Von VPN zu GSA: Praxisberichte und erste Projekterfahrungen de

Global Secure Access – Microsofts identitätsbasiertes Zero Trust Network Access und Secure Web Gateway – ist seit letztem Jahr verfügbar. In den letzten Monaten konnte ich erste Erfahrungen in mehreren Projekten mit Global Secure Access (GSA) sammeln.

In diesem Vortrag teile ich meine Erfahrungen und Erkenntnisse und bespreche die wichtigsten Aspekte nach dem initialen Deployment, darunter:
- Strategien zur Ablösung von VPN
- Koexistenz mit VPN-Agents
- Nutzung von Quick Access und Application Discovery
- Gruppierung von Ressourcen zu Apps
- Connector Groups
- Anzahl und Platzierung
- Skalierung und Redundanz
- AVD und W365
- Was geht, was nicht?
- Kombination mit GSA zur Einbindung Externer
- Umgang mit Webapplikationen
- Entra App Proxy vs. Entra Private Access

Under the Hood: A Troubleshooter’s Guide to Global Secure Access en

Deploying Microsoft’s Security Service Edge (SSE) solution is only the first step. To truly master Global Secure Access (GSA), you need to understand how the traffic flows when things don’t go as planned. In this technical deep dive, we move beyond the marketing slides to explore the inner workings of the GSA client and the service backend.

We will share a systematic troubleshooting methodology for Entra Private and Internet Access, focusing on:

The Client Perspective: Leveraging the built-in diagnostic features of the GSA client to identify local routing conflicts and connectivity issues.

Centralized Visibility: Navigating the logs within the Entra Portal and utilizing Log Analytics to correlate events across your identity and network perimeter.

Advanced Diagnostics: Which external tools should you reach for when dealing with complex performance bottlenecks or latency issues?

Architectural Resilience: How to design and configure your GSA environment to minimize common failure points and reduce the need for manual intervention.

Join us for a session filled with practical insights and "lessons from the field" that will help you move from reactive firefighting to proactive management of your Secure Access environment.

Real world attacks abusing your Entra ID application misconfigurations en

With thousands of applications in any given tenant, application management is not top of mind for IT Pros, and the ease of delegation to developers and business application owners relieves much of the burden on IT - if it ain’t broke, don’t fix it, right?

Unfortunately, this creates a perfect storm for attackers. What seems like innocent delegation or rather simple secret creation can quickly turn into real world attacks on applications, bringing all the pain of things like data exfiltration, lateral movement, and for those offering services, a loss of trust from customers.

In this session we won’t just talk about the theory of attacks but show how easy they are for attackers. But attack demonstrations don’t solve problems; so, we’ll explore the misconfigurations and misconceptions that set the stage for the attack and discuss what organizations should do to protect their applications. Whether you’re an IT Pro, security professional, or developer, this session will be filled with the real defenses you should have in place to protect you from these very real attacks.

How to use Logic Apps to automate tasks in your Entra ID - and how to do this secure en

In this session I want to give an overview of how Logic Apps can help us automate tasks in Entra ID. We will look at the general functionality, a few do's and don'ts and practical examples.
Since with great power comes great responsibility, I will show in the second part what can and should be done to secure the Logic App.

Content:
- reasonable Use Cases
- AAD Connector vs. HTTP Actions with Managed Identity
- Securing the HTTP Trigger
- Evaluating OAuth tokens in Logic Apps to check permissions

Global Secure Access: Gateway to the Edge, Not the Abyss en

Global Secure Access - Microsoft's Security Service Edge Solution - combines an identity-centric Secure Web Gateway with identity-centric Zero Trust Network Access, marking a significant component of modern Zero Trust architecture when utilized properly.

Last year at the Experts Live DK, I’ve discussed the advantages of replacing outdated VPNs with Zero Trust Network Access solutions, such as Entra Private Access. After a year of numerous proof of concepts, pilots, and several deployments, I’m now eager to share more field experiences and the innovations that have emerged since. In addition Microsoft has started to integrate powerful features based on TLS inspection into the Internet Access part of Global Secure Access.

