Techie introduction to Microsoft Entra Internet Access & Microsoft Entra Private Access

Captions
Hello and welcome. I've been actively involved in the Microsoft private preview of Microsoft Entra Internet Access and Microsoft Entra Private Access, components of which were released into public preview on the 11th of July. The umbrella name is Global Secure Access, which embodies zero trust network access to M365 services, access to other internet services, and private applications; those private applications might be hosted in your data center or another cloud. Also included is a major enhancement to tenant restrictions. These services are real game changers and I want to show you what these new technologies are and how they can enhance your organization's security. If you watched the Reimagine Secure Access with Microsoft Entra announcement yesterday, you'll also have seen that Azure AD is no more. Before you panic, luckily it's only a name change; expect to see the name change rolling out over time in all the UXs and the documentation. There's no impact on management or development. This is a long video but there's a lot to mention. I've done an intro which covers the reasons for the technology; if you want to jump straight to the how it works, check the timeline in the description. Let's get started. Don't forget to subscribe and keep learning, and please click that bell to keep up to date. Come with me into the cloud.

I want to start with an introduction, then we'll go and look at client-to-app connectivity, we'll have a look at what Internet Access is, Private Access, and then finally universal tenant restrictions. But let's start by actually setting the scene and thinking about what is Microsoft Entra Internet Access, what is Microsoft Entra Private Access. Well, they're umbrellaed in the portal under Global Secure Access, and Microsoft are enhancing their suite of cloud security services to really help with securely connecting anyone from anywhere with any device to applications and services that are anywhere, and of course doing this in a very secure way. July 2023, well in fact it was yesterday, which was the 11th of July, the first features of this new service were released into public preview, which I'm really excited about.

Now I want to just reflect on a couple of key concepts that were coined by Gartner. So the first one was the Secure Access Service Edge, or SASE; that was in 2019, and SASE is cloud services providing zero trust network access (I'll come back to what that is), cloud access security broker (now Microsoft already have a cloud access security broker and that is Defender for Cloud Apps, and the idea is you've got a user who is connecting into an application and we can monitor what's going on between that application and that user, so we can look and block maybe file downloads, or we can say you can download certain files but not other files, we can look at data loss prevention and have lots of policies involved), secure web gateway (and this is about really protecting your organization from the internet, so blocking access to certain URLs, filtering content, blocking access to certain characteristics of different websites that you may not want your users actually going to), and then firewall as a service is another feature built in, and then software-defined wide area networks. What if we think about it: we've got a cloud provider providing the most amazing global network, well why not allow our users to connect in and use that network and develop it as a software-defined one, sort of eliminating the need for MPLS and so on. So in 2021 Gartner coined the phrase Security Service Edge, and basically it's all the security features of SASE without the software-defined WAN.

Now I said I'd come back to ZTNA. ZTNA is zero trust network access, and we can have various zero trust components in our system, but the key thing is we always verify. So it's not about not trusting someone; it's not trusting them once they're in our system without continuously verifying them. So verify explicitly: every time someone wants to do something, check that they're allowed to do what they're trying to do, and base it on lots of signals. So signals from the device they're on, signals from the device health, and you know their identity obviously, what they're trying to get at, what their geolocation is; bring all that information in and continuously verify. The next thing is use least privileged access. Now traditionally that's always been thought about as administrative roles, so if you don't need to be a Global Administrator let's make you an administrator that can just do your task, i.e. least privileged administration. But actually it's way more than that, it's about entitlement as well: what applications is a user allowed to use, make sure it's only the minimum set, and then we can use application segmentation to limit application access as well. So least privilege access. And the thing is, we have to these days assume breach; we can't assume our systems are protected, so we've got to continuously monitor all our resources, combine that with AI, with threat intelligence, bringing in all the signals, consolidating them for extended detection and response, automating tasks with playbooks and so on. So the three tenets of ZTNA: verify explicitly, use least privileged access, and assume breach.

