3. Jon Jones

    Entra Private Access is a dead duck. Firstly, supplying a Windows-only client is useless in today’s modern client-agnostic environment. Where are the macOS, iOS, Android & Linux clients? If MS aren’t supplying those clients, companies are going to have to use another product to support those. Why should a company use two products when one does the whole job?

    The other point MS are missing is that many vendors support SSL VPNs. Sure, they don’t cover every use case, but they’re a lot easier to deploy. (i.e. There are no clients to deploy as it’s all done via a browser)