In this demo packed session we will dive into the different features, explore how you can practically leverage them, and what problems can occur. Additionally, we'll discuss which of the many small and major new functions are particularly relevant, which issues they address, and how GSA may evolve in the medium and long term.

Among other advancements, I will discuss and demonstrate these recently introduced features that address key architectural and operational gaps in previous implementations:

- Intelligent Local Access, which enables policy-based access decisions grounded in device and network locality
- Universal Continuous Access Evaluation, delivering near real-time enforcement of access policies across hybrid and multi-cloud environments
- Private Access for Domain Controllers, enhancing identity infrastructure security through isolated and policy-driven connectivity
- TLS Inspection and its extended capabilities, providing deep visibility and control over encrypted traffic for improved threat detection and compliance

Breaking Up with VPN: Boss‑Fight Strategies for a Smooth Entra Private Access Migration en

Global Secure Access (GSA), Microsoft’s Security Service Edge solution, unites identity‑centric Secure Web Gateway and Zero Trust Network Access to deliver a modern, resilient access architecture. When implemented correctly, it becomes a cornerstone of Zero Trust.

Since the earliest public previews, I’ve **pioneered** replacing legacy VPN with Entra Private Access and supported numerous proofs of concept, pilots, and full rollouts. In this demo‑rich session, I’ll share hard‑won lessons from the field and highlight the innovations that have transformed the experience.

We’ll explore practical strategies for migration, uncover common pitfalls, and dive into new capabilities that close critical architectural gaps. Expect hands‑on demos of features such as:

- **Intelligent Local Access** – Policy‑driven decisions based on device and network locality
- **Universal Continuous Access Evaluation** – Near real‑time enforcement across hybrid and multi‑cloud environments
- **Private Access for Domain Controllers** – Protecting Domain Controllers with Zero‑Trust Private Access
- **B2B Guest Access with GSA** – Secure, streamlined access for partners and consultants

Join us to learn what works, what doesn’t, and how these advancements shape the future of secure connectivity.

A comparison: Is Entra Private Access the better VPN? en

We've spent the last few years modernizing clients, kicking them out of Active Directory and optimizing them to run outside the corporate network. The use of modern protocols, conditional access and the integration of MDE and Intune now enables us to access cloud services with access management that largely complies with the principles of zero trust.

However, when it comes to accessing legacy apps in the old data center world, we unfortunately all too often fall back on the old solutions - perhaps enhanced with some SAML and certificates - and features such as microsegmentation and session revocation are sought in vain.

In this session, I will discuss and demonstrate why Microsoft's SSE solution Global Secure Access is much closer to my understanding of Zero Trust Network Access. In addition to network and connectivity topics, I will show how Entra Private Access benefits from integration with Conditional Access, Entitlement Management and Defender/Sentinel in the classic network disciplines of Authentication, Authorization and Accounting.

As a security architect who used to deal intensively with networks and in recent years with identity, I am very much looking forward to a deep dive on the topics of DNS and Single SignOn when accessing the OnPrem environment with Private Access.

Prepare yourself for
* Trafficflow, connector groups and name resolution in multi-datacenter scenarios
* (Passwordless) SSO with Cloud Kerberos Trust
* Granular authorization assignment with self-service through access packages
* Policy design for segmentation through conditional access

Is Entra Connect Sync Still the Best Choice? Let's Sync About It! en

Many of us have done the initial design and deployment of Entra Connect quite some time ago. But besides the regular version updates, what has changed over the last years? Would we do it exactly the same way again?

In this session, we will challenge the presumption that Entra Connect is still required in the modern identity landscape. Can't it be replaced by Entra Cloud Sync?

We will not only highlight the advantages and disadvantages of each solution, but also look at migration or coexistence setups. And we will give you an outlook what to expect in the coming month to better support you in the decision what to do next.