Now VPNs have always been very traditional: hey, how do we get our remote worker onto our network so they can do things? Oh, put up a VPN. The problem is with VPNs they connect the user to a network or network segment rather than a specific application. And in the last one, attacker with credentials, and notice I put "with credentials", I haven't put "with compromised credentials" in there, because a huge number of attacks are coming from our internal people with credentials. Once they're coming in on the VPN they have access to multiple resources; they're on the network, they can do reconnaissance, they can do lateral movement. And then, you know, you have a VPN and it's possibly a fixed appliance or appliances, and then connection scaling becomes a problem, you know, you need to scale up more connections because suddenly COVID comes along and suddenly all your workers are working from home; you've got to deal with performance, you've got to deal with redundancy, and it's all challenging, it's all costly. Another disadvantage is clients connecting may have to traverse the internet. Imagine a client at some remote location in another country and they want to get at a SaaS app and they're coming in through the VPN, so they're coming all the way across the internet to the VPN point and then maybe they're going all the way back to the country they're in to access the app that's, you know, in a data center just a few hundred yards down the road. And then you've got excessive overhead in managing access to cloud services. So VPNs are not great.

Now if we think about a Security Service Edge, what can it do for us? Well, number one, if it has a global presence our users connect to the nearest PoP regardless of where they're located, so we're not traversing all over the internet, we're just coming in at a local point of presence. Scalability, performance, redundancy, all managed by the cloud, so we don't even have to think of it. And then what we've got is we can go to our applications, and they might be SaaS apps, they might be internet websites, they might be our on-premises apps, or in fact apps that are private to us that are in multi-cloud. And of course with SSE we can impose whatever security controls that cloud provider is giving us, so maybe we've got firewall as a service, we've got secure web gateway as a service, we've got DLP as a service and many more different features. All access is via the SSE, and applications are authenticated and continuously verified; ticks the box, verify explicitly. Access is limited to application segments, so that gives us our least privilege access, and all traffic and behaviors are constantly monitored, so that deals with our assume breach. So our three tenets from ZTNA, tick tick tick.

Now if we're looking at someone providing an SSE service, and it's a cloud provider doing this, what they need is a fast, highly reliable, secure global network. We need geolocated points of presence so our clients can connect in. We need high performance, reliability and scalability of virtualized services, so if we've got a virtualized firewall, we've got a virtualized gateway of some kind, it needs to be virtualized in the correct location, so that's all got to be geo-distributed and it's got to be fast. And then we need best-of-breed identity and access management implementing a zero trust framework, and you need state-of-the-art threat intelligence. Well, you know what, Microsoft ticks all the boxes. So welcome to the public preview of Microsoft Entra Internet Access and Microsoft Entra Private Access; as I say, it's all bundled under the umbrella of Global Secure Access.

I want to start by looking at client-to-application connectivity, and here I've produced my own sort of diagram or graphic. Microsoft may throw their hands up in horror when they see this, but actually I think it explains the story quite well. You have an edge where your clients connect and you have an edge where we've got access to the applications. We've got Microsoft Entra ID, which, you know, is the rename of Azure Active Directory, and with Entra ID we've got authentication and Conditional Access; those are two core components. So when a client connects we can actually authenticate to the client edge, and also when we're going to an application we can authenticate the user to the application as well and impose Conditional Access policies. And then of course between the two we can put in any other security controls that might be available, and then we make the service worldwide, so everything is geo-located in terms of our points of presence and so on. So we have a client that wants to connect; it establishes a secure authenticated tunnel, and to do that our client is going to be running a GSA client. Now at the moment there's only a GSA client available for Windows 10 or 11, but more will become available, and there's an alternative to a GSA client as well which I will talk about shortly. Now on the connection we've got this secure authenticated tunnel established, and I'll go through the details of that tunnel in another video. We've got the user auth and also we have got CA evaluation, so with CA evaluation it's where's the user coming from, what's the device they're at, is the device compliant, you know, and so on; we can check all of that, really rich secure evaluation. So assuming we're on the edge, but you might be thinking, well hang on a minute, why did we send the traffic to the edge? Well, that's where we get our traffic forwarding profiles. So there's a traffic forwarding profile for Microsoft 365, there's one for Private Access, which is access to our private applications, and there's one for Internet Access. Now Microsoft 365, if you like, is a subset of Internet Access. M365 access and Private Access are there in the public preview that's now available; Internet Access will follow at some point in the future. These traffic forwarding profiles define what traffic should be forwarded to the edge, and that information is actually sent to the client, or the client downloads that information; it stores that information in a registry key, and, you know, in another video I will show you that registry key and how we can look at the traffic profile. We've got our client connected; the next thing is connecting to the application. So in terms of Entra Internet Access, one of those components is M365, so it's specially called out because M365 also has tenant restrictions associated with it as well, and again I'll talk more about tenant restrictions shortly. We've got connections to SaaS apps and internet websites, and we've got connections to Private Access, which is all those great things that are private to us, and they might be on-prem, they might be in one of many different clouds, so we can deal with multi-cloud environments. And remember when we're going to the apps we are going to be authenticating; we're also going to be running Conditional Access policies.

