
Understanding Microsoft Entra Global Secure Access


In this article, we will delve into the details of Microsoft Entra Global Secure Access, a cutting-edge solution that provides robust security and seamless access to resources.

What is Microsoft Entra Global Secure Access?

Microsoft Entra Global Secure Access is a state-of-the-art platform designed to enable secure and efficient access to resources across organizations. It serves as a gateway that allows users to connect to corporate applications, data, and services, regardless of their location.

Microsoft recently unveiled a range of enhanced Security Service Edge (SSE) features as a component of their Microsoft Entra technology suite. Among these developments, Microsoft introduced the public preview of two novel secure remote access technologies, namely Microsoft Entra Internet Access and Microsoft Entra Private Access.

You can access the preview from the Entra Portal at https://entra.microsoft.com/, but if you want to gain access to the private preview as well you need to sign up on this Microsoft form: Microsoft Entra Internet Access Private Preview Interest.

By leveraging modern technologies and advanced security features, Entra Global Secure Access offers a seamless user experience without compromising on data protection.

Microsoft Entra Internet Access

Microsoft Entra Internet Access is a cloud-based Secure Web Gateway (SWG) that aims to safeguard users against threats found on the public Internet. Its features include web content filtering, malware inspection, TLS inspection, and more. Furthermore, Entra Internet Access protects Microsoft 365 applications by allowing Conditional Access policies to be enforced on Internet traffic.

Microsoft Entra Internet Access (Image credit Microsoft)

With the addition of network conditions to Azure Conditional Access, the solution can fortify against attacks by mandating access from specific trusted or compliant networks.

At the time of this writing, the public preview of Microsoft Entra Internet Access is exclusively available for Microsoft 365 scenarios. However, support for Internet traffic and other SaaS applications will be introduced later this year.

Microsoft Entra Private Access

Microsoft Entra Private Access is a cloud-based solution that builds on the Azure Application Proxy access model to provide a Zero Trust Network Access (ZTNA) framework. By leveraging Azure App Proxy, administrators can publish private applications that reside on-premises without the need for a VPN client, simply by installing the connector on an on-premises server.

Microsoft Entra Private Access (Image credit Microsoft)

Through Microsoft Entra ID (formerly Azure AD) authentication and conditional access policies, administrators can ensure device compliance and enforce multifactor authentication (MFA) if necessary. Microsoft Entra Private Access extends the functionality of Azure Application Proxy to accommodate TCP and UDP-based applications, such as RDP, SSH, SMB, and HTTP/S to name a few. Previously, Azure Application Proxy only supported web applications.

The App Proxy connector requires Windows Server 2012 R2 or later. The minimum connector version required for Private Access is 1.5.3417.0; you can download the latest version directly from this URL. For high availability in your environment, it’s recommended to run the connector on more than one Windows server.

You can install and register a connector by going to Global Secure Access > Connect > Connectors and selecting Download connector service.

App Proxy connectors for Microsoft Entra Private Access

Once you have configured at least one active App Proxy connector, you can start configuring Quick Access by going to Global Secure Access > Applications > Quick Access.

Create a Quick Access application segment

You need to provide a name for the Quick Access app, select a connector group, and add application segments, which include FQDNs and IP addresses.

Related: Step-by-Step – Evaluate Microsoft Entra Private Access.

Key Features and Benefits

Let’s look at the key features and benefits of Microsoft Entra Global Secure Access (preview):

#1 Universal Conditional Access

With Universal Conditional Access, you can utilize Conditional Access policies to safeguard traffic profiles. You can mix and match various controls as needed, such as requiring multifactor authentication (MFA), requiring compliance with device standards, or defining acceptable sign-in risk levels. By applying these controls to both network traffic and cloud applications, we achieve what is known as universal Conditional Access.

Implementing Conditional Access on traffic profiles grants administrators significant control over their security framework. They can enforce Zero Trust principles by using policies to manage network access. The use of traffic profiles ensures consistent application of policies, even for applications that lack support for modern authentication.

This functionality helps to consistently enforce Conditional Access policies based on traffic profiles, extending beyond just applications or actions. You can specifically target traffic profiles like Microsoft 365 or private internal resources with these policies.

Universal Conditional Access

Users will only be able to access these configured endpoints or traffic profiles when they meet the established Conditional Access policy requirements.

#2 Universal Tenant Restrictions

Universal tenant restrictions enhance tenant restrictions v2 by using Global Secure Access to tag all traffic regardless of the operating system, browser, or device form factor. This approach supports both client and remote network connectivity, eliminating the need for you to manage proxy server configurations or complex network setups.

With Universal Tenant Restrictions, enforcement is achieved through Global Secure Access-based policy signaling for both authentication and data transmission. Tenant restrictions v2 empowers organizations to prevent data exfiltration by users who utilize external tenant identities for integrated Microsoft Entra ID applications like Microsoft Graph, SharePoint Online, and Exchange Online. These technologies work together harmoniously to universally safeguard against data exfiltration across all devices and networks.

Universal Tenant Restrictions

Before you can use universal tenant restrictions, you must configure both the default tenant restrictions and tenant restrictions for any specific partners. Check how to set up tenant restrictions v2.

#3 Compliant Network Check

By leveraging Conditional Access in conjunction with Global Secure Access, you can effectively prevent malicious access attempts to Microsoft apps, third-party SaaS apps, and private line-of-business (LoB) applications. This defense-in-depth approach combines multiple conditions, such as device compliance, location, and more, to fortify against user identity or token theft. Within Conditional Access, Global Secure Access introduces the concept of a compliant network alongside continuous access evaluation. The compliant network check ensures that users connect through the trusted network connectivity model specific to their tenant and adhere to the security policies enforced by the organization.

The Global Secure Access Client, installed on devices or configured for remote networks, empowers you to secure resources behind a compliant network with advanced Conditional Access controls. This compliant network simplifies management and maintenance for administrators, eliminating the need to maintain an exhaustive list of an organization’s location IP addresses. Additionally, there is no requirement to route traffic through the organization’s VPN egress points for security purposes.

It’s important to note that the compliant network check is unique to each tenant. This check guarantees that other organizations utilizing Microsoft’s Global Secure Access services cannot access your resources. For example, Contoso can protect services like Exchange Online and SharePoint Online by implementing a compliant network check that restricts access to only Contoso users. If another organization, such as Fabrikam, were to employ a compliant network check, it would not pass Contoso’s specific compliant network validation.

This option is enabled globally at the tenant level under Global Secure Access > Global settings > Session management > Adaptive Access.

Enable Global Secure Access signaling in Conditional Access

Then you can browse to Microsoft Entra ID Conditional Access > Named locations and confirm that you have a new location called All Compliant Network locations with location type Countries. You can optionally mark this location as trusted.

Conditional Access | Named locations | Network Access

It’s worth mentioning that the compliant network differs from IPv4, IPv6, or geographic location configurations you may configure in Microsoft Entra ID (Azure AD). No administrative upkeep is required for the compliant network check process.

#4 Remote Networks

Global Secure Access offers two connectivity options: installing a client on end-user devices and configuring a remote network, such as a branch location with a physical router. The remote network connectivity feature simplifies how end-users and guests connect from a remote network, eliminating the need to install the Global Secure Access Client.

Remote networks refer to distant locations or networks that necessitate internet connectivity. For instance, many organizations have a central headquarters along with branch offices located in different geographical areas. These branch offices require access to corporate data and services while maintaining a secure connection with the data center, headquarters, and remote workers. Ensuring the security of remote networks holds paramount importance for various types of organizations.

Typically, remote networks, such as branch locations, establish a connection with the corporate network through either a dedicated Wide Area Network (WAN) or a Virtual Private Network (VPN) connection. Employees at branch locations connect to the network using customer premises equipment (CPE).

Before you can set up remote networks, you need to onboard your tenant information with Microsoft. This one-time process enables your tenant to use remote network connectivity.

Onboard your tenant for Remote networks

To establish a connection between a remote network and Global Secure Access, you configure an Internet Protocol Security (IPsec) tunnel between your on-premises equipment and the designated Global Secure Access endpoint. This IPsec tunnel routes the selected traffic to the nearest Global Secure Access endpoint. Security policies can be implemented and managed within the Microsoft Entra admin center.

#5 Traffic Forwarding Profiles

By utilizing traffic forwarding profiles within Global Secure Access, you can effectively apply policies to network traffic that requires security and management within your organization. The network traffic is assessed against the configured traffic forwarding policies, with the profiles being applied accordingly, and the traffic directed to the appropriate applications and resources.

Traffic forwarding allows you to determine the specific types of network traffic that should be tunneled through the Microsoft Entra Private Access and Microsoft Entra Internet Access services. Profiles are established to govern the management of distinct traffic categories.

First, you need to enable traffic forwarding on your Microsoft 365 profile and/or Private access profile under Global Secure Access > Connect > Traffic forwarding. Then select the checkbox for the profile.

Enable Traffic forwarding (Global Secure Access)

When traffic passes through Global Secure Access, it undergoes evaluation starting with the Microsoft 365 profile and then progressing to the Private access profile. If any traffic does not match these initial profiles, it is not forwarded to Global Secure Access.

For each traffic forwarding profile, three key details can be configured:

  1. What traffic to forward to the service?
  2. What Conditional Access policies to apply?
  3. How do your end-users connect to the service?

You also need to download the Global Secure Access client on an endpoint, which at the moment supports only Windows 10/11 Enterprise OS.

The device must be Azure AD joined or Hybrid Azure AD joined to a tenant that has been onboarded to Global Secure Access. You need an Internet connection to Azure AD and the Global Secure Access service, and you need local administrator permissions during the client installation.
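The evaluation order described above (Microsoft 365 profile first, then the Private Access profile, otherwise the traffic is not forwarded) can be modelled locally so you can reason about what a Quick Access app segment will and will not capture before rolling it out. The following is an added example, not Microsoft code and not part of the original article: the two profiles, their application segments (FQDN patterns and an IP range with ports, as Quick Access segments are defined) and all hostnames and addresses are constructed for illustration, and the real Microsoft 365 profile is maintained by Microsoft and covers far more endpoints. It also goes a step beyond the text with an overlap check between Quick Access and per-app segments, a known limitation mentioned in the comments below.

```python
"""Local model of Global Secure Access traffic forwarding evaluation:
Microsoft 365 profile first, then Private Access, else not forwarded.
Added example, not Microsoft code; all profile contents are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


def _is_ip_target(target: str) -> bool:
    """True if the segment target is an IP address or CIDR range."""
    try:
        ipaddress.ip_network(target, strict=False)
        return True
    except ValueError:
        return False


@dataclass
class AppSegment:
    """One application segment: an FQDN (optionally with a '*.' wildcard)
    or an IP address / CIDR range, plus the ports it covers."""
    target: str
    ports: set[int] = field(default_factory=lambda: {443})

    def matches(self, dest: str, port: int) -> bool:
        if port not in self.ports:
            return False
        if _is_ip_target(self.target):
            try:
                return ipaddress.ip_address(dest) in ipaddress.ip_network(self.target, strict=False)
            except ValueError:
                return False  # destination is an FQDN, segment is an IP range
        host, pattern = dest.lower(), self.target.lower()
        if pattern.startswith("*."):
            return host.endswith(pattern[1:])  # '*.x.y' covers 'a.x.y' but not 'x.y'
        return host == pattern


@dataclass
class ForwardingProfile:
    name: str
    enabled: bool  # the checkbox under Connect > Traffic forwarding
    segments: list[AppSegment]

    def matches(self, dest: str, port: int) -> bool:
        return self.enabled and any(s.matches(dest, port) for s in self.segments)


# Constructed profiles. The real Microsoft 365 profile is managed by Microsoft
# and covers many more endpoints; two hostnames stand in for it here.
M365_PROFILE = ForwardingProfile("Microsoft 365", True, [
    AppSegment("*.sharepoint.com", {443}),
    AppSegment("outlook.office365.com", {443}),
])
PRIVATE_ACCESS_PROFILE = ForwardingProfile("Private Access", True, [
    AppSegment("*.corp.contoso.local", {443, 3389}),  # HTTPS and RDP to internal hosts
    AppSegment("10.10.0.0/16", {22, 445}),            # SSH and SMB to a private subnet
])
DEFAULT_PROFILES = (M365_PROFILE, PRIVATE_ACCESS_PROFILE)


def classify(dest: str, port: int, profiles=DEFAULT_PROFILES) -> str:
    """Name of the first enabled profile that matches, in evaluation order,
    or 'not forwarded' when no profile claims the traffic."""
    for profile in profiles:
        if profile.matches(dest, port):
            return profile.name
    return "not forwarded"


def _covers(a: AppSegment, b: AppSegment) -> bool:
    """True if segment a covers (part of) segment b on a shared port."""
    if not (a.ports & b.ports):
        return False
    a_ip, b_ip = _is_ip_target(a.target), _is_ip_target(b.target)
    if a_ip and b_ip:
        return ipaddress.ip_network(a.target, strict=False).overlaps(
            ipaddress.ip_network(b.target, strict=False))
    if a_ip or b_ip:
        return False  # FQDN vs IP range cannot be compared without resolution
    pat_a, host_b = a.target.lower(), b.target.lower().lstrip("*")
    if pat_a.startswith("*."):
        return host_b.endswith(pat_a[1:])
    return host_b == pat_a


def overlapping_segments(quick_access: list[AppSegment],
                         per_app: list[AppSegment]) -> list[tuple[str, str]]:
    """Segment pairs that overlap between Quick Access and a per-app Global
    Secure Access app; the documented limitation says to avoid these."""
    return [(q.target, p.target) for q in quick_access for p in per_app
            if _covers(q, p) or _covers(p, q)]


if __name__ == "__main__":
    for dest, port in [("contoso.sharepoint.com", 443), ("fs.corp.contoso.local", 3389),
                       ("10.10.5.20", 22), ("example.com", 443)]:
        print(f"{dest}:{port} -> {classify(dest, port)}")
```

Note that a wildcard segment such as `*.corp.contoso.local` does not cover the apex name `corp.contoso.local`, and that a disabled profile is skipped entirely, so traffic it would have matched falls through to the next profile or is not forwarded at all.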

#6 Logs and Monitoring

As an IT administrator, it is essential to monitor the performance, user experience, and availability of the traffic traversing your networks. The Global Secure Access logs offer a multitude of data points that can be analyzed to gain valuable insights into your network traffic.

We have three types of logs:

> Audit logs: The audit log of Microsoft Entra ID serves as a valuable resource for gathering information and troubleshooting within your Microsoft Entra ID environment. Within the audit logs, changes associated with Global Secure Access are recorded across multiple categories, including filtering policy, forwarding profiles, remote network management, and other relevant areas.

> Traffic logs: The traffic logs within Global Secure Access offer a concise overview of the network connections and transactions transpiring within your environment. These logs provide insights into the individuals accessing specific traffic, along with the origin and destination of such connections, as well as the outcome. By capturing a snapshot of all connections in your environment, the traffic logs further categorize the information based on the traffic that aligns with your traffic forwarding profiles. Within the logs, you can find pertinent details such as the traffic type, destination, source IP, and more.

> Enriched M365 logs: The Enriched Office 365 logs provide you with the necessary information to gain insights into the performance, user experience, and availability of the Microsoft 365 applications used within your organization. These logs can be integrated with a Log Analytics workspace and Microsoft Sentinel, or a third-party Security Information and Event Management (SIEM) tool, enabling you to conduct comprehensive analysis and investigation. First, you need to enable and connect Office 365 activity logs to Global Secure Access under Global settings > Logging.

At the time of this writing, SharePoint Online is available to collect logs, and Teams and Exchange are on the way.

Enriched Microsoft 365 logs

Please note that it can take up to 72 hours for the integration to complete. You can use Microsoft Entra ID diagnostic settings to export the data.

The Global Secure Access network traffic dashboard presents visual representations of the traffic flowing through the Microsoft Entra Private Access and Microsoft Entra Internet Access services, encompassing Microsoft 365 and Private Access traffic. This dashboard offers a comprehensive overview of deployment data and insights. Within these categories, you can observe the number of users, devices, and applications encountered within the past 24 hours. Additionally, device activity and cross-tenant access can be monitored through this dashboard.

Global Secure Access network traffic dashboard
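Once the traffic logs are exported (for example through diagnostic settings to a Log Analytics workspace or a SIEM), the same figures the dashboard shows can be reproduced and extended with your own detections. The following is an added example, not part of the original article and not Microsoft's export format: the JSON-lines records, their field names (user, deviceId, trafficType, destination, sourceIp, action, tenantId), the analysis time and the tenant identifiers are all constructed for illustration. It computes the per-profile counts of users, devices and destinations for the last 24 hours, lists blocked connections, and flags Microsoft 365 traffic that used an identity from a tenant other than your own, which is the data-exfiltration path the tenant restrictions section above is concerned with.

```python
"""Added example: analysis over constructed Global Secure Access style
traffic log records. Field names and values are made up for this example;
the real export schema differs."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export (JSON lines), one record per connection.
SAMPLE_TRAFFIC_LOG = """\
{"timestamp": "2023-08-01T08:00:00Z", "user": "alice@contoso.com", "deviceId": "dev-001", "trafficType": "Microsoft365", "destination": "contoso.sharepoint.com", "port": 443, "sourceIp": "203.0.113.10", "action": "Allowed", "tenantId": "contoso-tenant"}
{"timestamp": "2023-08-01T09:15:00Z", "user": "bob@contoso.com", "deviceId": "dev-002", "trafficType": "PrivateAccess", "destination": "fs.corp.contoso.local", "port": 3389, "sourceIp": "198.51.100.7", "action": "Allowed", "tenantId": "contoso-tenant"}
{"timestamp": "2023-08-01T09:20:00Z", "user": "mallory@fabrikam.com", "deviceId": "dev-002", "trafficType": "Microsoft365", "destination": "fabrikam.sharepoint.com", "port": 443, "sourceIp": "198.51.100.7", "action": "Blocked", "tenantId": "fabrikam-tenant"}
{"timestamp": "2023-07-30T10:00:00Z", "user": "carol@contoso.com", "deviceId": "dev-003", "trafficType": "PrivateAccess", "destination": "10.10.5.20", "port": 22, "sourceIp": "192.0.2.44", "action": "Allowed", "tenantId": "contoso-tenant"}
"""
HOME_TENANT = "contoso-tenant"                               # constructed
NOW = datetime(2023, 8, 1, 12, 0, tzinfo=timezone.utc)       # constructed analysis time


def parse_traffic_log(text: str) -> list[dict]:
    """Parse JSON-lines records and convert timestamps to aware datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def summarize_last_24h(records: list[dict], now: datetime) -> dict[str, dict[str, int]]:
    """Per traffic type: distinct users, devices and destinations seen in the
    last 24 hours, the three figures the network traffic dashboard reports."""
    since = now - timedelta(hours=24)
    seen = defaultdict(lambda: {"users": set(), "devices": set(), "destinations": set()})
    for rec in records:
        if rec["timestamp"] < since or rec["timestamp"] > now:
            continue
        bucket = seen[rec["trafficType"]]
        bucket["users"].add(rec["user"])
        bucket["devices"].add(rec["deviceId"])
        bucket["destinations"].add(rec["destination"])
    return {ttype: {k: len(v) for k, v in b.items()} for ttype, b in seen.items()}


def blocked_connections(records: list[dict]) -> list[tuple[str, str]]:
    """(user, destination) pairs for connections the service blocked."""
    return [(r["user"], r["destination"]) for r in records if r["action"] == "Blocked"]


def cross_tenant_activity(records: list[dict], home_tenant: str) -> list[dict]:
    """Microsoft 365 connections made with an identity from a foreign tenant,
    returned in a compact form suitable for forwarding to a SIEM."""
    return [
        {"user": r["user"], "deviceId": r["deviceId"], "tenantId": r["tenantId"],
         "destination": r["destination"], "action": r["action"]}
        for r in records
        if r["trafficType"] == "Microsoft365" and r["tenantId"] != home_tenant
    ]


def run_report(text: str = SAMPLE_TRAFFIC_LOG, now: datetime = NOW,
               home_tenant: str = HOME_TENANT) -> dict:
    """Run all three analyses over one export and return the results together."""
    records = parse_traffic_log(text)
    return {
        "summary": summarize_last_24h(records, now),
        "blocked": blocked_connections(records),
        "cross_tenant": cross_tenant_activity(records, home_tenant),
    }


if __name__ == "__main__":
    print(json.dumps(run_report(), indent=2, default=str))
```

The cross-tenant check is the one worth wiring into an alert: a managed device (dev-002 in the sample) reaching SharePoint with a Fabrikam identity is exactly what universal tenant restrictions are meant to stop, and seeing it in the logs as Blocked confirms the policy is doing its job, while an Allowed hit would indicate a gap in the tenant restrictions configuration.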

How Does Microsoft Entra Global Secure Access Work?

The diagram below illustrates the high-level architecture of Microsoft Entra Global Secure Access (Entra Private Access):

Global Secure Access app (Image credit Microsoft)

When a user requests access to corporate resources, Entra Global Secure Access acts as the gateway, authenticating the user’s identity. It verifies the user’s credentials and permissions before granting or denying access. If permission is granted, the user gains access to the requested resources, ensuring a secure and seamless experience. In cases where access is denied, Entra Global Secure Access blocks unauthorized attempts, maintaining the integrity of the organization’s data.

Enhanced Security

Entra Global Secure Access prioritizes security, making it a top choice for organizations that value data protection. The platform incorporates multi-factor authentication, encryption, and threat intelligence capabilities to safeguard sensitive information. It ensures that only authorized users can access resources, mitigating the risk of unauthorized access and potential data breaches.

Global Accessibility

With Entra Global Secure Access, geographical boundaries are no longer an obstacle to productivity. The platform enables users to connect to resources from anywhere in the world, facilitating seamless collaboration and remote work. Whether employees are working from home, on the road, or in a different office, Entra Global Secure Access empowers them to access corporate resources effortlessly.

Scalability and Flexibility

Microsoft Entra Global Secure Access caters to organizations of all sizes, offering scalable solutions to meet varying demands. It provides flexible deployment options, allowing businesses to choose between cloud-based or on-premises setups based on their specific requirements. This adaptability ensures that Entra Global Secure Access can accommodate organizations at different stages of growth.

Streamlined Management

Managing access to resources can be complex, especially in large enterprises. Entra Global Secure Access simplifies this process through centralized management capabilities. Administrators can efficiently control user permissions, define access policies, and monitor user activity from a single console. This streamlined management approach enhances security and reduces administrative overhead.

Conclusion

In this article, we explored the intricacies of Microsoft Entra Global Secure Access, a cutting-edge solution that combines security and accessibility. With its enhanced security features, global accessibility, scalability, and streamlined management capabilities, Entra Global Secure Access stands as a powerful tool for organizations seeking secure and efficient resource access.

Microsoft Entra Internet Access and Microsoft Entra Private Access form part of Microsoft’s Security Service Edge (SSE) offering. Both solutions are collectively referred to as Global Secure Access. Global Secure Access serves as the unified hub within the Microsoft Entra admin center and is constructed on the fundamental principles of Zero Trust, emphasizing the use of least privilege, verifying explicitly, and assuming breach.

Learn more about Microsoft Entra Security Service Edge (SSE) solutions.

FAQs

What does the service cost?

At the time of this writing, the Global Secure Access services are still in preview, and prices have not been published yet.

Can I publish any internal applications?

Yes, but at the time of this writing, it only supports TCP-based services, and all TCP connections are wrapped in a reverse TCP-based tunnel, so you should expect somewhat slower performance. UDP support is in development.

What kind of clients are supported?

At the time of this writing, only Windows clients are supported. The Global Secure Access Client is supported on 64-bit versions of Windows 11 or Windows 10. Additional client versions will be released in the upcoming months.

What is the difference between Private Access and Always On VPN?

Microsoft Entra Private Access presents a highly appealing alternative to Always On VPN, particularly for organizations utilizing native Azure AD join devices. The implementation of Microsoft Entra Private Access is considerably simpler compared to Always On VPN, as it necessitates no on-premises infrastructure aside from the Application Proxy connector.

Additionally, by employing Microsoft Entra Private Access, there is no need for inbound access from the Internet, resulting in enhanced security and a reduced public attack surface. However, for organizations utilizing hybrid Azure AD join, Always On VPN remains the preferred Microsoft solution for these specific scenarios.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 20+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.

10 thoughts on “Understanding Microsoft Entra Global Secure Access”


  1. Are known problems and solutions available? If I try to create a Quick Access Application, it fails with the error:

    “Failed to create default access application because one already exists”

  2. Hello Bento, thanks for the comment!
    Quick questions:
    > Is the Application proxy disabled or enabled for your tenant?
    > Do you have any existing Access Application that you created before?
    Since it’s a new service in preview, I would assume there are some known issues.
    If the issue still persists in the next couple of days, I would suggest opening a support case with Microsoft.
    Hope it helps!

  3. I have Private Access set up in my environment. It works well, except I cannot get the Global Secure Access client to work while on cell on my Windows 11 laptop. Do you know if there is a fix for this?

  4. Hello Nsanford, thanks for the comment!
    You mentioned that the Global Secure Access client is working well on your Windows 11 laptop over LAN/Wi-Fi but not through Hotspot/4G/5G, right?
    Could you please share the error that you are seeing and elaborate further?
    The Global Secure Access Client is supported on 64-bit versions of Windows 11 or Windows 10 with Microsoft Entra ID Premium P1 license. I am sure that you meet those requirements.
    Furthermore, connecting to networks that use a captive portal, like some guest wireless network solutions, might fail. As a workaround you can pause the Global Secure Access Client as described in the troubleshooting section.
    Hope it helps!

  5. How does the web content filtering provided by this, interact with the web content filtering provided by Defender for Endpoint?

  6. Hello Dean, thanks for the comment!
    Microsoft Entra Internet Access and Microsoft Entra Private Access work side-by-side with Microsoft Defender for Endpoint. These solutions complement each other.
    Microsoft Entra Internet Access isolates the traffic for Microsoft 365 applications and resources, such as Exchange Online and SharePoint Online.
    And Microsoft Entra Private Access provides a secure, zero-trust access solution for accessing internal resources without requiring a VPN.
    There is no conflict between Microsoft Entra Global Secure Access and Defender for Endpoint.
    Hope it helps!

  7. Great content. Works well in my environment in terms of Quick access but when configuring an Enterprise application (e.g. mstsc.exe in my case) it does not work.

    –> Error 0x904 Extended error 0x7

    VPN is no longer needed. ;-)

  8. Hello Sebastian, thank you for the comment and the feedback!
    Yes, VPN is no longer needed with Microsoft Entra Private Access :-)
    In regard to the error that you are seeing, Microsoft has documented some known limitations when configuring Per-app Access using Global Secure Access applications:
    –> You need to avoid overlapping app segments between Quick Access and Global Secure Access apps.
    –> Tunneling traffic to Private Access destinations by IP address is supported only for IP ranges outside of the end-user device local network subnet.
    –> At this time, Private Access traffic can only be acquired with the Global Secure Access Client. Remote networks can’t be assigned to the Private access traffic forwarding profile.
    Could you please verify the above points?
    Hope it helps!
