VPNs solved a real problem for a long time. They extended the corporate network to the employee, usually by placing a trusted tunnel on an unmanaged home network and hoping device posture and user behaviour stayed predictable.
Hybrid work has made that model creak. Users roam between home, office, customer sites, and mobile networks. Applications live across Azure, SaaS, and on-premises. Attackers have become faster at exploiting stolen credentials, legacy authentication, and flat network access.
Microsoft Entra Global Secure Access is a strong signal of where access is heading. It shifts the conversation from network perimeter access to identity-led access, with controls that are easier to standardise across locations and devices. Global Secure Access brings together Microsoft Entra Internet Access and Microsoft Entra Private Access as Microsoft Security Service Edge capabilities, managed through a unified experience. (learn.microsoft.com)
Why the VPN model struggles in hybrid environments
A typical VPN rollout creates three persistent operational issues.
First, it increases implicit trust. Once a user is on the VPN, they often gain broad reachability to internal networks, even if the intention is only to access a small set of applications.
Second, it is a user experience tax. Clients break after operating system updates, split tunnelling decisions confuse teams, and performance varies wildly when backhauling traffic.
Third, it scales poorly during change. Mergers, new sites, and cloud migrations force you to constantly rework routing, firewall rules, and concentrator capacity, just when the business wants fast onboarding.
These weaknesses are not simply annoying. They create conditions for excessive privilege and lateral movement, and they consume help desk time that should be spent on proactive security improvements.
What Entra Global Secure Access changes, in practical terms
Entra Global Secure Access is designed to make access policy the centre of gravity rather than network reachability. It uses traffic-forwarding profiles and cloud-delivered controls to steer user traffic to Microsoft Security Service Edge infrastructure, rather than relying on a traditional VPN concentrator as the single chokepoint. (learn.microsoft.com)
In most environments, the most meaningful shift is how you approach private application access.
Instead of putting the user on the network, Entra Private Access is positioned as a secure way to access internal resources without requiring a VPN. (learn.microsoft.com)
That difference sounds subtle. Operationally, it changes everything.
Moving from network access to application access with Entra Private Access
When teams discuss replacing VPNs, they often focus on the client side. The more important change is the unit of access.
With Entra Private Access, you can target private resources and control access using a Quick Access application, which is supported by a private network connector. (learn.microsoft.com)
That leads to two outcomes security leaders care about:
Reduced blast radius
Access is oriented around defined resources rather than a broad internal address space.
Cleaner governance
It becomes easier to reason about who can reach what, and why.
Quick access to FQDNs and IP addresses without the usual VPN friction
A common VPN complaint is that users do not know which resources require a tunnel, or they connect the VPN “just in case” and keep it on all day.
Quick Access is explicitly designed to make private resource access feel immediate once the Global Secure Access client is installed and routing is configured. (learn.microsoft.com)
In practice, this is where user experience improves.
- Users stop juggling between on and off VPN states
- Internal applications feel more consistent across networks
- IT can standardise access patterns even when users travel or work from home
If you are trying to win executive support for a VPN exit, this is one of the most measurable areas, as it directly translates into fewer “cannot access internal app” tickets.
Enforcing MFA on legacy protocols, without breaking the business
Many organisations still have pockets of legacy authentication in surprising places. Think older mail clients, automation scripts, or applications that never adopted modern auth patterns.
Legacy authentication is consistently abused because it can bypass modern controls when not managed carefully, and it remains a recurring security theme in Microsoft 365 and Entra ID guidance. (dl.managed-protection.com)
Microsoft has also been raising the bar on MFA enforcement in Entra, and guidance around mandatory MFA continues to evolve. (learn.microsoft.com)
A practical approach during a VPN to Global Secure Access transition looks like this:
- Discover legacy authentication usage
  Use sign-in logs to identify legacy protocols and the user or workload accounts behind them.
- Segment by risk and business criticality
  Separate genuine operational dependencies from convenience usage.
- Apply Conditional Access decisions deliberately
  Where possible, require MFA and modern auth. Where not possible, isolate and constrain, then plan remediation.
- Communicate timelines using dates
  Legacy control patterns and “old portals” tend to linger until teams give owners a clear deadline and an approved alternative.
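The discovery, segmentation and Conditional Access steps above, worked through in Python as an added example (this is not Microsoft's code and not from the original article). It assumes sign-in records already exported from the Entra sign-in logs, with field names taken from the Microsoft Graph signIn resource; the sample records, the contoso.example accounts, the object ID mapping and the automation threshold are constructed placeholders, and the segmentation rules are a heuristic starting point rather than a Microsoft definition. The policy body follows the Graph v1.0 conditionalAccessPolicy schema and is generated in report-only state so it can be evaluated against real traffic before enforcement.

```python
"""Legacy-authentication discovery, segmentation and a staged block policy.

Added example, not Microsoft's code. The sign-in records below are
constructed to resemble Entra ID sign-in log entries (field names follow
the Microsoft Graph signIn resource: userPrincipalName, appDisplayName,
clientAppUsed, ipAddress, createdDateTime); the accounts and object IDs
are placeholders. The segmentation rules are a heuristic, not a Microsoft
definition.
"""
from collections import defaultdict

# Microsoft's sign-in reports treat every client app other than these two
# as legacy authentication. Equivalent KQL against the SigninLogs table:
#   SigninLogs | where ClientAppUsed !in ("Browser", "Mobile Apps and Desktop clients")
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Heuristic (assumption): a single source IP and repeated legacy sign-ins with
# no modern sign-ins at all looks like a device or script, not a person.
MIN_AUTOMATION_SIGNINS = 3

EXO = "Office 365 Exchange Online"


def _signin(upn, client_app, ip, when, app=EXO):
    return {"userPrincipalName": upn, "appDisplayName": app,
            "clientAppUsed": client_app, "ipAddress": ip, "createdDateTime": when}


# Constructed sample sign-ins (not real tenant data).
SAMPLE_SIGNINS = [
    # alice reaches the same app with modern auth and with IMAP: convenience use
    _signin("alice@contoso.example", "Browser", "203.0.113.10", "2024-03-04T08:01:00Z"),
    _signin("alice@contoso.example", "IMAP4", "203.0.113.10", "2024-03-04T08:03:00Z"),
    # bob only ever appears over Exchange ActiveSync, from two networks: an old mail client
    _signin("bob@contoso.example", "Exchange ActiveSync", "198.51.100.7", "2024-03-04T07:30:00Z"),
    _signin("bob@contoso.example", "Exchange ActiveSync", "192.0.2.44", "2024-03-05T07:31:00Z"),
    # carol is modern-only and must not appear in the findings
    _signin("carol@contoso.example", "Mobile Apps and Desktop clients", "203.0.113.12", "2024-03-04T09:00:00Z"),
] + [
    # svc-scanner: a device relaying mail over authenticated SMTP from one fixed address, daily
    _signin("svc-scanner@contoso.example", "Authenticated SMTP", "192.0.2.25", f"2024-03-0{d}T02:00:00Z")
    for d in range(1, 5)
]


def classify_legacy_usage(signins):
    """Group sign-ins per account and label each account that used legacy auth.

    Labels: 'convenience' (the same app is also reached with modern auth),
    'operational-dependency' (legacy-only, single IP, repeated: likely a
    device or script), 'legacy-only-user' (everything else)."""
    per_account = defaultdict(lambda: {"legacy": [], "modern": []})
    for s in signins:
        bucket = "modern" if s["clientAppUsed"] in MODERN_CLIENT_APPS else "legacy"
        per_account[s["userPrincipalName"]][bucket].append(s)

    findings = {}
    for upn, b in per_account.items():
        if not b["legacy"]:
            continue
        legacy_apps = {s["appDisplayName"] for s in b["legacy"]}
        modern_apps = {s["appDisplayName"] for s in b["modern"]}
        source_ips = {s["ipAddress"] for s in b["legacy"]}
        if legacy_apps & modern_apps:
            category = "convenience"
        elif not b["modern"] and len(source_ips) == 1 and len(b["legacy"]) >= MIN_AUTOMATION_SIGNINS:
            category = "operational-dependency"
        else:
            category = "legacy-only-user"
        findings[upn] = {
            "category": category,
            "protocols": sorted({s["clientAppUsed"] for s in b["legacy"]}),
            "source_ips": sorted(source_ips),
            "legacy_signins": len(b["legacy"]),
        }
    return findings


def block_legacy_auth_policy(findings, object_ids, report_only=True):
    """Request body for POST /identity/conditionalAccess/policies (Graph v1.0).

    Legacy protocols map to the clientAppTypes values 'exchangeActiveSync'
    and 'other'. Accounts classified as operational dependencies are excluded
    so the policy can be rolled out without breaking them; each then needs
    its own constraining policy and a remediation date."""
    excluded = [object_ids[upn] for upn, f in findings.items()
                if f["category"] == "operational-dependency"]
    return {
        "displayName": "Block legacy authentication (staged rollout)",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": excluded},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Placeholder object IDs; in a real tenant these come from the user objects.
OBJECT_IDS = {"svc-scanner@contoso.example": "00000000-0000-0000-0000-000000000001"}

if __name__ == "__main__":
    findings = classify_legacy_usage(SAMPLE_SIGNINS)
    for upn, f in findings.items():
        print(f"{upn}: {f['category']} via {', '.join(f['protocols'])} from {', '.join(f['source_ips'])}")
    print(block_legacy_auth_policy(findings, OBJECT_IDS))
```

Run it directly to print the findings and the policy body. Accounts labelled as operational dependencies are kept out of the block policy so it can be enabled without breaking them, but each one then needs its own constraining policy (for example, limiting the account to its known source location) and a remediation date, which is the isolate-and-constrain step above.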
Case study one: reducing help desk tickets by removing client dependency
This anonymised case is a composite of common enterprise patterns, shared to illustrate what to measure.
A UK-based professional services firm with 1800 staff had a VPN client dependency for three core internal applications.
Before
- Users opened the VPN for any internal task, even when it was not required
- The help desk received frequent tickets after endpoint updates
- Access failures were hard to diagnose because the problem could be DNS, split tunnelling, or the concentrator
Transition approach
- Pilot Entra Global Secure Access with Entra Private Access for a defined user group
- Publish private resources via Quick Access so users can reach internal apps predictably (learn.microsoft.com)
- Keep VPN temporarily for edge cases, but set an application-by-application retirement plan
Results observed over eight weeks
- A noticeable drop in VPN client-related tickets, particularly after Patch Tuesday style endpoint changes
- Faster onboarding for new starters because access was tied to identity group membership rather than manual VPN profile configuration
The key measurement was not “VPN removed”. It was “incidents avoided” and “time to restore access” when something went wrong.
Case study two: faster policy integration during a merger
This anonymised case is also a composite, focused on mergers and acquisitions reality.
A manufacturing organisation acquired a smaller business with a separate Active Directory and a mix of on-premises apps.
Challenge
The security team needed to grant access to a small set of internal resources quickly, without opening broad network reachability or rushing complex network integration.
Transition approach
- Use Entra Private Access patterns to publish defined private resources rather than extending network access (learn.microsoft.com)
- Standardise MFA expectations early, using Entra ID controls and updated MFA guidance to avoid inheriting weak admin practices (learn.microsoft.com)
- Treat application access policies as integration artefacts that could be reviewed and audited
Results observed over the first month
- Faster access policy alignment than traditional network-based integration
- Reduced pressure on network teams to rush routing and firewall changes simply to enable day-one productivity
The security win here was governance. Leadership could clearly see which applications were exposed, to whom, and under what conditions.
Planning the transition: a security first checklist
A successful VPN exit is rarely a single project. It is a controlled sequence of migrations that must keep productivity steady while improving assurance.
Use this checklist to reduce surprises.
Define your target state in plain language
Write a one-page statement answering:
- Which private apps will be reachable through Entra Private Access
- Which internet and SaaS traffic do you want to govern through Entra Internet Access
- Which users, devices, and locations are in scope first
Avoid technical jargon in this document. Your executive sponsor should understand it in two minutes.
Start with a pilot that represents real complexity
Your pilot should include:
- At least one legacy internal app
- At least one remote-heavy team
- At least one group that frequently travels
Then measure experience, not just control coverage.
Treat identity hygiene as a dependency
If your identity environment is messy, access transformation will expose it.
Prioritise:
- MFA readiness and enforced coverage, especially for privileged roles (learn.microsoft.com)
- Inventory of service accounts and non-human identities
- Clear Conditional Access standards and ownership
Operational impact on the SOC and why it matters
When you shift away from VPN, you also shift what “normal” looks like in your logs.
Expect changes in:
- Sign-in patterns
- Device and location signals
- Network flow assumptions
- Alert tuning, especially for impossible travel, unfamiliar sign-ins, and legacy auth detections
This is where SOC automation becomes a force multiplier. Whether you use Microsoft native tooling or additional platforms, the goal is the same: triage alerts faster, reduce false positives, and guide analysts through consistent investigation steps.
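To make the re-baselining point concrete, here is an added example (not the article's and not any vendor's detection logic) of a simple “unfamiliar location” rule run over constructed sign-in records. Before the cutover every user egresses through the VPN concentrator's public address; afterwards they appear from their own networks. The /24 grouping, the one-week learning window and all IP addresses and dates are assumptions made for the example.

```python
"""Re-baselining an "unfamiliar location" style detection after a VPN exit.

Added example, not Microsoft's or any vendor's detection logic. All sign-in
records are constructed: before the cutover every user arrives via the VPN
egress address, afterwards from their own networks, so a baseline learned
before the cutover fires on nearly every post-cutover sign-in.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

VPN_EGRESS = "198.51.100.5"      # constructed: the concentrator's public address
CUTOVER = datetime(2024, 6, 1)   # constructed: day the VPN was retired for this group


def _day(offset):
    """ISO timestamp `offset` days relative to the cutover (for constructed records)."""
    return (CUTOVER + timedelta(days=offset)).isoformat() + "Z"


def _parse(ts):
    return datetime.fromisoformat(ts.rstrip("Z"))


def _prefix(ip):
    """Collapse a source IP to its /24 so small ISP address churn is not 'new'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


# Constructed sign-ins: user, source IP, time.
SAMPLE_SIGNINS = (
    # Before the cutover everyone arrives via the VPN egress address.
    [{"user": u, "ipAddress": VPN_EGRESS, "createdDateTime": _day(-d)}
     for d in (10, 5, 2) for u in ("alice", "bob")]
    # After it, each user shows up from their own home network.
    + [{"user": "alice", "ipAddress": "203.0.113.40", "createdDateTime": _day(d)} for d in (1, 2, 3, 9, 12)]
    + [{"user": "bob", "ipAddress": "192.0.2.77", "createdDateTime": _day(d)} for d in (1, 3, 8, 11)]
    # One sign-in from a network bob has never used: the alert worth keeping.
    + [{"user": "bob", "ipAddress": "203.0.113.200", "createdDateTime": _day(10)}]
)


def unfamiliar_location_alerts(signins, learn_until):
    """Alert on every sign-in at or after `learn_until` whose (user, /24) pair
    was not seen before `learn_until`. Fixed learning window, like a naive
    analytic rule that is never retrained."""
    baseline = defaultdict(set)
    alerts = []
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        key = _prefix(s["ipAddress"])
        if _parse(s["createdDateTime"]) < learn_until:
            baseline[s["user"]].add(key)
        elif key not in baseline[s["user"]]:
            alerts.append((s["user"], s["ipAddress"], s["createdDateTime"]))
    return alerts


def compare_baselines(signins, cutover=CUTOVER, relearn_days=7):
    """Alert volume with a baseline frozen at the cutover versus one relearned
    over the first `relearn_days` after it."""
    stale = unfamiliar_location_alerts(signins, cutover)
    relearned = unfamiliar_location_alerts(signins, cutover + timedelta(days=relearn_days))
    return {"stale_baseline": len(stale), "relearned_baseline": len(relearned), "kept": relearned}


if __name__ == "__main__":
    result = compare_baselines(SAMPLE_SIGNINS)
    print(f"alerts with stale baseline: {result['stale_baseline']}")
    print(f"alerts after relearning:    {result['relearned_baseline']}")
    for user, ip, when in result["kept"]:
        print(f"  kept: {user} from {ip} at {when}")
```

With the baseline frozen before the cutover the rule raises ten alerts, one per post-cutover sign-in; once the baseline is relearned over the first week it raises a single alert, the sign-in from a network the user had never used. The same shift hits impossible-travel and unfamiliar-sign-in analytics, because the VPN egress previously made every user appear to sign in from one place.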
If you operate Microsoft Sentinel, it is worth considering how you will handle the change at scale, especially if you support multiple environments. For teams looking to implement Microsoft Sentinel SOC automation and accelerate incident triage, tools such as SecQube can complement the shift by helping analysts investigate and respond consistently, even when they are not deep in query language work.
A pragmatic way to talk about success
A VPN replacement programme should not be judged by whether the VPN concentrator is turned off by a certain quarter.
Judge it by outcomes that the board and the help desk both recognise:
- Reduced access-related tickets
- Faster onboarding and merger integration
- Smaller blast radius for internal apps
- Higher confidence MFA coverage, including for awkward legacy corners
- Clearer audit evidence of who can access what
Entra Global Secure Access is not just a new product name. It is a nudge towards a more sustainable access model for hybrid work, where identity, device, and policy drive connectivity, and where security teams can scale governance without constantly fighting the VPN client. (learn.microsoft.com)