Now you might think all this is lovely, but what if I don't want to run a GSA client on my client machine, or what if I can't because there isn't one available? Well, what we've got is the ability to use a branch office connection. So we go from the customer premises equipment, or the CPE, through an IPsec IKEv2 tunnel to the edge, and that terminates the connection and then applies all the great features of the Security Service Edge. Now you might think, well, how does our branch office know how to route traffic? Well, here what we're doing is we're advertising through Border Gateway Protocol, so BGP advertises the routes.

I've mentioned Conditional Access policy a number of times and we're probably all familiar with Conditional Access policy. A couple of new features in Conditional Access policy: number one, we can actually say if you are going with Microsoft 365 traffic, impose this Conditional Access policy; if you're going with internet traffic, this one; and if you're going with private traffic, bring in another policy. So we could have different CAs depending on which traffic profile we're using. And then when we're going to the application, again we're running a CA policy to go to the app, and what we can do here is say that you can only go to the app if you're coming from a compliant network location, i.e. from our ZTNA network; if you're trying to go directly over the internet you'll be blocked. So that's another nice Conditional Access policy feature that's been introduced.

Let's do a demo of all this. So I'm going to start off this demo with a tour of the portal, and then we'll look at the client to M365 access. So here's my portal in the Microsoft Entra admin center, and notice the rename in there, Microsoft Entra ID (Azure AD). Right, let's go off into the get started on Global Secure Access, and what we've got is Microsoft Entra Internet Access and Microsoft Entra Private Access, and if you click on get started it will take you over to the appropriate documentation. If we go to our dashboard, on our dashboard we can see a number of things going on. Well, I've got a very small test environment: I've got two devices, I've got two users. I do have 40 workloads in my environment, but in terms of testing the Global Secure Access I only have two devices and two users. But what we can see is cross-tenant access, and down here it says configure universal tenant restrictions, whatever they are; we'll come back to that. And then we've got the top user destinations being shown as well. Okay, so that's a really useful dashboard. Next thing, under devices, what we've got is clients, and this is where you download the client to go on your Windows 10 or 11 operating system. Okay, there is a requirement: it needs to be an Azure AD joined device. The reason, of course, is because that initial connection it's going to create is device authenticated as well. So that's where we get our client from, and then if we're going to do a branch office we create a remote network, and I will come back on that. So in terms of Private Access we've got Quick Access and we've got Enterprise applications; again I will come back on both of those. Now there's some Global Secure Access settings, and one of them is the session management, and if we look at session management we have two options here: tenant restrictions, and this is where we can use the network for doing tenant restrictions (again I'll come back to what tenant restrictions are), and then you've got adaptive access, which is where we've got signaling that can be used in Conditional Access and also in continuous access evaluation, and also it does client IP restoration, so we actually know the address that the client is coming from rather than the point where we come into the secure edge. Then under here also we have the ability of setting up logging, and this is one thing they've done: there's a lot of really good logging for SharePoint; Teams is to come shortly, Exchange is to come as well. So enhanced logging and faster logging as well takes place. And then if we go down under secure you'll see policy profiles and web filtering policy, and if you click on one of those you'll come up with this message here; this message will say to you, you know, join our private preview, because this is part of Internet Access and it is to follow, and that will apply to the web filtering policy as well. We go down to connect and I look at traffic forwarding, and at the moment we've got two traffic forwarding profiles, one for M365, one for Private Access; there will be an internet one at some point. Then if we go on and actually look at connectors, and I've got my private connectors; again it's using an application proxy connector and I will come back on that. And then finally, down here in the UX, we've got monitoring and we've got audit logs, and those are really good and powerful, but again they're finishing that feature off; we've got traffic logs, which will log all your traffic in the ecosystem, and we've got also the enriched M365 logs, and workbooks for doing analysis on our logged data.

