Deep Dive on Microsoft Entra Private Access

Captions
Hey everyone, in this video I want to talk about the Microsoft Entra Private Access capability. Now, we're used to the idea of thinking of identity as the perimeter to control access to our applications. I've done a lot of videos in the past about controlling everything with Entra, and so I can think, I'm going to put here at the center, I have my Entra tenant, and the key point here is that there's all these different applications that I can federate. I trust Entra for the authentication, so sure, there's things like Microsoft 365, there's Azure, there's Dynamics, there's third-party SaaS applications, there's a huge gallery of applications available in Entra that I can go and add. But if it speaks cloud, if it speaks OAuth or OpenID Connect or SAML, chances are I can go and add it and leverage Entra as that authentication, that authorization, to control all of that access.

Now if I have applications that maybe don't speak cloud, they're not available on the internet, well then we have the option that I can do an on-premises. I can think, for example, my on-premises network. Well, in my on-premises network, I'll draw this really big, so I've got some web application, and what we would do is we could use Entra App Proxy. So App Proxy has an agent or a set of agents; this establishes a connection this way, and so this is Entra App Proxy, and then once again I can make that available via Entra. I can do things like pre-authentication, I can apply Conditional Access (and we'll get back to that), but I can get that seamless access and authentication now for those web, and that's the key point, web-based applications.

I can also do things around the internet. So then we have these other sites that maybe don't integrate with Entra for the authentication, so we just have other internet things, and I did a video a couple of weeks ago about the idea that, well, there's also Entra Internet Access, and this enables me to create basically security profiles that say, hey, yes, I can access these sites, I have to apply
conditional access before I can get to them, but I can control all of those different types of access. And the key point for all of these things, and it's really, I think of it as the superpower when I always think of Entra, is Conditional Access. So around anything I'm doing, Conditional Access is that shield, it's that nice protective barrier that if I want to get a token to be able to talk to anything, I have to pass the policies I've applied to those very specific sets of conditions: particular apps, particular health, particular risk, particular custom attributes. All of those things I can look at and make requirements for different policies and then apply controls like strong authentication, be hybrid joined, the device needs to be healthy per Intune or Defender. So all of these different things are going via Conditional Access, and I really do think of that as just a key point to everything we want to do.

But realize there are other things. So if we talk about this idea of, okay, my on-premises, well, there are other types of applications I have in here. There are applications that are non-web, so I have non-web applications, and I'm now thinking of anything that is TCP or UDP based. Now traditionally the way we would solve this is the organization would have a DMZ, so this demilitarized zone network, and in there I'd put different services. I would put in services like VPN, so I get these virtual private network tunnels, and what the VPN does, remember, let's give ourselves a bit of space, if I think of what I've got, my machine, so my machine is over here, and with a VPN what's happening is it establishes a tunnel. So I get this tunnel established to the VPN service, which then obviously gives me a connection into that network. So I have this tunnel, and the challenge with this approach is that once I've done whatever check it had, log in or authenticate, I've now just really got free range access to everything in that network. It's a network-level access solution. There's also
things like I might have internet proxies, so hey, things wanting to talk to the network; maybe making some things available to the internet, I'll have firewalls. But I have a bunch of services that I'll put and have to manage in this network, so all of this is infrastructure. And if I think of this cloud-first way, I think of things like Zero Trust, I don't like this. There's a number of tenets to Zero Trust, which I'll talk more about, but you always kind of want to assume breach, you want to verify explicitly, I want least possible access to things, which is not a tunnel directly into the network. If one thing was compromised I now have free rein. We've seen some of these major security attacks actually go through some compromised device and then it's got free range. So I don't want to do this, I don't like just this open tunnel, I really want to try and move away from that.

And so, great, these things we don't want. We want to move all of these services, we want to move it outside, to follow Zero Trust principles, because I do want to verify explicitly every access to some specific thing. I want to validate; I maybe have different requirements to be able to access that. I want to have the least possible access, that's just enough to do what I need to do within that particular context of my security. And again, I want to assume breach; I want to have very detailed telemetry to see everything that's happening and look at things like risk before I grant any kind of access.

And so this is where, as you would expect, we start getting into this idea of this new set of services. So what we're looking at is this Secure Access Service Edge, so I'm just going to write, oh, keep doing my pen wrong today, my Secure Service Edge, and I'm going to just draw this as a big bucket going around here. So it's this edge set of services, and the whole point of what this is going to do is it provides a number of different things. Now again, I said I did a video a few weeks ago where I talked about the internet
access side of that. That's a secure web gateway, an internet proxy that's making sure I'm only visiting the sites that, hey, are safe, so I'm protecting the users from themselves, they don't accidentally click some bad link. I can put controls, anti-malware, intrusion detection, intelligence, all around there. There's cloud access security brokers to enforce policies, and longer term there's things like branch connectivity. But I want to focus on the idea of Zero Trust Network Access, so that idea of that private access for these non-web applications, but hey, I'm not just having this very broad tunnel of VPN. I want to focus on validating the access every time. Anytime I'm trying to access something, I want to understand the posture from a security perspective of the user and their device, and it should work no matter where they are. And then that's beneficial, hey, the internet, those protections no matter where they are, but also no matter where they are they should be able to access these services, and I want it done in such a way that I'm not just part of my internal network. I want to apply those Zero Trust principles, and so that's exactly what this solution is doing, this Secure Services Edge.

Now remember, I still want it to be highly performant, and if I think from a Microsoft perspective, I think they have something like over 170 edge sites, so potential points where a client can connect to, and there's like 70 Azure regions, over two petabits per second of capacity. So I'm going to be able to connect to something close to me and there's massive amounts of network bandwidth to support what I'm trying to do. And again, the key point here is every single thing I'm doing, I'm still going to apply this Conditional Access. Again, that's the superpower when I think of Entra.

So how do we get going with this? So the first point is obviously, well, this client can be anywhere. I have to get something on the client to know that it needs to start integrating with these services, what it needs to
send to this edge service. So what we have is we install this Global Secure Access client. Now what this does is it connects to the endpoint on this edge, so I can think about, hey, it's making this connection to the edge, and then, as we'll see, everything it actually wants to go and talk to, it still has to go and flow through Entra for that authentication, which means to go and get the authentication it then has to flow through the Conditional Access to go and get whatever tokens it needs so it can go and carry on around its way. So I'm still applying Conditional Access for every single thing I'm doing.

And as I mentioned in the Internet Access video, it's not like it's a different client. This one Global Secure Access client is used for both the Entra Internet Access and it's going to be used for this Entra Private Access. I'm using the same Entra portal to manage it, it's the same Conditional Access that I'm used to doing, there's not a whole set of new learning to do. It's just, from the client's perspective, it does establish different connections. I could think of it as these gRPC HTTP/2 tunnels to the Entra edge: one for the Internet Access workloads, one for the Private Access, one for the Microsoft 365. And the key point here is it is establishing this to the Entra edge. It is not establishing it over here to this. In fact, I'm going to give myself a bit more space and we're just going to get rid of this now. So we don't want to do this, we don't want this nasty tunnel idea, we want to get rid of that, and never want just this open connection to those networks. So we're going to get rid of those things. So it is only ever talking to this edge, and it has to go through all of the checks to make sure, well, should I be trying to get to this service over here, am I passing the Conditional Access policies?

Now this installs a network filter driver in the operating system, so all packets go through that stack, and then if it matches the pattern of what the Global Secure Access client cares
about, then it gets sent here so we can go and get processed by the edge. Now it is a new client. I could deploy it using any standard enterprise mobile device management solution or Group Policy, it doesn't matter, it's just a package I am installing. It is today a standalone installation; I think as this GAs and then goes further, I think the way it updates and deploys will likely change, it'll become more integrated. There are other operating systems and platforms like iOS and Android and Mac that are all being worked on to be able to leverage this, so broad platforms. And again, it doesn't matter if this is at home, in an office, in a Starbucks, it's just going to work.

So let's have a quick look at this client. So if we jump over to my machine, here we go. So I have installed the client already, and what I'm going to quickly do, let's just remove my little logo. If I look in the corner you can see I've got this little icon; this is the Global Secure Access icon that shows me its status. Now if I right-click on it you'll notice I do get some options. I could change who it is logged in as, because obviously I'm authenticating the client, because then that's the user it is running as, so that's where, hey, if I have Conditional Access policies targeting particular users or groups users are in, I can change that. I can do things like pause, resume, restart, collect logs. Now just to note, this is in preview at time of recording. Once again, when it GAs there will be abilities to control which of these are exposed to end users; for example, if I'm thinking of internet protection, maybe I don't want them to be able to pause it, and so there will be restrictions on these. But also I have this Advanced Diagnostics option. So if I fire up the Advanced Diagnostics, this is really nice. I'm going to leave this up and running, so we're going to use this, make it a bit wider, but it gives us basic information. I can see my client version down here, which may be useful if I'm checking. It has a health check, so this
is really nice, I can go in through and see all the different things that it's leveraging, if there's any problems. So I would go and check this if I'm seeing something strange going on, but I can see things like, hey, yeah, look, the tunneling has succeeded, do I have my token, magic IP, these are the Entra edge, but I can go and see all the different things it's doing. I can see my forwarding profiles, I can see when it was updated, so this is what it goes and fetches from that Entra edge, and then I can see the different rules. So I can see there's Microsoft 365 rules, there's Internet Access rules, and there's Private Access rules, which again we're going to come back to. And then there's hostname acquisition to look at things around, hey, the name resolutions it's trying to do for different possible targets, and I would have to start collecting if I want to view that data. So this is all about the DNS. But then I can actually view the traffic, and this is what we're going to actually look at later on, because this will help us show some of the fantastic things it's doing. So these are all the layer 4 packet flows. So the client is up and running and we are good to go.

So now I need to actually start telling it which traffic and what I want to make available. So we're going to focus on this Private Access, so I have things over here that I want to make available. Now when I think about this, obviously it's a private network, so how does this Entra edge go and communicate to it? Well, just like the old App Proxy which has its agent, now we have this concept of these connectors for Entra. So I deploy connectors, and the reality is these connectors will actually replace the App Proxy agents. So this connector supports both the Entra App Proxy web services and it supports the non-web services. So I'm going to deploy these connectors. So I've got two of them deployed in my private network, and we can see these. So if we go and take a look at our environment, so I can go down
to, I'm looking at the Global Secure Access environment of the machine, and if I see, I've got Connect and then Connectors, and we can see I've got two connectors in my default group. So the whole point of this is, well, yes, I can add multiple connectors, and I would want to do that very likely when I think about, well, I want that ability to have resiliency, I want to be able to handle greater load than just one agent in a particular OS instance. That's all this is: the agent is just saying, I install into a Windows Server operating system that lives in that network. So if I think about this environment over here, these connectors have to be able to get to the target. So I'm installing multiple connectors.

Now I might want to create different groups of connectors, because, well, hey, there's just a default group that I'll use for regular targets, but maybe I've got some really high priority targets that I want to prioritize. I want to make sure they don't conflict with other traffic going to other services; I want to make sure they have some dedicated connectors to process their traffic. So I might create a high priority group with their own sets of connectors just for these particular applications. So I can create these different groups, I create the connectors, but then, as you would expect, these connectors are then establishing that connection, so it's always out this way to the Entra edge. So these are this Entra Private Access. So these connectors have the network path to be able to talk to the services I want to be able to make available, so I need to make sure, if there were restrictions within the network, this does have the ability to go and talk to those targets, otherwise obviously it's not going to work.

Now for web apps today I would still carry on using App Proxy. Again, this connector supports both App Proxy and the Entra Private Access; again, I think over time that will probably converge. But the key point here now is that the Entra Private Access works with anything that is TCP
or UDP. So RDP, SSH, SMB, FTP, printers, your specialized UDP streaming-based services, it doesn't care, it's just going to work. And then to use it, remember that Global Secure Access client supports different things, and so if it supports different things I need to say which ones I want to enable. So if I jump back over to here, I look at my Traffic forwarding and I just make sure I have checked the box for Private Access. So I do have that enabled; it even gives you a summary of what you have published and any applicable Conditional Access policy. So I have got that turned on, fantastic.

So once we've done that, remember the key point here is that I want that granularity. This is not just a broad, okay, yes, just connect to everything the connector can see. I'm going to have different levels of sensitivity in my applications. I want to only allow particular ports to particular applications; I might have different data classifications that require different controls. So I want to go and add explicitly specific apps I want to make available, that I could then, remember, have specific Conditional Access policies for, or maybe I've got different categories of apps that need a common set of Conditional Access. I'm going to define these segments that are IP addresses, that are fully qualified domain names, is it TCP and/or UDP, the ports that I want to go and make available. And so that is our next step, to actually go and add in, we go in another color, I'm going to go and add in, in the Entra Private Access, the application, and I'm defining what is that application in terms of, hey, those IP address ranges, those fully qualified domain names.

So now if we jump back over to the portal, let's go and look at that. So I'm under Applications and I'm going to define an Enterprise application. Now I've already done one for RDP to my domain controller. Again, very specific; I'm not just saying, hey, talk to the domain controller, we can see I say specifically what I want. So I said specifically I'm making it
available via its IP address or its fully qualified domain name. Now I have enabled, notice, TCP and UDP. UDP is actually more efficient, and so RDP uses UDP as a sidecar, so it has TCP for an initial connection, but then it can do the bulk of the data transfer via UDP. So RDP is actually quite a nice demo because I can show TCP and UDP in action, but I'm very specific, and then obviously I told it, well, which users are allowed to access this. But if I was going to create a new app, I give it a name, I tell it which of the connector groups it's going to use, I want to enable access with the Global Secure Access client, and then I add my segments. Now once again, my segments can be an IP address, so a single IP, a fully qualified domain name, a range of IP addresses in CIDR format, or an IP range where I can just type in the start and end. So if I did that, start to end, you can just see, types it in, I have to put in the ports, and then I specify, hey, is it TCP and/or UDP. So I have complete control over those.

Now a really, really important point is when I'm defining these things, what I want to ensure is I don't have overlap. So you might be used to traditional IP routing where I could have a broader route with maybe a /24, and then I could do a more specific one with a /26, and the /26 would take precedence. I do not do that here. I do not want overlap between the different Enterprise apps that I'm defining; it will cause problems. So make sure they are super, super, super specific, so I'm never going to overlap those things. And the key point is what you saw me doing there, I'm being very, very granular. So I'm defining that particular application that I want to be able to make available, so I would go and repeat this for many, many applications. But once I've done this, once I've defined this app, well then it's just an Enterprise application to Entra. So if I then went up and looked to my applications and my Enterprise apps and I searched for that RDP, there it is, it's an Enterprise
application. So what that now means: if I look at Conditional Access, my policies, I created a Conditional Access policy targeting that application. So my target resource was that Quick Access application, and I'm going to say, look, I want it to only be a low user risk, the sign-in risk needs to be low or no risk, and I want it to do a particular strength authentication. I have my own custom authentication strength that requires the Authenticator app to be leveraged. So I've gone and applied a Conditional Access policy for this. So you can see I've gone through a whole set of steps now. So I defined the application, and then once I defined the application, well now what will happen is this application is now known within here. Remember, what else did I do? I created a Conditional Access policy. So I added a Conditional Access policy; this app was added as an app in my Entra tenant, so my Conditional Access policy actually targets that particular application, and my GSA client has now been informed that, hey, this app is available to you, and it's these IP addresses, these fully qualified domain names, whatever those configurations were for that particular application.

And I'll see that. So if I now jump back over to this, if I went and looked at that forwarding profile I talked about, and this time I'll look at my Private Access rules, we can see exactly this. Remember, I enabled it for TCP and UDP; well, sure enough, there's the IP address, TCP and UDP, and the port, and the fully qualified domain name, all available. So it now knows, hey, if you see this, you need to go and send this to me. So that's now just part of it.

And I guess the best thing to do at this point is, can we see this in action? So what I want to start doing, let's actually start collecting, and let's open up mstsc. So I'm using the fully qualified domain name; I could just as easily use the IP address as well. I'll hit Connect. Now it's making me authenticate, because my default authentication wasn't strong, so it's making me do Authenticator
app. So I'm typing that in, I've passed that through, so now I've passed through the Conditional Access part. Now it's asking me for the actual auth to get into the RDP. So now it's going through, and it's just going through that connection. So you saw, hey, I'm going to that particular machine, and now it's going and actually authenticating to that box. All of that passed through this. It's the first time I'm actually connecting to this box today, but while that's finishing off the connection, so there we go, it's popping up. Oh, I could just connect again, but you saw that. Let's do it now. Interesting point: when I connect the second time it's not making me do the strong authentication again. The reason for that is because my token now already has that strong authentication, so I'm good to go. So there, I probably should have authenticated to that box already today, but there, I'm connected.

And if we go and look at our traffic, what we can see, let's just scroll down, so what I'm looking for is my 3389. So I can see a whole bunch of traffic related to here, and notice I can see both UDP, and there's different ones for the TCP as well. So let me change order by the time, make it a bit easier for me to see, and what I'm looking for is my Private Access. Because it opened that website, it's hidden most of the stuff I cared about, but here we go. All right, so I'm looking here and we can see it, we can see it's at 3389 traffic, and I can see it's both UDP and TCP, and we can see it's active, it's using both of those. And if I scroll over I can even see the amount of traffic being sent, and the key point here is most of it is the UDP, like the bulk of the traffic, this line is actually that UDP line. So right here it's showing me, hey, look, UDP is being leveraged for that. So I can see all of that data being performed, and hey, I can go and access that service. So that's really one of the huge points of all of this, is that use of, hey, it's not just TCP, it's UDP as well. And realize in that flow, what we were seeing is this: there
is no direct communication. Now one of the things that can happen there is a local breakout. If I was actually sitting on this network, one of the things it can do is it will still go and check the authentication, still apply Conditional Access, but then break out for the ongoing packets if I was sitting on this network. But it still enforces the requirements of the Conditional Access, but the flow is always this: I'm never bypassing this Conditional Access. So I had to pass those conditions, my user risk, my session risk, I had to do the strong authentication, and then once I've done that once, as we saw, the second time I connected it didn't make me prompt and go through that again. I could also monitor in the portal; I can go and see the traffic and it would show me there as well. But I would go through and repeat this process for every single unique application, unique segment, and I would just define those through. They would all be Entra apps, they could all have their own Conditional Access policies. So that's a key thing that I want to do as part of this.

But I'm getting started, maybe, and I had this VPN thing before, and there's a huge number of apps, and I'm like, look, sure, for the more high priority ones I'm fine, I'll go and add all these apps, but you know what, I also just need some more generic basic access. Maybe it's to SSH or RDP or access some file shares or printers, that's just general classification stuff, and I need to kind of make that available a bit quicker. So I can also add this idea of a Quick Access configuration. Now I can only have one of them, so I would add multiple apps, but I can also add a Quick Access, which again, what are its particular segments, and once again this Quick Access would be an application that will show up as an Enterprise app, which means once again I could add a Conditional Access policy to target Quick Access, and those segments I defined would also get added and told to the GSA client. So if we go and look at my environment, I did
exactly this. So here in the portal, we go back over to, and I guess while I'm here, the monitoring, we do have the traffic logs. I could look at Private Access and I can look at all the different connections, the amount of traffic, the connectivity, so I have great insight into what it's doing. But back to my applications, I have this Quick Access option. Now you give it a name, so I called it Quick Access, you tell it which connector group to use, and all I've enabled in mine was TCP/UDP 3389 for IP addresses 0 to 9. Now remember, my Enterprise app was 1; remember we never overlap, which is why I stopped at 10. And then I also enabled 445 TCP, which is SMB. So I defined a Quick Access, and once again I could apply Conditional Access to it, but it just shows up as an Enterprise app. If I search for "quick", there's Quick Access. I don't have a Conditional Access policy applied to it, but there's absolutely nothing stopping me. I could absolutely go into this, I could create a new policy, I could target a particular app, and I could just type in "quick", and sure enough, there's Quick Access. So I could completely define that.

So the point now is I've enabled this other set of segments, in my case IP addresses for particular sets of ports. Again, I've still not just done everything, I've still been more broad, but it's just, hey, this is maybe what I would have had available potentially in the past with some of my more basic kind of VPN scenario. And we see that in the forwarding profile. So here my forwarding profile has those ranges, the TCP/UDP for RDP, and it has my SMB. So I can see those all got sent down to my client, so it knows, hey, look, if you try and access anything in this range, do it. And so once again let's start the collecting again, and if I was to just do 10.0, what is it, 1.5, here we go, \data, that's just an SMB share, and it opened up. So there's a file, and there's my dog Zero sniffs. So that's just showing how just a basic SMB is working, and once again somewhere in these logs I would
see, and it does show me the type of traffic. In the file column it shows me the Private Access, and there's my 445, so we can see, look, this is actually me looking at the SMB share. So I can see all of that data, but that just worked. It made it very easy to leverage, and I can see that in action. So that's that ability: well, do you know what, I've got this more broad set of networking, I'm not quite ready to have every app up and running, maybe over time I'll get a bit more specific on those things, but hey, that Quick Access gives me the ability to make things available while I'm getting everything else figured out. Fantastic.

What about, though, we saw fully qualified domain names, we saw IP addresses. Now as a human being I might be very used to DNS; I might be very used to just typing in a single label, I just type in a bit of a name, and normally on our clients we have this search list of DNS suffixes that it knows to add to the end to try and see if we can resolve if I just type in a single label name. Well, how do we handle that? Because people are used to DNS names. And now remember, the whole point is those fully qualified domain names that I would put here, this client does not have to be able to resolve them; only the connector has to be able to talk to the DNS service to be able to resolve them. This just tells the client, hey, if you see this fully qualified domain name, send it this way and it will deal with it for you. You don't have to be able to resolve that fully qualified domain name; only the connector has to be able to resolve the fully qualified domain name. But how does the user just type maybe some basic single label names, or maybe even the fully qualified name? But think of that Quick Access configuration: I didn't put every single fully qualified domain name. How am I handling this?

So if we jump back over, what would happen? So if I go, so just a PowerShell here. Actually, let's just, we can start collecting just for a bit of fun, just really got to do anything. So if I try to resolve,
there we go, it's helping me out here, so let's just try a single label name. Resolve. Now it resolved it, and it did the correct IP, that's that 10.0.1.5 that has that file share I connected to. Now the name is bizarre. It's this very, very strange name: it's added this huge GUID and then globalsecureaccess.local. Now that huge GUID, the 6FDD, just remember 6FDD. Well, 6FDD, if we went back to the portal for a second, if we were to look at our Enterprise applications, and again we looked at Quick Access, 6FDD is its application ID. So it's created a DNS suffix which is the application ID of Quick Access, and then it's added to that the globalsecureaccess.local. So it's doing something weird, but it worked, right? It resolved to that IP address. So what that would mean is I could just do, instead of the IP, I could just do the name, and it's got it down here because I've obviously tested it earlier. If I just do the name \data, it's still, now it's obviously going to go over and do that DNS lookup, but it will still give me access to that share, and there we go, so I'm accessing it. I could also resolve the DNS name, the fully qualified name. Now this time obviously the name is correct, and it still resolves to the same IP address. So that means as the user I could also put in the fully qualified name. So if I did .savilltech.net, well, that opens up as well. So DNS is actually working for my client. And if I was to actually stop looking, we'll see sort of the 53. So remember, 53 is DNS, so we can see it's actually talking to this zone, this DNS server, it's what I'm talking to to do these various resolutions that I want. So there's also a DNS server which is the app ID of my Quick Access. So some really interesting things are happening.

Now remember, my client has zero knowledge of savilltech.net, and especially zero knowledge of that strange Quick Access URL that I had there. So how exactly is this working? What is being configured on the client to make those things actually happen? Now remember, when we
think of DNS on my private network, I have DNS servers. So in this network there are absolutely DNS services which my connector has been configured to use, so my connectors can talk to and query those DNS servers for resolution. So when I think of that savilltech.net, in my example savilltech.net as a zone exists on those DNS servers; so that's why that is able to function, but my client has zero clue about savilltech.net. So how are all these things working? So this is part of that Quick Access configuration. So if we jump back over again, if I go back to my Quick Access, you probably noticed there's also, in addition to the app segments, there was this private DNS thing, and all I do here is, well, one, I'm telling it to enable the private DNS, and then I can add my own suffixes. I'm just entering the name; that's all I'm doing. I'm just telling it savilltech.net is also a zone that's used in my private network. So I've turned on private DNS names and then told it which suffixes exist in my environment. So as part of my configuration now, what we've done is in this Quick Access I've also said, hey, yes, I want private DNS, yes please, and then I've added my specific suffixes. Obviously that once again gets sent up, and now it's doing a whole bunch of things on this client. Now if I think of this client and its operating system, it has configurations, so I can think that I have my DNS service running on this machine. Now for Windows, if I want to modify the behavior of DNS, we have the concept of a name resolution policy; we have a Name Resolution Policy Table. If you've ever played with DNSSEC, you would have done configuration saying, hey, this zone needs to be encrypted, etc., etc. But what it's done now is, as part of this Name Resolution Policy Table, it's added, well, that Quick Access ID zone, so it's that <id>.globalsecureaccess.local, and it's added that suffix I added to it. And what it's telling it is, with this name resolution policy configuration, these zones use a special fully qualified domain name, that ID,
and these are split DNS, so these will get sent to the Global Secure Access client. And on my DNS there's a list of search suffixes, so it has added a default search suffix which is that weird <Quick Access ID>.globalsecureaccess.local, which is why when I typed in that single-label name, it was single-label-name.weird.globalsecureaccess.local. So let's go and look at all of those things together. So we go back to our machine. So now I'm in here; so remember we saw the weird name, the app ID of my Quick Access .globalsecureaccess.local. Now if I was to open up my network properties and I look at my properties, Advanced, DNS: look what it did. "Append these DNS suffixes": it added that <quick access id>.globalsecureaccess.local. So that's why when I just typed in a single-label name, what it actually searched for was single-label-name.that-suffix, GUID.globalsecureaccess.local, which is why it then knew to go and send it to Global Secure Access, to send it to my connector, to be able to resolve the name. What it also did, if I do Get-DnsClientNrptPolicy, there we go, DNS client policy: it added two policies, one for that custom suffix I added, savilltech.net, and one again for the giant GUID .globalsecureaccess.
local. Now it does not show me in this output the name servers, because this command only shows the name server if it's IP addresses, and as we know, what is configured is a fully qualified domain name for the DNS server, so that's why it's not showing there. But it has actually configured it to be: hey, for these two suffixes, those namespaces, send it to this target, which is then sending it via the GSA client's tunnel to the Entra edge, all the way through, to go and get resolved. And now that's just working for me, and again completely transparently from what I need to do or know. If I type in some name to resolve through an application, through, it doesn't matter where, it's part of the OS, the core DNS configuration: if I put in a single-label name, it's going to add in that weird suffix; it knows to send that to the GSA client. Or if I typed in a fully qualified domain name that was ending in the custom suffix (I can have lots of custom suffixes), it knows to send that to the client. The GSA client sends it to the Entra edge, which then sends it to the connector; the connector then sends it to the DNS servers it uses. So those custom suffixes that I added would be ones that I use in my private network, so then these DNS servers it talks to would be able to resolve those. It sends me back the result, and it sends it back all the way here. Fantastic. But there's actually some more interesting things: it's not just transparently passing through the network; there's actually a complete DNS component that makes up part of this service. So what's actually happening here is, inside this edge here is actually a DNS service. So when I'm doing that name resolution request, so hey, something's typed in here, hey, I'm trying to resolve something, well, yes, it goes over the GSA tunnel to this special DNS service. So this DNS service actually has a cache as well, and it says, do I have what they're looking for in my cache already? Now let's say it doesn't for now; it's not in there. So it's not in there, so now
it has to go over this connection, ask the connector; the connector then says, oh, I'll go and ask my DNS service; it gets the result back, so it sends the answer back; this gets sent the answer, and now it will add it to the cache. So the cache now has that answer added to it; it sends the answer down, and voilà, I have the IP address. Fantastic. Now imagine, remember I said there's lots of points of presence, edges, in the makeup of Entra. Well, now imagine I have a certain population of users. This is not one machine; now imagine it's a thousand machines, and a thousand machines all doing the same DNS lookups. Before, what would have happened is a thousand times it would talk to the DNS service, a thousand times it would have to talk to the connector. It may do some caching of its own, but then, hey, it has to go and talk to the DNS server. There's a lot of load against my infrastructure; I'm using up traffic, I'm using up power of the connector, I'm using up connectivity to DNS services, and also it takes some time, because it's talking to this, talking to that, response is back. The first machine does exactly that; it has to go and get the record. Machines 2 through 1,000, or 10,000, whatever the number goes here: oh, it's in the cache, here's the response. So only the first one has to actually go through that entire process; every other connection for resolving that same name doesn't; it just goes and gets it from the cache. So they're going to not only save work on my connectors and my infrastructure, they're going to get a much faster response, because now I'm just fetching it from the cache. And again, this is not a global cache; they would be in the same geographic location, so they're talking to the same point of presence on that Entra edge. So if I had a particular population in London (just making up locations with no reason in particular) or New York, they would be talking to different POPs which have their own caches, so the first person at each geographic location would go through the complete
flow; number two would just get it from the cache, 3, 4, 5, etc., etc. And so this DNS is actually fantastic. So that Quick Access now, I just put in the suffixes, I can still use single-label names on this machine; it knows, hey, well, let's send it, try and see if we can resolve it this way, and then every other person can just go and get it from the cache, based on the time to live of the record. But something may be troubling you: how did my machine resolve if it by default adds this huge GUID-based suffix? And what I said was, so this gets added to the default. So I just typed in that single-label name, and then that gets sent via the DNS service, which then goes to the connector, which then queries its DNS servers to get the response. My connector and my DNS server have zero clue what <long GUID>.globalsecureaccess.local is, so how is that possibly working? And the way it's working is that <app id>.globalsecureaccess.local is known as that default special suffix that we added. So what actually happens is, when that name resolution request, app01.<GUID>.globalsecureaccess.local, is sent to this service, it strips off the <GUID>.globalsecureaccess.local and then just sends the single label, app01, here to the connector, and then the connector will use its default suffixes. So, hey, I typed in app01 on its own, just app01; my local DNS suffix added that <GUID>.globalsecureaccess.local; that got sent to here; it said, oh, it's <GUID>.globalsecureaccess.
local; I'll strip that off and just send the single-label name. So the single-label name gets sent over here; the connector says, oh, okay, I'll add my default suffixes, which is savilltech.net, so now it's searching for app01.savilltech.net. Oh yeah, I can resolve that; here's the answer; here's the answer; the answer is sent back. So that's that; that bothered me the first time I was looking at it, and that took me a little while to get that that's what's happening. And so the key point is it's just going to work for the users, and I have full control. For the more sensitive apps, different classifications, I should go and add them as specific apps, because then I can add specific conditional access policies, exactly as you saw. For me, I've required certain risk; I required an authenticator-app-based MFA. I can also have one Quick Access configuration, maybe for more general sets of requirements that I've maybe not got to create dedicated apps for yet; maybe I will over time, but I have to get that connectivity up and running. But for the end users, they're probably used to just maybe typing in a single-label name, so I can turn on private DNS and have a default, which is going to be this magical GUID-based one which will get stripped off when it's sent to the DNS service and then looked up against its default suffixes, and I can also add the custom suffixes. So if they do type in a full name, .savilltech.net or whatever yours are, remember this client on its own wouldn't be able to resolve those names; it doesn't have a DNS resolution for what are private zones inside your company. And so the Global Secure Access client has said, hey, if you see this suffix, just split DNS, send it to me, I'll deal with it. It sends it to the DNS service, which can go and resolve those names, and it's not just blindly forwarding through; the DNS service has a cache, so only the first request actually goes through the connector, is load on the connector, is load on my DNS to get the response back. Second, third, fourth, hey, those are just going to come from
the cache and save the load on my infrastructure, but also accelerate the experience of that second, third, fourth person in that particular geographical region. And again it does that handling of the single-label names for us by stripping off that globalsecureaccess zone when it sees it, to just go and use whatever those defaults are here. Now obviously I always talk a lot about technology; I enjoy it a lot, but hopefully you saw the actual configuration was really, really simple. The net result of all I did really was I named a couple of apps, so I put in an application and I just told it what segments it was based on: IP address, TCP and/or UDP, the port. That's all I had to do, and I could go and create a conditional access policy for it, and then for a larger, broader range, hey, these ports, these protocols, these ranges. Yeah, I want the end user to be able to type in fully qualified domain names for my custom zone, which ordinarily it would have no way to resolve, and if they put in a single-label name, hey, I want you to handle that for me as well, which we saw it does exactly. And that is it; that was my goal for this video, to just show this super powerful, and for the user completely seamless, technology to access, hey, my non-web TCP or UDP applications, but it's super granular. I'm only enabling just enough; I'm only accessing the particular ports and protocols I need for the job that I get to pick; it's not some broad network access. Every request, I'm applying conditional access policies based on those particular applications, and it actually would accelerate the end-user experience when I'm thinking of those name resolutions. And of course this is one part of the story: we have Microsoft Entra Internet Access, we have the regular Entra capabilities for all of our Entra-integrated apps for the authorization, which applies to conditional access, and it really just gives me that full connectivity. As always, I hope this was useful, and until next video, take care for
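The endpoint-side changes the video walks through (the NRPT rules and the appended search suffix) can be checked with a short script. This is an added example, not code from the video; it assumes the Windows DnsClient cmdlets, uses savilltech.net as a stand-in for your own custom suffix, and app01 is a constructed single-label host name.

```powershell
# Added example (not from the video). Verifies what the Global Secure Access (GSA)
# client did to the Windows DNS client config once Quick Access private DNS is on.
# Assumes the DnsClient module; 'savilltech.net' stands in for your own custom suffix.
function Get-GsaDnsState {
    param(
        [string[]]$CustomSuffixes = @('savilltech.net'),
        [string]$GsaZone = 'globalsecureaccess.local'
    )
    # NRPT namespaces are listed with a leading dot, e.g. ".savilltech.net"
    $nrpt = Get-DnsClientNrptPolicy
    $namespaces = @($nrpt.Namespace | ForEach-Object { $_.TrimStart('.') })

    # One NRPT rule for <QuickAccessAppId>.globalsecureaccess.local ...
    $gsaRule = $namespaces | Where-Object { $_ -like "*.$GsaZone" }
    # ... and one per custom suffix entered under Quick Access private DNS
    $missing = @($CustomSuffixes | Where-Object { $namespaces -notcontains $_ })

    # The client also appends <appid>.globalsecureaccess.local to the suffix search
    # list, which is what turns a single label into a name the NRPT rule matches.
    $search = (Get-DnsClientGlobalSetting).SuffixSearchList
    $gsaSearch = $search | Where-Object { $_ -like "*.$GsaZone" }

    [pscustomobject]@{
        GsaNrptNamespace      = $gsaRule
        GsaSearchSuffix       = $gsaSearch
        MissingCustomSuffixes = $missing
        Healthy               = ($null -ne $gsaRule) -and ($null -ne $gsaSearch) -and ($missing.Count -eq 0)
    }
}

# Resolve a single label and confirm the answer came back under the GSA suffix,
# i.e. the edge stripped <appid>.globalsecureaccess.local and the connector
# resolved the bare label against its own search suffixes.
function Test-GsaSingleLabel {
    param([string]$Label = 'app01')   # constructed host name, replace with yours
    $answer = Resolve-DnsName -Name $Label -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    [pscustomobject]@{
        Query      = $Label
        AnsweredAs = $answer.Name
        IPAddress  = $answer.IPAddress
        ViaGsa     = $answer.Name -like '*.globalsecureaccess.local'
    }
}

Get-GsaDnsState
Test-GsaSingleLabel
```

If Healthy is false, the custom suffixes named in the Quick Access private DNS settings have not reached this endpoint's NRPT yet, which is where to look before blaming the connector or the private DNS servers.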
Info
Channel: John Savill's Technical Training
Views: 31,386
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, azure ad, microsoft entra, entra, security service edge, zero trust network access, ztna, private access
Id: RsxxsEzQhrM
Length: 61min 8sec (3668 seconds)
Published: Mon Jan 15 2024