Introduction
The way people conduct their work has undergone a transformation. Rather than adhering to conventional office setups, individuals now have the flexibility to work from virtually any location. As applications and data make their way to the cloud, there arises a need for a contemporary workforce to have a security infrastructure that is both identity-aware and cloud-based. This emerging category of network security solutions is referred to as Security Service Edge (SSE) which is a standalone subset of Secure Access Service Edge (SASE).
The primary objective of SASE architecture is to deliver a user experience that is both smooth and secure, ensuring optimized connectivity. This approach is designed to accommodate the ever-evolving secure access requirements of modern digital enterprises. Instead of funneling traffic back to conventional data centers or private networks for security assessments, SASE empowers devices and remote systems to effortlessly reach applications and resources from wherever they are, at any given moment.
Within Microsoft's Security Service Edge offering, you'll find two key components: Microsoft Entra Internet Access and Microsoft Entra Private Access. These two elements collectively fall under the umbrella term "Global Secure Access," which is currently in preview. Global Secure Access serves as a centralized hub within the Microsoft Entra admin center, and it is built upon the fundamental tenets of the Zero Trust security model. This approach emphasizes the principles of providing the least privilege, explicit verification, and the assumption of a potential breach.
In this blog post, we will delve into Microsoft's Global Secure Access solution, focusing on Entra Internet access to M365 apps but before we do, let's talk about some of the key core concepts.
Understanding the Concepts
Before we dive into the specifics of Microsoft's Global Secure Access, let's familiarize ourselves with some essential concepts:
SASE - Secure Access Service Edge
SASE is a comprehensive approach to network security that combines network connectivity and security functions into a single cloud-based service. It provides secure access to cloud applications, data centers, and the internet from anywhere.
ZTNA - Zero-trust Network Access
ZTNA is a security model that verifies explicitly and continuously validates access requests based on received signals. It assumes zero trust and requires strong authentication and device compliance.
CASB - Cloud Access Security Broker
CASB solutions allow organizations to monitor and control interactions between users and cloud applications, ensuring security measures like blocking file downloads and preventing data loss.
SWG - Secure Web Gateway
SWG solutions protect organizations from internet threats by blocking access to certain URLs, filtering content, and preventing access to specific website characteristics.
FWaaS - Firewall as a Service
FWaaS leverages cloud-based firewalls to protect networks and applications without the need for on-premises hardware.
SD-WAN - Software Defined Wide Area Network
SD-WAN is a technology that enables users to connect to a cloud provider's global network, eliminating the need for traditional MPLS connections.
SSE - Security Service Edge
SSE encompasses all the above services but excludes SD-WAN, providing a comprehensive security framework for organizations.
The Legacy Problem: VPNs
Traditional VPNs connect users to network segments rather than specific applications. This can pose a security risk, as attackers with credentials can gain access to multiple resources, potentially leading to reconnaissance and lateral movement. VPNs also suffer from issues related to scalability, performance, and redundancy.
Microsoft's Approach: Global Secure Access
Microsoft's Global Secure Access solution is designed to address the shortcomings of legacy VPNs and provide enhanced security and accessibility. Here's what sets it apart:
Advantages of Security Service Edge (SSE)
Microsoft's SSE overcomes these challenges:
Clients connect to the nearest Point of Presence (POP), ensuring optimal performance.
Cloud scalability, performance, and redundancy are built in.
Access is provided to cloud apps, websites, on-premises apps, and multi-cloud environments.
Security controls like FWaaS, SWG, and DLP are available as needed.
SSE addresses security concerns by aligning security measures with modern digital environments, where workloads, devices, and users are always moving, and traditional perimeter-based security models are no longer effective.
SSE Cloud Provider Requirements
To be effective, SSE solutions require:
A fast, reliable, and secure global network.
Geolocated Points of Presence (POPs) for efficient access.
High-performance, reliable, and scalable virtualized services.
Identity and access management based on a zero-trust framework.