Let's go to our client and actually look at some of this going on. So on my client I have the GSA client installed; it's currently disconnected. So with it disconnected let's do some pinging. So we're going to ping the XCS dev and it's coming out at a 13.x address; ping xtfs, um, sorry, ping login.microsoftonline.com, and again it's coming out with a 40.x address. Let's now go to SharePoint, and we're going directly to SharePoint; we're not coming in through the Security Service Edge. So let's now enable the client, and what I'm going to do once it's enabled, I'm going to also actually switch users, because this will cause my user to re-authenticate on the network. And there we are, and there's our re-authentication to the network, James Bond, and we've got another one. Okay, I'll come back to that, why we've got two; you might be able to guess, but I'll come back to it. Now if I do my ping to login.microsoftonline.com I'm going to 6.6, and if I do my ping to SharePoint I'm going to 6.6 again; I'm going in on the edge. If I go across to SharePoint itself, I'm now connecting through my Security Service Edge into SharePoint, which is really great. What I can do is I can actually look at this traffic. I've got a connection diagnostics here; I'm going to turn that on, and if we look at the hostname acquisition we'll see it acquires very shortly, and then I can look at the flows. So I'm going to start off by going back to SharePoint, and having gone to SharePoint we'll go to Outlook as well, and both of those are going through the Security Service Edge. So let's look at that traffic, and we can see it's there; so we've got SharePoint and then we've got outlook.office365.com, so that's actually being captured. This is a useful tool to have available. So now if we look at the sign-in logs in, I have to get it right, Entra ID, all right, so we've got in here James Bond's come in and he has just come in to the private network; that was his first login, and then if we look at the next login we'll see that James Bond has come in on the M365 network profile. So two authentications, right, but we've got Conditional Access running if we want to, we've got this sign-in that's happening, so actually let's go and look to see what we could do.

So I'm going to go to a policy, and I've got a policy already cooked down here, and if we look at my policy 27 what we can see is we've got users, and it's very much focused on the users I'm testing with, so I have my user James Bond. The target resource now is a network profile and I'm targeting Microsoft 365 traffic, and what I want to happen is when James Bond is going to Microsoft 365 traffic I'm going to grant, but I'm going to grant access subject to him agreeing the M365 network terms of use; so if you want to get access you've got to sign up to the terms of use. So let's actually enable this, and I'm going to save that, and now let's go and experience this. So I'm going to come back over into my client, I'm going to come in here and switch user, which is going to cause re-authentication to the network. I'm going to go in as James Bond again, and this time James Bond is being asked to agree the terms of use; so our Conditional Access has come into play. Now I could have done MFA to get at the network, but you know James is on a Windows Azure AD registered machine, he's actually got a strong authentication already, so it wouldn't have shown much by turning it on because it's already got strong authentication. So we're going to agree the terms of use, so we're going to read this comprehensively, accept that, and having accepted that we're going to go in again as James Bond for the other network; now there were no terms of use on the other network. Okay, now what I want to do now is look at a slightly different policy, and this is the policy when I'm going to SharePoint. So here is James Bond, the application is SharePoint, and now I'm saying the condition when I go to SharePoint is any location, so this policy will apply to any location excluding the compliant network, so edge network locations. Okay, so what I'm going to do now is actually have a look at what I'm going to do in terms of control, and I'm going to block access; so I'm going to block any access to SharePoint unless it comes from the compliant network. So let's try that out and see what happens. So we go on there, we'll save that, and now what we'll do is we will just check that we can get to SharePoint, which we can, as expected; we're coming across the compliant network. And then what we're going to do is we're going to disable the client, so we're going to pause the client, and then we're going to go to SharePoint again, and we're going to go in and log in as James Bond, and it says you can't get that, right, and the reason being of course is that SharePoint's detected, well not SharePoint but the system's detected, that you are not coming from a compliant network and so is blocking access. All right, let's resume. So we're going to go back; it's already got our tokens so I don't have to sign in again, and now we're going to SharePoint and connect as James, and we're in, which is perfect.