And as the security guys, this session wouldn't be complete without a look at the security implications of both solutions. From lateral movement to available protections we will give insights what to be aware of when protecting these critical components.

The state of passkey at the end of '25 en

Entra ID introduced the first public preview passkey early 2024 and revamped it in October. Now it's December 2025 but where are we in the enterprise passkey journey?

In this session we will explore the past, the present and the future of passkeys not only in Entra ID, but with a look at ecosystem as a whole.

Have you ever asked yourself:

🛡️ What's cross-device or same-device authentication?
🛡️ Why do I need Bluetooth in some scenarios?
🛡️ Is there a difference between Android and iOS?
🛡️ What is this attestation?
🛡️ Should I choose device-bound or synced passkeys?
🛡️ Are passkeys really phishing-resistant?

Then you came to the right talk. We will explain fundamental concepts, dive deeper and compare different options to deploy and use passkeys.

What's New and What's Next in Global Secure Access en

Global Secure Access - Microsoft's Security Service Edge Solution - combines an identity-centric Secure Web Gateway with identity-centric Zero Trust Network Access, marking a significant component of modern Zero Trust architecture when utilized properly.

Now that GSA has been available for just over a year and we've supported various proof of concepts and pilots, let's explore its evolution, how you can practically leverage the new features, and what problems have been resolved. Additionally, we'll discuss which of the many small and major functions on the roadmap are particularly relevant, which issues they address, and how GSA may evolve in the medium and long term.

This session provides a compelling outlook, perfectly following our first GSA session "One year with GSA projects - what we learned so far," which offers more of a retrospective.

How to build an Entra-ordinary Security Monitoring en

Effective security monitoring goes beyond simply enabling Defender products and deploying rule templates. It requires a strategic approach which includes a phased rollout and defined maturity model. This session explores how to start with Defender XDR signals and alerts as a foundation to identify critical threats and go far beyond this with custom detection engineering.

We'll discuss key gaps in the threat landscape, highlighting areas that require adjustment or development for detection engineering in certain areas. Learn how to choose and adjust Analytic Rules to create a well-tuned, actionable rule set while customizing detections from the Content Hub and community solutions.

Alert fatigue is a common challenge — so we'll explore scenario-based incidents using correlation as a more efficient approach to signal management. Additionally, UEBA-driven anomaly detection will be covered, showcasing how behavioral analytics can help identify emerging threats.

Join us to gain practical insights, optimize detection rules, and learn which strategies are effective to achieve a happy SOC by reducing noise and effort in your environment.

Zero Trust - Zero Gap? Spotlight on (new) uncovered aspects of your CA design en

Conditional Access is the heart of Microsoft's Zero Trust implementation as its policy enforcement engine and Microsoft introduces constantly new features to cover more and more use cases and integrations. This includes granular conditions and controls for specific authentication methods, restricted sessions and authentication flows but also new capabilities to re-trigger a policy evaluation.

In this session, we will discuss the latest features and their use cases and also challenges that you may not address in your current ruleset. Starting from automation for deployment, exclusion handling and gap monitoring, up to missing strong policy design to prevent rogue devices or protect privileged users.

The End of Passwords: An Introduction to Passkeys in Entra ID en

In cyber security we had and still have a lot of trouble with passwords. They are, as a single factor, insecure or difficult to remember and overall inconvenient. While password managers solve some part of this problem, widespread adoption in the enterprise is not available. In the end nobody loves passwords, except hackers 😜

But 2024 is the year the password dies! At least we hope so.

In this talk we want to show you how passkeys can replace not only the password but phishable MFA factors as well.

We will delve in the basic´s behind passkeys, explain the technology that makes them so secure but also what different kind of passkeys there are.

In this session we will focus on how passkeys fit into Microsoft Entra IDs ecosystem, our favorite identity provider, but many aspects are applicable to other IdPs as well.

But where there is light, there is also shadows. We will discuss the risk some of the passkey implementations might hold for you as an enterprise and will show counter measures to mitigate or minimize this risk.

