On June 3, 2026, Microsoft published a customer story detailing how Shinsei Technos, a Japanese construction engineering firm, overhauled its remote access security by deploying Microsoft Entra Internet Access and Microsoft Entra Private Access. The move replaces legacy VPN infrastructure with identity-centric, zero trust network access, specifically targeting the challenges of hybrid workforces that blend office employees, field engineers, and short-term subcontractors across numerous project sites.

Shinsei Technos specializes in designing and maintaining complex industrial plants, often with teams that shift between office, home, and temporary on‑site offices. Like many construction and engineering organizations, the company struggled to provide timely, secure access to internal applications and data without burdening a transient workforce with cumbersome VPN clients and bespoke firewall rules. The Microsoft solution, part of the growing Entra product family, delivers context‑aware, policy‑driven connectivity that is completely transparent to end users.

The Hybrid Construction Challenge

The construction sector has undergone a rapid digital transformation, adopting Building Information Modeling (BIM), drone‑captured site imagery, real‑time collaboration platforms, and cloud‑hosted project management tools. However, while the applications have modernized, the method of connecting workers to these resources has often remained stuck in the VPN era. That creates multiple pain points:

  • Temporary and contract workers require immediate access but lack corporate‑managed devices, making traditional VPN onboarding slow and risky.
  • Field sites often rely on spotty internet connections; VPN tunnels that drop and reconnect disrupt productivity.
  • Strict compliance mandates in heavily regulated industries require granular access controls and audit trails that are difficult to enforce with network‑centric VPNs.
  • Shadow IT grows when employees circumvent slow VPN connections to get work done, exposing sensitive project data to unmanaged cloud storage.

Shinsei Technos faced each of these issues acutely. Project managers needed to share large design files with subcontractors who might only work on a site for a few weeks. Engineers wanted to securely reach on‑premises legacy applications from home. And the IT team sought a way to enforce conditional access that could distinguish between a fully managed company laptop in the office and a personal device connected over public Wi‑Fi.

Microsoft Entra Internet Access and Private Access Explained

Microsoft’s answer is a pair of tightly integrated services that sit within the broader Global Secure Access platform, which itself is part of the Microsoft Entra identity and access management family (formerly Azure Active Directory). Together, they form a Secure Access Service Edge (SASE) framework anchored on identity rather than network perimeters.

Entra Internet Access

Entra Internet Access is a secure web gateway that protects against internet‑based threats by routing all outbound web traffic through Microsoft’s global network. It enforces Microsoft Entra Conditional Access policies, meaning that access to any SaaS application or web destination can be gated by user risk level, device compliance, location, and real‑time session signals. For Shinsei Technos, this means a field worker’s attempt to access a cloud‑hosted BIM platform is only permitted if the device meets the company’s minimum security standards and the user’s identity has been authenticated through multifactor authentication—without requiring a dedicated VPN tunnel.

Entra Private Access

Entra Private Access replaces legacy VPNs by providing Zero Trust Network Access (ZTNA) to private, on‑premises resources. It works by deploying a lightweight connector inside the organization’s network that proxies traffic to internal applications. Users connect through the Entra client or a browser, and every access request is evaluated against the same Conditional Access engine. No inbound firewall ports need to be opened, and applications are never exposed directly to the internet. For Shinsei Technos, this meant retiring multiple VPN concentrators and giving temporary workers browser‑based access to critical line‑of‑business applications without installing anything beyond the standard Microsoft 365 suite.

Both services rely on Microsoft’s massive global backbone, which reduces latency and improves reliability—critical for construction sites where connectivity may be intermittent. The entire experience is unified under the Entra admin center, allowing IT teams to set a single security posture that spans cloud and on‑premises environments.

Shinsei Technos’ Zero Trust Journey

According to Microsoft’s published narrative, Shinsei Technos initiated its zero trust migration with a clear set of goals: eliminate standing VPN credentials, reduce the attack surface, and improve the user experience for a fluid, distributed workforce. The project was phased to minimize disruption.

Phase 1: Identity consolidation — The company moved all user identities to Microsoft Entra ID (Azure AD) and enforced phishing‑resistant multifactor authentication for all employees and external collaborators. Every account, whether belonging to a permanent staff member or a temporary subcontractor, is now governed by Conditional Access policies.

Phase 2: Internet Access rollout — The IT team deployed Entra Internet Access to protect all outbound web traffic from managed devices. They configured policies that block high‑risk websites, restrict file uploads to unapproved cloud storage, and enforce data loss prevention (DLP) controls. Because the service integrates with Microsoft Defender for Cloud Apps, the company gained visibility into shadow IT usage across all project sites.

Phase 3: Private Access migration — This was the most transformative step. The team identified 80+ internal legacy applications that were previously reachable only via VPN. They installed connectors in the corporate data center and published each application through Entra Private Access. Access is granted on a per‑application basis, not a network segment. For instance, a subcontractor may be allowed to reach the project document management system but is completely blocked from the finance ERP.
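The difference between segment-level VPN reachability and per-application access can be shown with a small model. This is an added example, not code from Microsoft or Shinsei Technos and not the Conditional Access engine itself; the application names, group names, subnet and rule set are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: app names, groups and the subnet are illustrative assumptions.
VPN_SEGMENT = {"doc-mgmt": "10.20.0.0/16", "finance-erp": "10.20.0.0/16"}

# Per-application rules: which groups are assigned and which device control applies.
APP_POLICY = {
    "doc-mgmt": {"groups": {"employees", "subcontractors"}, "require_compliant_device": False},
    "finance-erp": {"groups": {"finance"}, "require_compliant_device": True},
}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    mfa_phishing_resistant: bool
    device_compliant: bool
    user_risk: str  # "low", "medium" or "high"

def vpn_allows(req, vpn_members):
    """Network-centric model: a VPN credential reaches every app routed on the segment."""
    return req.user in vpn_members and req.app in VPN_SEGMENT

def ztna_decide(req):
    """Identity-centric model: default deny, decided per application on every request."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return (False, "app not published")
    if not (req.groups & policy["groups"]):
        return (False, "user not assigned to app")
    if not req.mfa_phishing_resistant:
        return (False, "phishing-resistant MFA required")
    if policy["require_compliant_device"] and not req.device_compliant:
        return (False, "compliant device required")
    if req.user_risk == "high":
        return (False, "user risk too high")
    return (True, "granted")

if __name__ == "__main__":
    sub = Request("sub01", frozenset({"subcontractors"}), "doc-mgmt", True, False, "low")
    for app in ("doc-mgmt", "finance-erp"):
        r = Request(sub.user, sub.groups, app, True, False, "low")
        print(app, "vpn:", vpn_allows(r, {"sub01"}), "ztna:", ztna_decide(r))
```

In the VPN model the subcontractor reaches both applications because they share a routed segment; in the per-application model the same identity is granted the document system and denied the ERP, and the decision changes as soon as a signal such as user risk changes.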

Implementation and Key Outcomes

The deployment, as described in the customer story, delivered measurable results within the first quarter:

  • VPN elimination: Shinsei Technos decommissioned all remote access VPN infrastructure, removing a high‑maintenance attack surface and saving on licensing and hardware costs.
  • Faster onboarding: Temporary workers now receive access to essential applications within hours of identity provisioning, down from days of VPN client installation and troubleshooting.
  • Improved security posture: With continuous access evaluation, sessions are automatically terminated if user risk increases (e.g., an anomalous sign‑in is detected), something impossible with static VPN tunnels.
  • Simplified audits: All access events are logged in Microsoft Sentinel, providing a unified audit trail for regulatory compliance, including Japan’s Act on the Protection of Personal Information.
  • User satisfaction: Field engineers report higher productivity because they no longer wait for VPN connections to establish; applications load natively through the Entra agent or browser.

The story also highlights a significant cultural shift. Because zero trust principles are now embedded into daily workflows, employees have become more conscious of security without feeling restricted. The IT service desk saw a 40% reduction in tickets related to remote access, freeing staff to work on proactive improvements.

Industry Implications and Microsoft’s Vision

Shinsei Technos is not an isolated case. Microsoft has been aggressively positioning Entra Internet Access and Private Access as the natural successor to traditional VPNs—not just for office workers but for frontline industries like construction, manufacturing, and retail. The announcement underscores several strategic themes:

  • Convergence of identity and network security. By making identity the control plane, Microsoft eliminates the need for separate VPN infrastructure. Every access decision is informed by real‑time signals from the identity provider.
  • Frontline worker enablement. The construction sector, with its high churn of temporary staff and extreme mobility, is a stress test for any access solution. Success here serves as proof of concept for other asset‑intensive industries.
  • SASE at scale. Microsoft’s global network, which already carries a significant portion of the world’s internet traffic, becomes the backbone for private app connectivity, offering performance that on‑premises VPN appliances cannot match.

Analysts note that Microsoft is competing directly with established SASE vendors like Zscaler and Netskope, as well as with SD‑WAN providers, by integrating these capabilities into the Microsoft 365 and Entra subscriptions that enterprises already own. For organizations deeply invested in the Microsoft ecosystem, the incremental cost and integration advantages are compelling.

Looking Ahead

The Shinsei Technos case study is likely the first of many Microsoft will publish to demonstrate zero trust network access in non‑traditional office environments. Future enhancements, hinted at in the Microsoft 365 roadmap, include deeper IoT integration for construction machinery and AI‑driven adaptive policies that learn typical user behavior to automatically adjust access privileges.

For Windows administrators and IT decision‑makers, the takeaway is clear: the era of the VPN is rapidly closing. Identity‑based, cloud‑delivered secure access is not only more secure but also fundamentally better aligned with the modern hybrid work reality. Shinsei Technos’ experience provides a blueprint for how even companies with complex, high‑turnover workforces can achieve both security and simplicity.

Microsoft has not released the full technical implementation details publicly, but the customer story serves as a validation point for Entra’s capabilities. As more organizations in construction, engineering, and field services explore zero trust, the lessons from Shinsei Technos—focus on identity, start with a quick win like internet access, and then tackle legacy private apps—will guide their journeys.