Okay, so in terms of the devices we have the clients, but we also have the ability to have a remote network, and by the way I recorded this part of the video before I realized I'd misspelt my branch; it should be Branch 1a1. So if I look at links, what I've got in here is I've got the primary and the secondary links; I've got two links coming from the Microsoft environment to my branch office. And if I look at my traffic profiles it actually shows I can't select the internet traffic profile and I can't select private at the moment, but it shows it's M365 traffic; so at the moment the branch environment works with M365 traffic. So now if I go and have a look at my customer premises equipment, which happens to be an Azure VNG, I can see that I've actually got two connections. If I look at the BGP routing, what I'll see is that this particular CPE has acquired all of the routes, and where did it get those routes from? It got them via BGP advertising. So that's client M365 connectivity. So what I want to do now is look at Internet Access. Oh, I can't, so we'll have to come back to this in another video later on when it goes into public preview; it's about to go into private preview, private preview is under NDA, and I can't talk about anything that is in the private preview.

So Private Access is where we access applications that are private to us and probably not on the internet. What we have in Private Access is we have the Security Service Edge, which is going to talk down to a remote endpoint, and that remote endpoint could be on-prem, it could be in another cloud; it's basically getting us to applications that are not on the internet. So we have to have this remote endpoint, which is connected through a secure tunnel into the Security Service Edge. The beauty of this is that it supports connections for IP, fully qualified domain names, and ports. So we've got IP ranges, we can use fully qualified domain names, wildcards are supported as well. Right at this moment it only supports TCP; UDP support will be coming, and it allows connections to HTTP, HTTPS, RDP, SSH, SMB and so on. Okay, but as I say, the restriction at the moment is that it only uses the TCP protocol. How do we publish an application? Very easily: we basically create an application segment, which has a destination type, which could be IP, it could be a range of addresses, or it could be a fully qualified domain name, and then we specify a port. It's using effectively the application proxy connector. Now if you're familiar with the application proxy connector, what you'd normally do is have an external URL; you don't have that anymore. This is basically published and known about by the Security Service Edge, so the Security Service Edge can route traffic appropriately, so it can route traffic to 10.0.0.27 and know which connector to send it down to. Also you do not have any internal URLs; it's all done on IP/FQDN and port number. And the other thing is this connection is represented via an Enterprise application, and with Enterprise applications of course you can assign users to them, and you need to assign a user to get access, and you can apply Conditional Access policy. Now there's two flavors of this: there's Quick Access, and the idea of Quick Access gives you quick access and setting up access to lots of different applications. The problem with Quick Access is it's a single Enterprise app, so it's a single Conditional Access for all of your Quick Access published applications. We can also do per-app access, in which case we have individual Enterprise apps representing the apps which are in the cloud; in this situation we can have Conditional Access that is applied to all of the different apps in your cloud or in your on-premises environment. In terms of routing, well, what happens is the traffic forwarding profile has the routing information added to it, so if you go from your client to 10.0.0.7, your client doesn't have access to that at all, but the client knows to send that to the edge, and then the Security Service Edge knows that for 10.0.0.7 I need to send it over that connector to get to its target system, and of course the connection is actually gated as well, so Conditional Access.

