From VPNs to private access and posture checks

Practitioners recommend migrating from legacy VPNs to zero‑trust private access models that bind identity to session context, and emphasise continuous device posture checks beyond initial login. That shift requires Entra Private Access‑style access policies plus runtime posture telemetry so real‑time context can influence session decisions. For detection engineers the task is to normalise Entra access logs and posture signals into per‑tenant risk scoring and to reflect posture changes in notables. (Richard Hicks) (Versa Networks)

A virtual private network was built for a world where getting “inside the network” was the goal. Microsoft now describes Entra Private Access as a way to replace that model with per-app access, so a user reaches one internal service instead of landing on a whole private network. (learn.microsoft.com) That changes the basic security question from “are you on the tunnel” to “should this person on this device reach this app right now.” Microsoft’s Conditional Access system evaluates who the user is, what app they want, and which conditions apply before access is granted. (learn.microsoft.com)

The weak spot in old remote access is that the big check often happens once, at sign-in. Microsoft’s continuous access evaluation model rechecks important changes during the session, and its documentation says critical events are enforced in near real time, with up to 15 minutes of latency possible for some events. (learn.microsoft.com)

Device posture is the missing half of that picture. Microsoft’s device compliance guidance ties access to concrete checks like whether a device meets configuration requirements, and Versa argues that identity by itself is incomplete without ongoing device posture. (learn.microsoft.com) (versa-networks.com) Think of device posture like a rental car inspection that keeps running after you leave the lot. A laptop can be healthy at 9:00 a.m. and lose encryption, endpoint protection, or policy compliance at 11:00 a.m., which is why Versa pushes continuous endpoint profiling instead of a one-time pass. (versa-networks.com)

Microsoft has started wiring that idea into the network path itself. Universal Continuous Access Evaluation in Global Secure Access revalidates access whenever a connection to a new application resource is established, so session decisions can change as context changes. (learn.microsoft.com) That is why practitioners like Richard Hicks keep framing Entra Private Access as more than “a new virtual private network.” Hicks’ recent Entra material focuses on migration from classic virtual private network technology to zero trust network access, with coexistence plans for companies that cannot rip out remote access in one step. (directaccess.richardhicks.com) (redmondmag.com)

For security operations teams, the hard part starts after the policy is written. Microsoft’s Global Secure Access stack exposes audit logs and network traffic logs, and continuous access evaluation has its own sign-in reporting, which means defenders have to join identity events, app access events, and posture changes into one timeline. (learn.microsoft.com 1) (learn.microsoft.com 2) A raw sign-in log is not enough if the laptop fell out of compliance 20 minutes later. The practical detection job is to normalize those Entra events per tenant, score the risk of each session, and raise a notable when posture changes should trigger reauthentication, reduced access, or a cut-off. (learn.microsoft.com 1) (learn.microsoft.com 2)

The end state is less like handing out building keys and more like checking a badge at every locked door. One person, one device, one app, one moment of context — and if any of those facts change, the session can change with them. (learn.microsoft.com)
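The detection job described above, joining sign-ins with later posture changes and scoring each session per tenant, as an added example that is not from the briefing, Microsoft, or Versa. The event records and field names are constructed for illustration and do not follow Entra's real log schema; the 15-minute window is the continuous access evaluation latency the briefing cites.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, not Entra's schema.
# One sign-in per session, plus device posture changes that arrive later.
SIGNINS = [
    {"tenant": "contoso", "session": "s1", "user": "alice", "device": "LAPTOP-01",
     "app": "payroll", "ts": "2024-05-01T09:00:00", "compliant": True},
    {"tenant": "contoso", "session": "s2", "user": "bob", "device": "LAPTOP-02",
     "app": "wiki", "ts": "2024-05-01T09:05:00", "compliant": True},
    {"tenant": "fabrikam", "session": "s3", "user": "carol", "device": "LAPTOP-03",
     "app": "payroll", "ts": "2024-05-01T09:10:00", "compliant": True},
]
POSTURE = [
    {"tenant": "contoso", "device": "LAPTOP-01", "ts": "2024-05-01T11:00:00",
     "compliant": False, "reason": "disk_encryption_off"},
    {"tenant": "fabrikam", "device": "LAPTOP-03", "ts": "2024-05-01T09:12:00",
     "compliant": False, "reason": "endpoint_protection_stopped"},
    {"tenant": "fabrikam", "device": "LAPTOP-03", "ts": "2024-05-01T09:20:00",
     "compliant": True, "reason": "remediated"},
]
HIGH_VALUE_APPS = {"payroll"}            # assumed list of sensitive apps
CAE_MAX_LATENCY = timedelta(minutes=15)  # worst-case CAE enforcement delay cited above

def ts(s):
    return datetime.fromisoformat(s)

def latest_posture(posture, tenant, device, after, now):
    """Most recent posture event for this tenant+device between the sign-in and now."""
    hits = [p for p in posture if p["tenant"] == tenant and p["device"] == device
            and after < ts(p["ts"]) <= now]
    return max(hits, key=lambda p: ts(p["ts"])) if hits else None

def score_sessions(signins, posture, now):
    """Return notables grouped per tenant for sessions whose device is now non-compliant.
    Base score for any live session on a non-compliant device; more if the app is high
    value; more again if the drop is older than the CAE window, since the session should
    already have been re-evaluated and a still-live session deserves a manual cut-off."""
    notables = {}
    for s in signins:
        p = latest_posture(posture, s["tenant"], s["device"], ts(s["ts"]), now)
        if p is None or p["compliant"]:
            continue  # no posture change yet, or the device was remediated
        score = 40
        if s["app"] in HIGH_VALUE_APPS:
            score += 30
        if now - ts(p["ts"]) > CAE_MAX_LATENCY:
            score += 20
        action = "cut_off" if score >= 80 else "reauthenticate"
        notables.setdefault(s["tenant"], []).append(
            {"session": s["session"], "user": s["user"], "device": s["device"],
             "app": s["app"], "reason": p["reason"], "score": score, "action": action})
    return notables
```

Running it at 11:30 flags only alice's payroll session (the posture drop is past the CAE window, so the score reaches cut-off), while carol's remediated device and bob's untouched device produce no notable.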
