Ready to take your network security to the next level? Discover how the latest features in the Entra Suite integrate modern identity, endpoint, and network access controls, all built on the principles of Zero Trust.
Microsoft Entra Internet Access and Private Access have just gone to GA, adding robust features to the Entra Suite that significantly enhance network security. By integrating modern identity, endpoint, and network access controls, these services are built on the principles of Zero Trust. They leverage Microsoft’s advanced security technologies to secure access to both public and private resources, irrespective of user location.
Microsoft Entra Internet Access and Private Access are part of Microsoft’s Security Service Edge (SSE) solution. The unifying term for these services is Global Secure Access (GSA), which ensures comprehensive management and evaluation of all network-level traffic from clients, beyond just browser traffic.
When it comes to traffic forwarding with GSA, it’s crucial to understand that the traffic forwarded to Entra Edge encompasses all network-level traffic from the client, not just browser traffic. This comprehensive approach ensures that all data transmissions are securely managed and evaluated.
Entra Internet Access
- Internet Access enables secure connectivity from a machine with the Global Secure Access client.
- The connection goes through the Entra Edge, where conditional access can be applied.
- This setup allows for various restrictions to protect users from potential threats or undesirable sites.
Entra Private Access
- The Global Secure Access client also facilitates Private Access.
- For TCP or UDP connections, it establishes a secure tunnel to the Entra Edge.
- Conditional access is applied, ensuring a constantly verifiable connection to backend resources.
Entra Suite Components
- The newly announced Entra Suite integrates several components.
- Priced at $12 per month, the suite includes:
  - Entra ID Protection: A P2 feature providing basic identity protection capabilities.
  - Entra ID Governance: A separate component that requires additional licensing even if a P2 license is already owned.
  - Entra Verified ID: Ensures secure and verified identification.
  - Internet Access: Part of Global Secure Access.
  - Private Access: Also part of Global Secure Access.
- Note: To utilize these features, a P1 license is required as a foundation.
Overall, the Entra Suite offers comprehensive security and access management solutions for an additional $12 per month, building on existing P1 capabilities. Entra Suite is also included in the Microsoft 365 E3 and E5 licenses.
Traffic Profiles
Traffic forwarding in GSA allows organizations to manage and secure network traffic by applying specific policies. Traffic is evaluated and routed through the service to the appropriate applications and resources.
- Microsoft Traffic Forwarding Profile: This profile includes traffic for Microsoft apps like Entra ID, Microsoft Graph, SharePoint Online, and Exchange Online. Traffic can be forwarded or bypassed based on workload groups.
- Private Access Profile: This profile routes traffic to private resources using fully qualified domain names (FQDNs) and IP addresses. It requires configuring Quick Access and is forwarded through the Global Secure Access desktop client.
- Internet Access Profile: This profile routes traffic to the public internet, including SaaS apps. It uses a pre-populated list of regular expressions for FQDNs and IP addresses and is also forwarded through the Global Secure Access desktop client.
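To make the three profiles concrete, here is an added Python model (not Microsoft's code or published endpoint lists) of how a destination is matched to a profile. The Microsoft workload patterns, the Quick Access segments (`corp.contoso.local`, `10.20.0.0/16`) and the evaluation order (Microsoft, then Private, then Internet) are constructed assumptions for illustration.

```python
import ipaddress
import re

# Constructed model of the three GSA forwarding profiles described above.
# All patterns and segments are sample values, not Microsoft's published lists.
MICROSOFT_WORKLOADS = {
    "Exchange": [r"^outlook\.office365\.com$"],
    "SharePoint": [r"^([a-z0-9-]+\.)*sharepoint\.com$"],
    "Microsoft 365 Common": [r"^graph\.microsoft\.com$", r"^login\.microsoftonline\.com$"],
}
# Quick Access app segments for the Private Access profile (constructed values).
PRIVATE_FQDN_SUFFIXES = ["corp.contoso.local"]
PRIVATE_IP_RANGES = [ipaddress.ip_network("10.20.0.0/16")]


def _as_ip(dest):
    """Return an ip_address for a literal IP destination, else None."""
    try:
        return ipaddress.ip_address(dest)
    except ValueError:
        return None


def classify(dest, enabled=("Microsoft", "Private", "Internet"), workload_actions=None):
    """Return the profile that captures traffic to dest, or 'bypass' if it goes direct.

    Assumed evaluation order for this model: Microsoft, then Private, then Internet.
    workload_actions maps a Microsoft workload group to 'forward' (default) or 'bypass'.
    """
    dest = dest.lower().rstrip(".")
    ip = _as_ip(dest)
    actions = workload_actions or {}
    if "Microsoft" in enabled and ip is None:
        for workload, patterns in MICROSOFT_WORKLOADS.items():
            if any(re.match(p, dest) for p in patterns):
                return "Microsoft" if actions.get(workload, "forward") == "forward" else "bypass"
    if "Private" in enabled:
        if ip is not None and any(ip in net for net in PRIVATE_IP_RANGES):
            return "Private"
        if ip is None and any(dest == s or dest.endswith("." + s) for s in PRIVATE_FQDN_SUFFIXES):
            return "Private"
    # The Internet profile only captures public destinations; unmatched private IPs go direct.
    if "Internet" in enabled and (ip is None or ip.is_global):
        return "Internet"
    return "bypass"
```

Disabling a profile in `enabled` shows the practical consequence: traffic that no enabled profile matches is not sent to Entra Edge at all, so no Conditional Access or filtering policy applies to it.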
GSA Agent and Remote Network
The GSA agent is a lightweight software component installed on endpoints. It acts as an intermediary between the user’s device and the GSA service. When you use the GSA agent, traffic from the endpoint is securely forwarded to the GSA service for evaluation and policy enforcement.
Use Cases:
- Windows & Android Devices: Deploy the GSA agent on Windows & Android devices (laptops, tablets, etc.) to ensure secure access to corporate resources while users are on the move.
- Endpoint Security: The GSA agent provides additional security features, such as posture assessment and device health checks.
- Granular Control: You can apply policies specific to individual endpoints based on user roles, location, or other criteria.
Remote networks refer to networks inside and outside the corporate perimeter, such as virtual networks, branch offices, partner locations, or home networks. Instead of using the GSA agent, you can configure remote networks to route traffic directly to the GSA service.
Use Cases:
- Virtual Networks: Configure all traffic from Azure VNets to be forwarded to Entra Edge.
- Branch Offices: Set up remote networks for branch offices to ensure consistent security policies across all locations.
- Third-Party Networks: If your organization collaborates with external partners, configure their networks as remote networks to allow secure access.
- Home Offices: For remote workers, configure their home networks as remote networks to maintain security even when they work from home.
Remember that the choice between the GSA agent and remote networks depends on your specific requirements, security posture, and user scenarios.
Universal Tenant Restrictions
A key feature of Microsoft Entra Internet Access is Universal Tenant Restrictions, which helps prevent data exfiltration by users who sign in with external tenant identities to Microsoft Entra-integrated applications like Microsoft Graph, SharePoint Online, and Exchange Online. GSA and tenant restrictions work in unison to prevent data exfiltration across all devices and networks.
All traffic is tagged, regardless of the operating system, browser, or device form factor. This feature supports both client and remote network connectivity, eliminating the need for administrators to manage proxy server configurations or complex network setups.
Universal Tenant Restrictions enforce policies using GSA-based signalling for both the authentication plane (generally available) and the data plane (preview).
Web Content Filtering
Web content filtering empowers organizations to implement granular Internet access controls based on website categorization.
Microsoft Entra Internet Access’s Secure Web Gateway (SWG) features include web content filtering based on domain names. Microsoft integrates granular filtering policies with Microsoft Entra ID and Microsoft Entra Conditional Access, resulting in user-aware, context-aware, and easy-to-manage filtering policies.
Currently, the web filtering feature supports user- and context-aware Fully Qualified Domain Name (FQDN)-based web category filtering and FQDN filtering.
By integrating web content filtering with Microsoft Entra ID and Conditional Access, organizations can enforce granular and contextually aware internet access controls, enhancing security and management of web traffic.
Conclusion
In conclusion, the introduction of Microsoft Entra Internet Access and Private Access as part of the Global Secure Access (GSA) solution marks a significant advancement in network security. By seamlessly integrating modern identity, endpoint, and network access controls, these services embody the principles of Zero Trust, ensuring secure connectivity to both public and private resources regardless of user location.
The Entra Suite enhances Microsoft 365 E3 and E5 licenses by offering comprehensive security and access management solutions. Key features like the GSA agent, configurable traffic profiles, and universal tenant restrictions enable organizations to secure and manage network traffic with unparalleled precision and flexibility.
With the capability to route all network-level traffic through Entra Edge, Microsoft Entra Internet Access and Private Access provide robust protection against potential threats, enforcing granular and context-aware policies across various endpoints and remote networks. This holistic approach to network security, complemented by advanced web content filtering and continuous conditional access, makes GSA an indispensable tool for modern enterprises striving for optimal security and efficiency.
Embrace the future of network security with Microsoft Entra Internet Access and Private Access and unlock the full potential of Global Secure Access to safeguard your organization’s digital landscape.
I’ve followed up this introduction to GSA with some deep dive blogs that look further into configuring Microsoft Entra Internet Access, Universal Tenant Restrictions, and Web Content Filtering.