Deep Dive on Microsoft Entra Internet Access

Captions
Hey everyone, in this video I want to talk about the Microsoft Entra Internet Access solution. I mentioned it in a previous video when I talked about the security service edge, but it was in private preview at the time, so I couldn't show a lot about it. Well, now, at time of recording, it's in public preview, so I can finally talk about it.

So if I think about what this solution is actually doing: well, we have the internet, and the internet is full of wonderful places. We have all of these great, wonderful things there to bring us joy and happiness and productivity. But there's also another side to the internet, a side where there are these bad, sad things designed to bring us great misery and sadness and trying to trick the users. It's all gray and it's horrible. So ultimately our goal when we think about this solution is: okay, there's the internet, and what I want to do, as the user sitting at their machine, is provide protection from that. I want to provide protection on them clicking a link, just looking at some website, and it goes to a bad site. Maybe it's a phishing email with a link hidden in it, maybe it's a QR code that is tricking them, but I want to stop them going to these bad sites. Or maybe it's not even a bad site; it's a site that, from a certain corporate machine, a certain environment, I don't want them leveraging, or I need some control around it. Because, hey, we educate our users, and ideally we would protect them in the first place: if it's email, we have solutions in our email to never see those links, those QR codes, in the first place. But nothing's perfect, things do get through.

So if we think, well, what is this actual solution? What we're focusing on here is Entra Internet Access, and what it's really providing me, if I think about the all-up, is a secure web gateway. So if that is the internet, what we're now going to have is Entra Internet Access, and the goal would be, I'm focused on, yes, the general internet, so just general sites, but it might also be those sites that are, for example, SaaS applications but are not federated. Remember our key goal, if possible: if we think, well, I have my Entra tenant, so we've got our Entra ID, in an ideal world if it's a SaaS app then I federate it. It's using our Entra tenant for its authentication, it then becomes a known application to Entra, and I can then apply very, very granular conditional access policies to it. So this is my preference. But maybe I can't do that, maybe it doesn't federate, maybe I didn't want to for some reason. And so now I can think about, well, it's just general internet sites, it's non-federated SaaS, and I want to provide protection for them.

So now the path for the client would be: well, instead of the path going, hey, directly out to the internet, now what's going to happen is that path is going to go to this edge and then go through, and at this edge (it's supposed to be a magnifying glass, I can't really draw) we can make decisions on: do we allow it, or do we block that traffic? So this is what it's going to provide. Anything on the client (it doesn't have to be the web browser, anything that wants to talk to the internet) is actually going to go to the Entra edge. It will be inspected based on rules we're going to create, which will control if it's allowed or blocked. So this is the whole point of the solution.

Now I do want to stress I'm talking about Microsoft Entra Internet Access. There is a separate set of technologies leveraged for Microsoft 365 traffic. Microsoft 365 has its own capabilities, and there are some extra special things built into Entra around controlling that; they can go into detail about, hey, stopping data exfiltration and a whole set of other things. So I'm not talking about that. I'm going to talk about just the basic Entra Internet Access solution today.

Okay, so how do I actually get going with this solution? As I talked about, it's going to now send that traffic over here to that Entra edge, and I can think of it like this: I'm
going to create these rules that will allow me to maybe group based on a category. So there's going to be a lot of well-known categories built in, there's going to be fully qualified domain names I can leverage, and there are other things coming on the roadmap. And what I want to do is really talk about this whole set of capabilities in a lot more detail.

So what's step one? Step one is, well, I need the client to know: hey, internet traffic, I want to send it to this Entra Internet Access edge solution. So we have to get the client. Step one is to go ahead and install the client. So if we jump over to the portal for a second, now I'm using the Entra portal, so that's entra.microsoft.com, and I'm going down to my Global Secure Access area, and then from here I'm going to Connect and then I have my Client download, and it's going to show me the client. Now notice there are Android and iOS and other things coming out; today, at time of recording, internet access does not work for iOS or Android, it's really focused on that Windows client. So I would go ahead and download this client. Now once I've downloaded the client I go ahead and install that client, and I install the client using all of the regular means: I could install the client using Group Policy, I could install it using Intune, I could absolutely just manually install it (obviously that's not scalable). I'm going to install this GSA client, and when I install the GSA client all I'll really see initially is just this little icon. So I'll see it in the corner, my GSA client, it will be sitting there all happy. Okay, great, so the client is installed. Now what?

Now one thing you will ask is, well, how does it update? Today it doesn't automatically update; I would need to go and get the new version and deploy it with the updated Intune or the Group Policy. That will change in the future, so that whole update experience, there's a roadmap (obviously I don't ever talk about future things), but that whole experience will change very much.

And this client authenticates. So this client will now go, as part of my identity (I choose who I want to authenticate it as), the client will now go to Entra and it's, hey, I need to authenticate, and just like everything else it's going to generate me the token, my access token, that it will send back. Because all of the interactions with that edge are always going to be authenticated. You think zero trust, verify explicitly: it's constantly going to be using this as part of that authentication to prove, yes, I am who I say I am, and as we're going to see it's used for some other things as well. But it has that authentication.

And if we just go and look super, super quickly, let's just jump over for a second. So this is a machine, and let me just turn off my little logo for a second so you can actually see all the detail. So down here in the bottom of the screen there's its icon; that is the Global Secure Access client. Now if I was to double-click it, it shows me some basic status of that client. It's actually doing something weird, it's not overlaying properly, but I can see it's M365 connected, Private connected, Internet connected, and the version. And likewise, if I, let's close that, I can select Advanced Diagnostics. And also, I guess, while I was there, if we right-click we do see, hey, I could log out and log in as a different user, we can pause, resume, restart, collect logs for troubleshooting purposes, then we have this Advanced Diagnostics. And it's the Advanced Diagnostics that I've launched over here (logo back on so I don't forget), and we can see basic information. So I can see details about the forwarding profile, my client version, and at this point I'm going to go into more detail about this, but we have the health check. So if you're ever experiencing a problem it's nice to go through the health check, and it's showing all of the different steps that it has to go through, checking, hey, the edges are reachable, proxy, everything is looking good on this particular box. So at this
point, hey, everything is looking good on my client. Okay, perfect. So how do I actually start leveraging the technology? Because that's just the base component; it's there on the OS so that now, when I do a few other things, instead of my internet traffic going directly here it's going to follow this path. I don't want it going and talking directly to the internet.

So the first real step of the configuration, actually, let's just give ourselves a lot of space, let's move all the way over here. So we're doing a whole bunch of configuration right now on the Entra side, and then ultimately at the end you'll see, hey, it just all comes together for the client experience. So the first thing I have to do is say, well, I want to enable that GSA client, because the GSA client is also used for things like Microsoft Entra Private Access (it replaces the Azure AD App Proxy client) and it's used for internet access. So it's this single client, so I have to tell it which bits of functionality I want it to be enabled for. And so I'm going to say, hey, of all the different features, yep, I want to use it for internet access. So that's my step one: I have to tell the client, yes, you are going to do internet access. So if we go and look in our configuration, because there are all these different areas, if we look at our traffic forwarding rules, so I'm in that Connect, Traffic forwarding, I tell it which profiles I'm enabling. So this is: I've enabled the internet access profile, and you can see it says, hey, it's all traffic except Microsoft 365. So this is that big first step to start the configuration.

And that is now on the client. Remember that GSA client: if I go and look at the GSA client, what that has been responsible for is, I have forwarding profiles. This tells it which traffic goes where, and we can see, well, great, there's those Microsoft 365, private access and internet access. Now this is in public preview, so I'm just going to caveat what you're about to see, but it tells it, hey, look, certain traffic, bypass. Obviously it doesn't want to send traffic to its own edge via the edge, it would get stuck, so it's like, don't send it to the edge. But everything else is going to tunnel. Now it's got some entries in here, I think for testing purposes fundamentally, but this one is the most interesting to me: good old regex. So this is the primary rule that is telling which traffic is tunneled. So today we can see it is DNS based. Again, it's public preview; my understanding is IP rules will come as well, so I won't bypass it by doing an nslookup and then just typing in an IP. Today it's focused on that DNS name, and I can see it, and I can only assume someone in the UK does some testing, and they really should be being obviously, but you get the idea. Um, it's now configured. This forwarding profile is telling it, well, which traffic should be sent to that edge, and that's the important point. Now I cannot change that; that is part of the configuration. I do not set what I want to send to that edge, that's just part of the core capability. So that's telling it now, hey, the traffic I need to send to the tunnel it's establishing. It's totally invisible to the client, so it's that layer 7 HTTP/HTTPS, you're going to go and redirect.

And I do want to really stress a point here: this is not a browser extension. This is everything in the network stack on that machine. So it could be a program, yes, it could be stuff I'm looking at in the browser, but it is at the machine level. Now anything internet based, instead of going that way, is going to go to our Entra Internet Access edge. So it's really important to understand that fact. This is not just, hey, when I'm surfing the web on a browser, it really is everything that I'm going to do. Okay, perfect.

So now I have to start defining what are the things I want to allow or I want to block. I need to go into those details, and so the default is it's just allowing the traffic, so I need to go in and create logical groupings. And if I think about it, there's going to
be many different scenarios I'm going to have where I want the same group of sites. So the first thing we do is we create web filtering policies. So I'm going to start on this end and try and give myself as much space as possible. So my step one, well, I guess that was step one: web filtering policies. Now these web filtering policies, as I come over here, are really just focused on, I'm creating those logical groupings of categories and/or fully qualified domain names. So I would think about, okay, well, I'm going to create a new web filtering policy, I'll call this one Social, and for each of these groups of web filtering policies I specify a certain action that I'm going to do. So this one, well, for Social, this is Block, and then inside that I say, hey, well, I'm including category X, category Y, I'm including a certain fully qualified domain name (could have some wildcards in there, whatever I want). Then I'm going to do another policy; I'll create another policy called Work, and maybe for the Work one this is Allow, I'm specifying sites I want to allow, so that may have a different category, it's going to have its fully qualified domain names, and you get the idea. I kind of go on and on, and then I would create another one, just call this one Group, maybe this one is Block, and then all of its rules. So I'm going and creating these logical groupings that I'm going to want to use later on.

So let's go and look at the portal. So I go and look at my Secure, and I can see under here Web content filtering policies. So I select this. Now I've created some already; you can see within them there's a certain number of rules. So if I was to look at Stop social and entertainment, for example, you can see my action is to Block, so I can only have one action, it could be Allow or Block, and what I'm doing here is, well, it's web categories, so I'm blocking Social networking, Games and Sports, and then I've also added one that selects Gambling, so I can select multiple categories in one rule. Let's just create a new one and just call it Test, oh, if I can type the letters right, call it Test, and again I select, is it Allow or Block. Then in my policy rules I can add multiple rules. So I'm going to add a rule, we'll call this, just again, you would give this very logical, useful names, not what I'm doing, but I can select web categories. I think there's currently 76 web categories, so Hacking, Hate and intolerance, Illegal drugs, Illegal software, Violence, Image sharing, Finance; you would select the ones, so I could select multiple things in here, I'm just randomly selecting them, whatever that is, click Add. I could go and add some more rules, so I could say category Y, and again I want useful names really, but I'll just select some other things. I could also add in fully qualified domain names, and I can use wildcards, so I could say, well, *.savilltech.com, that's never any good, so I could put that in as well if I wanted to. You just add. So it's just, I'm creating a really logical grouping that I'm going to want to use again.

I've already created these, so I've got other ones: one that blocks YouTube. Now YouTube has youtube.com, then there's studio, and YouTube works a little bit funny, so you can see I added two fully qualified domain names, I added *.youtube.com and youtube.com. I've got another one that allows: so I created one that allows specifically LinkedIn, so anything linkedin.com I'm allowing. But I'm just going through: No savilltech.net, well, blocks www.sa.net.edu, have the wildcards, I have all these different combinations, but I'm going to end up with these logical groupings. So I've got these four logical groupings, some of them are Allow, some of them are Block, and I can see all of that detail right here. So these are just units of logical grouping that I'm now going to be able to use elsewhere.

Okay, now I want to start thinking about, let's combine those into a certain profile that I actually want to leverage and apply to different groups of users. So great, we've created the web filtering policies. Now what I need to do is create those security profiles. So now we'll go ahead and create our (make sure I get myself enough space) security profiles. Now once again they have a name, so I'm going to add a security profile and again give it a useful name; I'm just going to say Profile 1 here. I give it a priority, so we have to track this a little bit, and it'll make more sense when I show it to you, but the profile has a priority. So this profile I'm going to say has a priority of 110, and then I just link these web filtering policies to it. These were defined as their own objects; I'm going to use them in a profile. So I'm going to say, well, the Work one, I'm going to add that in, and I give it a priority, so this is its relative priority within this profile. So this one has a priority of 100, and then I'm going to allow this one, and that one, give it a priority of 200. Um, now I'll create another one, I'll create a Profile 2, I'll give this one a priority of 200, and once again I'll add some. I'll actually add this one in to here as well, I give that a priority of 100, um, and also I'll add this one in. Actually, I'll just leave that one as it is. There's also a special priority, so I'm going to create a profile just called General, it could
be All. I'm going to give this one a priority of 65,000 and I'm going to add this one in, and I give that a priority of 100, doesn't matter. This is special: this one would apply to all internet traffic, whether this profile is used as part of a conditional access policy (which we're going to see in a second, how we assign these) or not. If I give this 6500 I can only have one, because the priorities of each of these security profiles have to be unique, which is going to make sense. This one is general and applies to everything.

Now the reason we have priorities within the profile we're linking these to is: what if they conflicted? So for example this one allows, let's say, the fully qualified domain name linkedin.com. Well, this category here maybe was Social, which blocked it. So if I just applied them and they had equal weight, what does it do with LinkedIn? So by having a priority within the profile, well, this is a higher priority, so allowing LinkedIn comes first, and even though LinkedIn is then blocked by Social, it's a lower priority than the one that allows it, so it would have the access and be allowed. So that's why we have the priorities, and it makes total sense: we have groups of block and allow, well, how should that work? Then you can imagine scenarios will occur where, as a user, there are going to be multiple conditional access policies that apply to me; I may have multiple profiles applying to me. Well then, what if the profiles conflicted? That's why the profiles have a priority. So again, take this scenario: Social was blocked completely in this profile; in this profile Social was blocked but it allowed LinkedIn. Well, this profile has a higher priority than this profile, which means, hey, LinkedIn is still going to work, because the profile is higher than this one. That's why there are those two sets: within it, it's just relative to each other; the profiles is, hey, if there's a conflict between those.

So let's go and see that, and I think it will make a lot more sense. So we had the web content filtering policies, great. Now we use them in a security profile. So I could just go ahead and create one, um, Test, enabled, so I enable it, and I have to have a priority. This has to be unique: I cannot have the same priority as one I've used already. So we can see here I've got priorities 110, 200 and 6500. So if I try and create a profile, if I select 110, if I actually went through (I need Test), it won't ultimately let me. I don't know when it does the check, but it wouldn't let me actually create it: error, profile with the same priority 110 already exists. So it has to be unique, which makes sense. I would not start at one, because what if something comes along in the future that you need? So I like big gaps, like groups of 100s; you have a huge 65,000 to play with. Notice if I hover over the "i" it's telling me a special one: if you use 6500 it applies to all traffic, it does not need to be linked to a conditional access policy. So that 6500 is a special one. Let's just say I'm going to say this is 500; I'm not going to use this one anyway. And now I just go and link the policies. So I can use an existing policy, I'll select it from the groups that I have created, so I say, hey, Block YouTube, and remember I'm giving it a relative priority within the profile, so maybe this one is 300. I could then add another one that may be, um, Allow LinkedIn (I mean, obviously it's not conflicting), but I'll give that 100. So I'm creating that relative priority within the profile. So that's the whole point of these.

And so in my case, if we look at what I did, my highest priority (let's just expand all of these out), my highest priority of 110 has three of those web filtering policies in it. The highest priority is Allow LinkedIn, priority 100; the next is Stop social, which would block LinkedIn because it's that social category, but a higher rule within there allows it; and then I'm blocking YouTube. Then I have another security profile that just stops the social, but notice its priority of 200 is less than this one that is 110, so if they ever
conflicted I'd still be able to get Allow LinkedIn if they apply to the same user. And then I've got this 6500 that will apply to everyone, and we want to block that trash savilltech.net, no one should look at that ever. So you can see how those things are really all coming together to give those protections. So that's the point of how it really all comes together to give that solution.

So great, now we've got profiles that actually include them and do the things we want to do. Fantastic. I need to use them. So the last step, as applies to nearly everything whenever I think of Entra: conditional access. So now I'm going to create conditional access policies. So I'll create conditional access one. I apply, I have a certain target, it could be a user; I'll say it's applying to user group one, and be very lazy. And then what is it targeting? Is it an application? Well, it's targeting Global Secure Access, and it's targeting Internet. And then, because it's using GSA and Internet, I have to specify, well, which security profile. So my profile, I'll use this one. Now I can only have one; this is not, I can specify multiple profiles, each conditional access can use one profile. And remember we have the action: the action we're going to allow. This is a very important point. You might think, oh well, most of these are blocking, I should set the conditional access to block. No. The web filtering policy takes care of the action the edge should do to the traffic. If I say block for, remember, internet access, it's just going to block access to the internet completely, like for the whole machine. Never use block. I wouldn't even really use things like, uh, require MFA, because again it's at the machine level. Those policies apply all-up, top level, internet, not to the sites within this policy. So if I was to set this to require MFA, as soon as the client tried to authenticate, the first thing that tries to talk to the internet, it would do MFA then. So really my profile is just going to say allow action, and then I could have another policy, conditional access 2, maybe it targets a different group, group two, once again it's GSA, it's Internet, my profile will be this one. Okay, it's always one to one, and I'll do allow. Remember this one, do not link, you don't need to, it applies to everything; the 6500 is special, it's always going to apply. That's really the key point in all of this.

So let's show this as well. So great, I've got my security profiles. Now I would just go to my regular conditional access, create a new policy, target whatever users and groups you would normally do, but when I do target resources, I'm targeting Global Secure Access, specifically I'm going to target Internet. And then the only thing I now have to do is, for Session, I have to check down here on the bottom, Use Global Secure Access (let's get rid of my little icon again, it's constantly in the way today), and I select the profile. So I would select which one, remember I can only select one, so maybe I would select the Social and entertainment profile, Stop, so I'd select that one, and now that is configured right there. And those are the steps; that's really all I have to do.

Now, what I was talking about, I'd probably enforce the policy to on. Now normally, obviously, Group Policy, we always do report-only first; um, for this, for the testing, I'm going to set these to on to actually apply these to the checks. My grant is just grant access. Once again, if I select block (and maybe at the end I'll show it, just to frustrate myself), it just blocks internet; it is not blocking the sites. You don't want that. You need to grant the access; the web filtering policies linked from the security profile will take care of allowing or denying the sites. This action right here is about internet access. So again, if I was to select MFA, even, it's just going to make me prompt for MFA at the start of the first thing that talks to the internet. It's not about the site specifically today; that may change in the future, but for now you want to just grant access. So for me, I
have created a policy already. Honestly it's very slow this morning; it's early on a Sunday, waking up. All right, so I created Internet access for John. It's just me, it's internet traffic, and all I've done is selected that Social and entertainment profile. Now just to remind us, the Social and entertainment profile was allowing LinkedIn, stopping Social, stopping YouTube, and then remember we have that default for all that would stop savilltech.net. So those are the rules. So I'm blocking social, blocking entertainment, I'm blocking gambling; we can see all of those in here, my rules: social, games, sports, gambling are all blocked as part of those rules. So those things should all be impacting me when I now try to do the things. So great, I have now created those conditional access policies.

So how does this all come together? This is, I guess, the cool part. So remember what I said before: the client authenticates and it gets this token. As part of that token, each of these has, uh, an ID, a security profile identifier. So what's now going to happen is, when this does this authentication and when it goes and gets that token, that is now updated: the token gets the security profile IDs added to it that are being applied. So that Profile 1 (this token, what's actually happening here is, what color should I use, I'll use this), this profile, that one is getting added to my token. And obviously if there were multiple conditional access policies that applied, each with their own, then there could be a list of these added to my token. So now this client, its token has the security profile IDs as entries in its token. So it's got these claims for the security profile ID; that's the huge part here. So now what's actually happening when this client gets redirected to that Entra edge: as part of that, that token gets sent along with it. So now that Entra Internet Access edge (again, I think this is really the edge, when I talked about this magnifying glass allowing or denying), what it's looking at are the IDs, because remember it's got this, like, ID 1. It's looking at, okay, well, what are the rules of ID 1? Because they're in that token, that controls the traffic; that's going to control, is it allowed or not. And that's really the key point of how this is working.

Follow the structure through: we created web filtering policies, which are logical groupings of categories or fully qualified domain names that we may want to use, maybe multiple times, in different places. We put those into security profiles; they have their own priority within it in case they conflict and what should win. Then the profiles themselves have a unique priority, because what if I get multiple profiles, which one should win? And then ultimately we apply them by linking a profile to a conditional access policy, just like we always do, and then that gets populated as a claim in the token, and then that's constantly verifying.

Now, because it is an access token, it's good for an hour. So if I was to create a new conditional access policy, or I changed the conditional access policy to point to a different profile, it could take up to an hour to be seen, because the access token is good for an hour. Now if I was to change, it's not good, if I was to change what was linked in the profile, that just requires propagation through the global Entra, maybe that's five minutes. So I can change these things, but if I actually create a new conditional access or I change the profile, well, remember it's the profile that gets linked in as a claim in my token; I have to let that expire, so that could be up to an hour, if I create a new conditional access or I change the profile it links to. So that's the timing involved in that whole process.

So then, does it work? Uh, so let's try it. So if we jump over, and we hope it does work (this will be a terrible, terrible demo). So if I go to my machine, so now let's think about what we did. So I'll open up the browser. So I blocked YouTube, so youtube.com, can't reach it, nope. And just to prove internet is working, if I go
to savilltech.com, that works fine. What about Studio? Remember we did the wildcard. Nope, can't reach it. What about Twitter? Remember we had the social: twitter.com, nope, can't reach it. What about LinkedIn? Remember we had that allow rule which was a higher priority. LinkedIn we can get to, awesome. What about, uh, a gambling site? Now I actually have to look this up because I don't know a lot of gambling sites. So if I paste in a certain gambling site, can't get to it. Now you will notice this one said "denied", whereas the others, it couldn't get to. This was because this was just HTTP, not secure, so it can return a different response. If it's HTTPS it's just like, hey, you can't get to it. And the same would apply if I do www.avc.edu; the rule, that's just HTTP, it can just say denied. If I change this to HTTPS then we'll see, hmm, can't reach the page. So you will, today, see a different response depending on if it is HTTPS or HTTP, because it impacts what it's allowed to do. But, I mean, that's it. You see the client experience: it's totally seamless, it just works.

Now what about if things, uh, are not quite right, if it's not working maybe as you would expect? So this agent, remember I popped up the advanced diagnostics: host name acquisition. I could say start collecting, and what this is going to do is focus on the idea of, well, what are the host names, what's the DNS that's being acquired when I'm trying to do things. So if I did the savilltech.net again, and also let's try, uh, Twitter again, and then we'll do one that works, savilltech.com. Okay, I could do stop. So we can see, hey, yeah, look, I can see the things it was trying to do, so I can get an idea of the actual, um, responses and if it was truly going through the DNS. I can also look at the traffic, so we'll start that as well, just go back to this page again, let's try the twitter.com, nope, let's try the linkedin.com, yep, and now we see a whole bunch of connections. We saw it, hey, it's going to the edge, so I can get all of that detail of things that it's doing in the background, so I can see everything it's trying to do, if it's closed, if it's active, so it's obviously active over here. So it's just a great way to see everything that is happening on the machine. So this is super useful if things don't work as you're expecting.

Now the other thing I want, I guess I did say, okay, so while we're over here, this is going to break my environment, but so you don't break your own: if I go to my policy Internet access for John, I'll change it to Block, and again we have to give it a few minutes to propagate out through the internet. While we're doing that, the other thing we have available to us in Global Secure Access is we have Monitor, we have audit logs, but I'm going to focus on these traffic logs. So if I look at traffic logs I can see the traffic across the different types, so Internet, Private Access, M365. So I'm going to focus on my internet access. From here I can see a whole bunch of communications to different things, but I could add a filter where the action is Block, and I can see all of that detail: yep, the sports, the gambling site, Facebook got blocked, savilltech.net got blocked, YouTube got blocked. So it's got this really nice set of capabilities that I can go back and see all of the detail. And there's a little bit of a delay, so it's not going to show up out here instantly. In my playing around I've seen it take maybe 15 minutes to show up. Again, it's public preview at time of recording, that could absolutely change, but there is a little bit of a delay. But then I can go and see all of that detail.

So let's see, I don't know if it's been long enough, let's see if I can break my machine. So what I would now do, I say log in as a different user, so it's signing me out. Remember I applied that block policy, which, remember, is not just the sites, it's everything now, internet traffic on the machine. So when it re-authenticates it's now going to go and get a new access token, and when I get the access token, that's when it's going to tell me. So I have to sign in again
cuz I signed out so I have strong wols enabled I can't get access so your signning was successful but now I can't do anything I'm I'm basically blocked out of Internet so I can't even finish the sign in anymore and it's going to get stuck because I've essentially wiped out internet on my machine so I would now hastily uh come back to here change that conditional access to one that isn't junk and I would see the same if I did MFA it would require it for basically that client is this the first thing that will get impacted when it gets the new access token so it it wouldn't be that useful I really think of the conditional access its use and its power is to apply the policies right it's to apply the security profiles I'm defining I'm not using these to try and then do additional MFA or block the block is in the web filtering policy see so this should just be allow that really is a key Point make sure I'm doing allow in these anything else is not that useful obviously I can use it for the granularity of which sites apply to which groups maybe I get different rules based on the device as well I might even have different sites based on risk I'm detecting all of that applies but just the action it's no good trying to do block or even MFA is not particularly useful here because it's applying to the all up your connection to the internet not the granular rules in the claims so if I do block I just block it getting into the internet which is a sad day for this poor person that have a big frowny face that's it so I hope this was useful I hope it really makes it clear what's going on I showed a lot of things I maybe talked a lot about it but it's actually pretty logical and simple hey create the web filtering policies which are the the categories and the fully qualified domain names that make up a logical grouping of sites I can then use n number of those in a security profile which is a certain profile that I'm going to want to apply to populations based on certain criteria 
again those had a allow block they have priorities for when there's going to be those conflicts which should win out and then hey I'm going to take those profiles and apply them to those groups of the population with all the normal conditional access targeting groups client device location risk all of those apply it's just we make sure the action is allow it's the policy that takes care of if the site allowed or blocked that's the key point and then it it would just take effect and you saw how simple it was I'm protecting the user doesn't matter where the user is it could be anywhere it's protecting them from those bad things my policy hey can let it through or it can block it um and that's a solution I have no pricing information at this time that will get released at GA so there's no comment on that the only thing I know is the internet access for M365 that's just part of I think it's the E3 license but again you should validate that so that was it as always I hope this was useful and I hope I can now log into my client now said back to allow take care
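The rule behaviour walked through in the demo (a wildcard FQDN block, a category block, a higher-priority allow rule overriding the social category for one site, and the "denied" page on HTTP versus the failed connection on HTTPS), as an added Python model. This is not the product's code or the video author's; the rule names, domains, category table and "lower number wins" priority ordering are constructed assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlparse

# Constructed stand-in for the service's category database (hypothetical hosts).
CATEGORY_OF = {
    "twitter.com": "social",
    "facebook.com": "social",
    "linkedin.com": "social",
    "bets.example": "gambling",
}

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "block"
    priority: int                   # assumption: lower number wins a conflict
    fqdn: Optional[str] = None      # exact host or wildcard such as "*.corp.example"
    category: Optional[str] = None  # web category, used when fqdn is None

def rule_matches(rule: Rule, host: str) -> bool:
    """A rule matches on an exact/wildcard FQDN or on the host's category."""
    if rule.fqdn is not None:
        return host == rule.fqdn or fnmatchcase(host, rule.fqdn)
    return CATEGORY_OF.get(host) == rule.category

def resolve(rules, host: str):
    """Return (action, winning rule name); unmatched hosts pass through."""
    hits = [r for r in rules if rule_matches(r, host)]
    if not hits:
        return "allow", None
    winner = min(hits, key=lambda r: r.priority)
    return winner.action, winner.name

def client_experience(rules, url: str) -> str:
    """What the user sees: blocked plain HTTP gets a 'denied' page, blocked
    HTTPS simply fails to connect (as observed in the demo)."""
    parsed = urlparse(url)
    action, _ = resolve(rules, parsed.hostname or "")
    if action == "allow":
        return "allowed"
    return "denied page" if parsed.scheme == "http" else "cannot reach"

# Constructed security profile mirroring the shape of the demo's rules.
PROFILE = [
    Rule("allow-linkedin", "allow", 100, fqdn="linkedin.com"),
    Rule("block-wildcard", "block", 200, fqdn="*.blocked-corp.example"),
    Rule("block-social", "block", 300, category="social"),
    Rule("block-gambling", "block", 300, category="gambling"),
]
```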
Info
Channel: John Savill's Technical Training
Views: 24,599
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, azure ad, microsoft entra, entra, internet access, secure web gateway, security service edge
Id: 844s2bpA1aU
Length: 48min 45sec (2925 seconds)
Published: Mon Dec 18 2023