State-of-the-art threat intelligence.
Microsoft ticks all these boxes, making it a trusted choice for organizations seeking secure global access.
Client-to-App Connectivity
In Microsoft's SSE solution, clients authenticate through Entra ID Auth & CA to create a secure, authenticated tunnel to the service edge. Traffic forwarding profiles determine which traffic is routed via the global secure network, with additional security controls applied, as necessary. This results in secure access to M365, cloud SaaS apps, internet websites, on-premises apps, and multi-cloud environments.
Adding layers to the onion
Devices must be either Microsoft Entra joined or Microsoft Entra hybrid joined, registered devices are not supported. Adding an additional layer of protection within the prerequisites means it's much harder for attackers to take advantage of the solution, unlike a traditional VPN where a configuration and credentials can be stolen and used on virtually any device.
Branch Office Solution
For branch offices, remote network links using IPsec/IKEv2 from Customer Premises Equipment (CPE) to the edge provide the same features. Border Gateway Protocol (BGP) is used to advertise routes efficiently.
Current challenges of remote networks
Remote networks are typically connected using methods such as site to site virtual private networks (S2S VPN) or through a dedicated Wide Area Network or Multi-Protocol Label Switching (MPLS). The problem with these traditional technologies is that they are difficult to scale and with the addition of more and more Sofware as a Service (SaaS) applications such as Microsoft 365 the requirements for low latency and jitter-less communications is ever growing.
How does it work?
Connecting remote networks to Global Secure Access is achieved by configuring an IPSec tunnel between your on-premises equipment and the Global Secure Access endpoint. This will then force all traffic you specify through the tunnel to the nearest endpoint and allow you to apply security policies from the Entra admin portal.
Why remote networks?
The alternative method for using Global Secure Access is to install the GSA client on each device but if you have static devices and users or devices are based in a physical location then remote networks removes the hassle of deploying the client to many devices. In addition, the client is currently only supported for Windows 10/11 if you have other devices such as Linux, cameras, printers, etc then the traffic from these devices can also be monitored and secured via the Global Secure Access tunnel and endpoint.
New CA Features
Microsoft's latest Conditional Access (CA) features allow organizations to fine-tune their security policies based on traffic type:
For M365 traffic, specific CA policies can be imposed to target traffic to those apps.
Internet traffic can follow a distinct policy targeting Internet traffic profiles.
Private traffic can also utilise a distinct policy targeting Private app traffic profiles within policies.
A new Condition within Locations has been added 'All Compliant Network locations' which encompasses the ZTNA edge network. With this location we can configure custom policies that, for example, would block access to resources unless connected to the SSE.
Implementing Microsoft Entra Internet Access for Microsoft 365 traffic
Entra Internet Access allows you to isolate the traffic for Microsoft 365 applications and resources, such as Exchange Online and SharePoint Online. Users can access these resources by connecting to the Global Secure Access Client or through a remote network, such as a branch office location.
So, what are the key features and why would do you need this solution?
Optimised Connectivity: Entra Internet Access optimizes connectivity to Microsoft 365 services. It ensures that users can access these services with minimal latency and network congestion, resulting in a smoother and more efficient user experience.
Global Reach: Microsoft has a vast network of data centers and Points of Presence (POPs) worldwide. Entra Internet Access leverages this global reach to provide reliable access to Microsoft 365 services from anywhere in the world. This is especially valuable for organizations with a distributed workforce or global presence.
Zero Trust Network Access (ZTNA): Entra Internet Access aligns with the Zero Trust model, ensuring that trust is never assumed. Users and devices are continuously authenticated and authorized, reducing the risk of unauthorized access and insider threats.
Conditional Access: Prevent stolen tokens from being replayed with the compliant network check in Conditional Access.
Application Segmentation: Entra Internet Access allows for the segmentation of Microsoft 365 traffic from other internet traffic. This segregation ensures that Microsoft 365 traffic is treated with the specific security and performance measures it requires.