Let us all make 2024 the end of the password!

Level 200-300 ~45 minutes

Walk the walk - explore ways to ensure strong authentication in real life scenarios en

Everyone will agree that a solid set of rules for authentication and authorization is one (if not the) cornerstone of a Zero Trust implementation. Furthermore, everyone actually agrees that device compliance and phishing resistant MFA are the best basic measures to implement with Azure Active Directory Conditional Access.

However, when we look at the status quo of many environments we see a different picture and anyone who has tried to roll out these basic measures to all users in a larger environment knows that this is not an easy task.

This session is based on a lot of project experience and shows a collection of strategies, tactics and tools to make a roll-out efficient and as painless as possible.

Topics: Conditional Access, Authentication methods, Logs, Reports & Workbooks, MFA registration methods / policies, Strong Authentication, Passwordless, Zero Trust

Level 200-300, minimum 45 minutes (better more)

1st AID for EID - how to prevent lateral movement to Entra ID when your Active Directory has fallen en

Currently, the biggest threat to an Entra ID tenant in the vast majority of environments comes from the connected Active Directory. Attackers are (currently) focusing heavily on on-prem environments, as these are generally much more difficult to protect and are also in a much worse state. And it's often not far from there to the cloud...

Containment is one of the most important measures in an emergency and usually Entra ID, M365 and Azure are at the top of the list as M365 is very important for crisis communication and Azure can be a good platform for the recovery phase.

In this session, we will discuss the steps necessary to block lateral movement for a full compromise of Entra ID from Active Directory in a reasonable order.

We will then look at your users' accounts, the impact of your actions on their ability to work and how you can make decisions in this situation.

We will also discuss what you can do today to be best prepared for this scenario.

Level 200-300, minimum 45 minutes

Let’s replace your VPN with a real Zero Trust Network Access ! en

We've spent the last few years modernizing clients, kicking them out of Active Directory and optimizing them to run outside the corporate network. The use of modern protocols, conditional access and the integration of MDE and Intune now enables us to access cloud services with access management that largely complies with the principles of zero trust.

However, when it comes to accessing legacy apps in the old data center world, we unfortunately all too often fall back on the old solutions - perhaps enhanced with some SAML and certificates - and features such as microsegmentation and session revocation are sought in vain.

In this session I would like to discuss and show why Microsoft's SSE solution is so much closer to my understanding of Zero Trust Network Access by explicitly checking every session in the network during its establishment, limiting access to the least necessary and disconnecting in case of a breach.

As a security architect who used to deal intensively with networks and in recent years with identity, I am very much looking forward to a deep dive on the topic of Single SignOn when accessing the OnPrem environment with Private Access.

In addition to the way the technology works, you will learn what needs to be considered during POC and rollout and what differences there are to a classic VPN project.

Level 200-300, minimum 45 minutes

Conditional Access in times of Global Secure Access en

Over time, conditional access has taken on an ever-increasing role in corporate access management and is now the (!) policy enforcement engine of a modern Zero Trust architecture. So it's not surprising that Microsoft is also relying on Conditional Access for Global Secure Access and making it the primary point of policy enforcement for Secure Web Gateway and Zero Trust Network Access!

In this session I would like to discuss

* what elements GSA integrates with CA and what features are being added
* how to use CA Policies to configure Entra Internet Access
* how to cleverly structure CA policies for Entra Private Access Apps
* why using GSA also gives you advantages when accessing Microsoft 365 Services Security.
* why there are several connections between GSA and Continuous Access Evaluation.

In addition to the limitations and incompatibilities that you should be aware of in order to design a sensible rule set, I would also like to give you an outlook on the effects that Global Secure Access can have on your existing conditional access rule set.

Based on my previous project experience in this field, I can

* give you an outlook on the impact of a Global Secure Access implementation on the existing Conditional Access rule set.
* report on experiences with the division of labor and collaboration between Global Secure Access Admin and Conditional Access Admin
* present suggestions for sensible policies

Level 300 - 40 minutes