Alongside the product name changes, at the Microsoft Entra event on Tuesday 11 July 2023 Microsoft announced Microsoft Entra Internet Access and Microsoft Entra Private Access, which together are termed Global Secure Access.
With these new Global Secure Access services you can build unified Conditional Access controls within Microsoft Entra that bridge identity and network controls, so that access can be governed for any user, to any application or resource, whether it lives in the cloud or on-premises.
Let’s have a look at the two new components that form Global Secure Access services:
Microsoft Entra Internet Access
Microsoft Entra Internet Access is a Secure Web Gateway (SWG) that provides secure access to internet, SaaS and Microsoft 365 applications and resources while protecting your users and organisation from internet-borne threats.
Traffic to Microsoft 365 applications and resources is isolated into its own profile and forwarded to the service either by the Global Secure Access Client on the device or through a remote network, such as a branch office location.
One prerequisite worth pointing out is that devices running the client must be either Azure AD joined (now Microsoft Entra joined) or hybrid Azure AD joined. Azure AD registered devices are not supported.
The Global Secure Access Client can be downloaded from the Microsoft Entra admin center, and organisations deploy it with an MDM platform such as Microsoft Intune.
Alternatively, remote networks can be defined so that users can reach Microsoft 365 and other services without the Global Secure Access Client, provided of course that any additional Conditional Access policies are satisfied.
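Because the client only works on Entra joined or hybrid joined devices, a practitioner will want to confirm the join state of a fleet before pushing the client out through Intune. The following PowerShell is an added example, not code from the original post or from Microsoft: it parses the output of the built-in Windows tool dsregcmd /status and classifies the device. The field names it looks for (AzureAdJoined, DomainJoined, WorkplaceJoined, TenantId) are those dsregcmd prints today and are assumed stable; the sample output at the bottom is constructed, not captured from a real device.

```powershell
# Added example: classify a Windows device's Entra join state before deploying
# the Global Secure Access client. Parses "dsregcmd /status" output.
# Assumption: dsregcmd keeps printing "Key : Value" lines with the field names below.

function Get-EntraJoinState {
    param(
        # Raw lines from "dsregcmd /status"; omit to run the tool on this machine.
        [string[]]$StatusText
    )
    if (-not $StatusText) { $StatusText = dsregcmd /status }

    $fields = @{}
    foreach ($line in $StatusText) {
        # Field lines look like "             AzureAdJoined : YES"
        if ($line -match '^\s*(\S+)\s*:\s*(\S+)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # -eq is case-insensitive in PowerShell, so YES/yes both match.
    $aadJoined = $fields['AzureAdJoined']   -eq 'YES'
    $domJoined = $fields['DomainJoined']    -eq 'YES'
    $wpJoined  = $fields['WorkplaceJoined'] -eq 'YES'

    $state = if ($aadJoined -and $domJoined) { 'HybridJoined' }
             elseif ($aadJoined)             { 'EntraJoined' }
             elseif ($wpJoined)              { 'Registered' }   # Azure AD registered only
             else                            { 'NotJoined' }

    [pscustomobject]@{
        State          = $state
        # Only Entra joined and hybrid joined devices are supported by the client.
        GsaClientReady = $state -in @('EntraJoined', 'HybridJoined')
        TenantId       = $fields['TenantId']
    }
}

# Constructed sample (not real device output): a device that is only
# workplace joined, i.e. Azure AD registered, which the client does not support.
$sampleRegistered = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"

Get-EntraJoinState -StatusText $sampleRegistered
# Expected: State = Registered, GsaClientReady = False

# On a live machine, run with no arguments:
# Get-EntraJoinState | Format-List
```

Run it through Intune as a detection script or via a remediation package so that the client is only assigned to devices where GsaClientReady is true; a registered-only device that receives the client will simply fail to connect.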
It can simplify traditional network security for your organisation's users, apps and resources with capabilities such as universal access controls, universal tenant restrictions, token protection, web content filtering, a cloud firewall, threat protection and Transport Layer Security (TLS) inspection.
Microsoft Entra Private Access
Microsoft Entra Private Access offers your users secure access to your private applications and resources with an identity-centric Zero Trust Network Access (ZTNA) service.
Entra Private Access can be seen as the successor to Azure AD Application Proxy. Application Proxy only worked with web-based applications, whereas Entra Private Access also works with SSH, RDP, SMB and other TCP/UDP-based applications, allowing additional controls such as MFA, device compliance checks and identity governance to be applied to an application without modifying the application itself.
Microsoft’s Security Service Edge solution
Combined with Microsoft Defender for Cloud Apps, Microsoft's CASB, these services form Microsoft's Security Service Edge (SSE) solution and part of its SASE framework. It is built on the core principles of Zero Trust: verify every user explicitly, enforce least privilege, and assume breach.
The solution integrates with the rest of Microsoft's security portfolio and follows the principle of an open ecosystem, so it is designed to work alongside and supplement your existing network and security solutions.
Internet Access and Private Access share the same agent, which supports multiple platforms and operating systems and is designed from the ground up to provide a consistent connectivity experience across devices and networks.
References
https://www.microsoft.com/en-us/security/blog/2023/07/11/microsoft-entra-expands-into-security-service-edge-and-azure-ad-becomes-microsoft-entra-id/
https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-expands-into-security-service-edge-with-two-new/ba-p/3847829
Great post.
Any thoughts on pre-authentication?
When I hit xyz.com in the browser, the App Proxy service was completing the pre-auth.
I was NOT required to create any CA policy where target-resource=xyz.com.
I can of course create a CA policy if I want to do more secondary checks.
How about pre-auth during GSA Private Access?