Dynamic Access Management: Organizations can dynamically manage user privileges and entitlements, ensuring that users have the appropriate level of access to Microsoft 365 services and no more. This reduces the risk of data breaches due to overprivileged accounts.
Integrated Monitoring and Logging: Detailed monitoring and logging capabilities allow organizations to track and audit user activities, ensuring compliance with security policies and providing valuable insights for incident investigation and reporting.
Performance Optimization: The solution ensures that users get the best possible performance when accessing Microsoft 365 services. This is crucial for maintaining productivity and user satisfaction.
Data Exfiltration: Apply universal tenant restrictions to prevent data exfiltration to other tenants or personal accounts including anonymous access.
Third Party Solutions: Entra Internet Access can be deployed alongside other, third-party SSE solutions.
Licensing
Currently the preview requires Entra ID Plan 1 and to use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended. I am unsure why this recommendation exists, but my guess is that it will be a Microsoft 365 Apps for enterprise feature, I hope they don't exclude this from the Business Premium license though, here's hoping!
Deployment
Activation
First thing you will want to do is enable the feature within your tenant which you can do from the Entra admin portal and then underneath Global Secure Access (Preview)->Get started, from here just Activate the feature.
Session Management
To use features within Conditional Access and Identity Protection you must enable Adaptive Access from within the Session Management settings underneath Global Settings. When you turn this feature on Global Secure Access signalling enables client IP restoration which is then used by Conditional Access, Continuous Access Evaluation, Identity Protection, and Microsoft Entra ID sign-in logs. These signals provide network location information allowing you to create policies that restrict user access to specific apps based on their use of Global Secure Access via the GSA client or a remote network. You can if you want to enable Tenant Restrictions here at the same time although we will not be digging into that feature today. Remember to save the change.
Traffic Forwarding
For your chosen traffic to go via the Secure Service Edge the GSA client must know what traffic you want to send to the SSE, and this is where Traffic Profiles come into play. You can find these from the Global Secure Access dropdown and then Connect->Traffic forwarding.
The profiles you see here currently are for Microsoft 365 access (M365 traffic) and Private access (privately hosted applications, either on-premises or in multi-cloud environments), you can expect Internet access profiles to be available here once they go into public preview. For this blog we will just enable the M365 one.
Selecting the checkbox will require an additional prompt to confirm that by enabling this profile it can then be used to direct all global secure access client's traffic for this profile type.
Currently the profiles only cover Exchange Online, SharePoint Online and OneDrive for Business as well as some other common and Office online endpoints, you can expect more Microsoft 365 services to be added over time. Selecting the View icon on the policy allows you to see these in more detail and should you want to, you can specify whether to forward or bypass that traffic to the Secure Service Edge or bypass it.
Deploying the Global Secure Access client
Deploying the client using Intune is simple. Just download the client from the Entra portal underneath Global Secure Access (Preview) -> Devices -> Clients
Take note that the device must be Entra joined, or Hybrid joined to a tenant that has onboarded to Global Secure Access.
Using the GitHub - microsoft/Microsoft-Win32-Content-Prep-Tool: A tool to wrap Win32 App and then it can be uploaded to Intune go ahead and turn it into a Win32 app and upload it to Intune.
You can use the following install and uninstall commands.
Install command: GlobalSecureAccessClient.exe /quiet
Uninstall command: GlobalSecureAccessClient.exe /uninstall /quiet
Go ahead and add your own requirements - For the detection rules I have gone with the below manually configured File type detection.
Path: C:\Program Files\Global Secure Access Client\
File or folder: GlobalSecureAccessClient.exe
Detection method: File or folder exists
You may wish to use environment variable instead if more appropriate.
Then just go ahead and deploy as required to your devices.
Once installed you will see the icon in the task tray and will be prompted to sign in (the green tick indicates authenticated and connected).
Conditional Access
Once you have enabled these settings your next step will be to configure your Conditional Access policies to use the traffic policies or alternatively will allow you to require connecting to the secure network (the SSE) before you can access Microsoft 365 services as you will see a new Named Location has been automatically created.
If we hop over to our policies, we can start using this new functionality and to start with we will look at using the new named location and create a policy that blocks access to Exchange and SharePoint Online unless connected to the compliant network.
Here we have our policy with a descriptive name, targeting my test user Ellen Ripley and targeting the Exchange Online and SharePoint Online applications.
Here we are ensuring the policies applies to any location.
And here we want to exclude our newly created All compliant Network location (our Secure Service Edge).
And finally, we are blocking access in our grant controls.
To sum up this policy...
If Ellen Ripley attempts to access Exchange or SharePoint Online from any location except via the Secure Service Edge, then block access. By configuring the policy in this way, it ensures there is absolutely no access to those resources without first authenticating via the GSA client and connecting to the SSE network. Let's see how that looks on the client.
First let's try ping SharePoint. Here we can see we get an IP of 13.107.136.10.
Now let's sign into portal.office.com - Great, we can sign in no problem!
Now let's see what happens when I try navigating to SharePoint Online.
Bingo! We are unable to access SharePoint, which at this stage is what we expect. For good measure, lets attempt to access Outlook on the web also.
Surprise, surprise we get the same block page, great. But what about if we try to access Office online, like for example Word.
OK so we can access the Word online application, but what about accessing or attempting to create a new file which will automatically store it in OneDrive. OneDrive is part of SharePoint Online, so it is expected for there to be no access.
And just as we expected, Word online is unable to create the document as access to OneDrive is also blocked.
Now let's see what happens when we enable the GSA client and authenticate via the app. To do this we must resume the GSA client which we do by right clicking the GSA client icon in the task tray and then selecting resume. Keep in mind if you have not already authenticated in the GSA client then you will be prompted to do so, you can simulate this should you want by instead selecting Switch user which will require re-authentication.
Now let's try ping SharePoint Online again.
Here we can see we get a new IP, and this is the IP address associated with the Secure Service Edge.
Now let's attempt to access SharePoint and Outlook on the web again.
Bingo. Both are now available as is creating Word online documents or accessing documents in OneDrive.
Network traffic profiles in Conditional Access
In addition to using the All Compliant Network location we can also target the Global Secure Access traffic profiles that the policy applies to. By doing this we can enforce other requirements, such as MFA or MFA strengths and/or requiring a compliant or hybrid joined device or even acceptance of Terms of Use before access is provided.
For the below configuration to work, you must configure the Grant controls first as for some reason once you have selected the Global Secure Access target resource, the Terms of Use options are greyed out. I am unsure if this is intentional or not, but it works and is fine for the purposes of testing.
Once that is applied you can see we get an additional authentication prompt in the GSA client, requiring us to accept the Terms of Use.
You can find more info on these traffic profiles in Conditional Access here: How to apply Conditional Access policies to the Microsoft 365 traffic profile | Microsoft Learn
Conclusion
To summarise the key takeaways.
Cloud-based applications and data require modern security infrastructure.
Secure Service Edge (SSE) is a subset of Secure Access Service Edge (SASE).
Traditional VPNs connect users to network segments rather than specific applications which can lead to security risks and other issues.
Clients authenticate through Entra ID and Conditional Access.
Branch office solutions are available for efficient route advertising or use with other operating system.
GSA client requires Entra joined, or Hybrid joined devices.
Microsoft 365 applications and resources are isolated via Entra Internet Access.
Requires Entra ID Plan 1 and Microsoft 365 E3 minimum.
The blog post outlines the features and benefits of Microsoft's Global Secure Access solution, focusing on Entra Internet access to M365 apps. By implementing this solution, organizations can optimize connectivity, enhance security, and adapt to the evolving digital landscape.
Thank you for taking the time to read this article, I hope to add to this with other Global Secure Access related content in the future.
For more information on Microsoft's solution check here: What is Global Secure Access (preview)? | Microsoft Learn
Comments