So let's have a demo of Private Access. Here I am in the portal again, and what I'm going to do is go down and find Quick Access, and what we can see under Quick Access is that we've actually just published a number of paths, application parts or application segments; so on 10.0.0.7 port 3389 has been published, again 10.0.0.7 port 445, and 10.0.0.7 port 80. Now of course I could actually have different destinations, and those destinations could be defined by a fully qualified domain name or even a range of IP addresses, and then I've got a connector group that I'm using too, which is my Nas Europe connector group, which is actually allowing it to get down to my environment, which is my test environment; this is why I've actually got RDP on a domain controller, you know, so I should have separated that out as another application. Let's go and have a look at the user experience, and if we look on here, I'm going to my IIS server using 10.0.0.7; so, you know, the client knows nothing about 10.0.0.7, but the GSA client running on here, an agent if you like, knows to forward that to the Security Service Edge. If we look at another one on here, I've got my domain controller; I've got RDP directly to it, so I'm connecting. This is actually using Quick Access, so I could have a Conditional Access policy on Quick Access saying to make this connection you must use MFA. If we go down there, that is our domain controller, and then last but not least I'll just show you a connection to SMB, and this is an SMB connection to a file share, and there's our data on the file share, and we're actually going to read that data from the text file. Okay, so that's really quite nice. Let's look at the sort of per-application publishing, if you like, but before we do that let's go into Identity and look at Enterprise applications, and if we search in Enterprise applications what we'll find is Quick Access. So Quick Access appears in Enterprise applications; it means that we can apply Conditional Access to it, we can also assign users, so you can't gain access to Quick Access unless you've been assigned. And if I come in here and I look under policies and I just get a new policy, and come in and, I think, yeah, let's just look at a target resource, just to show that Quick Access is there. But remember Quick Access is where we're bundling together access to a number of applications through connectors, and actually it might be nice to publish them individually, which we can do, and I've got an individual app published down here. So if we go to the Enterprise applications, and there's my web hub app, and if I select that I can look at network access properties, and we can see that we're using a fully qualified domain name, it's www.1.use.xdshub.com, and it's going to go to port 80, and we're using the same connector group to come through. So let's actually just experience that, and I'm just going to go back to my client and I'm going to go to my target using a fully qualified domain name, and there we are, successfully connected. So that's Private Access for you.

Our next thing to do is to look at universal tenant restrictions. When a user is on your corporate network, preventing them signing in using an external Entra ID tenant account or an MSA account is a challenge. The reason being is you might have genuine users that need to sign in to a tenant, and that's your tenant, right, or they might need to sign in with an MSA account. So how do we decide how to block this? You know, if it was signing in to Google, signing in to Okta, signing in to OneLogin, we can just block it through a firewall rule, but we can't block access to login.microsoftonline.com. How do we manage it? Well, we manage it with tenant restrictions, and there are actually three flavors of tenant restrictions. There's tenant restrictions V1, and with tenant restrictions V1 it was down to a network administrator to apply header tagging with a list of allowed tenants into your customer premises equipment; you had to get a network administrator involved in doing that. So you've got to do SSL inspection, you've got to do tagging, there's no granularity, it's all or nothing; we can't do it on a per-user basis, we can't do it on a per-application basis; it doesn't prevent token injection or anonymous access; the data path is not protected; and remote clients are going to need a hairpin via your corporate network. What happened is we tagged, and then when we go to login.microsoftonline.com, Entra ID looks at the tagging and allows or blocks authentication based on the tenant list which is in the tagging. So that was V1. Then along came V2, and the nice thing about V2 is that we can actually define the tenant restrictions through the portal, so that's a possibility; we can bring it down to user, group and application granularity. The problem with V2 tenant restrictions is that the tenant restrictions are applied as a group policy to the operating system and then the browser is going to do the tagging for you; the problem is it only works with the Edge browser, .NET application support is actually partial, and the rest are not supported. So although it's really quite nice, and it protects not only the authentication path but it protects against anonymous access, it also protects the data path, so if you've got a token injection it will protect you from that for M365 apps. Then along comes universal tenant restrictions, and this works when you're going to the edge and the tagging is automatically done at the edge, so it has all the advantages of TRv2: so anonymous, it does authentication, and it also does actual data path access, and it works with all GSA clients, that's a single client running the GSA client, and it also works for branch offices.

Let's have a little demo. So I'm going to go into my portal and I'm going down to cross-tenant access settings, and if we look at those cross-tenant access settings and the default settings for that, and we're looking for tenant restrictions, we can see that external users and groups are all blocked; so this is when you're using an external account to go to an external resource, right, it's blocked, and then we've got external applications, again all blocked. Let's actually go and have a look at this in action, but before we do I'm actually going to pause my client. So I'm going to go off to my demo SharePoint site, right, with my client paused, and I'm going to sign in as Adele. So Adele signs in and she should have access, because we've got no tenant restrictions in; we've just turned off the GSA client. Okay, let's turn the client back on. Now, sitting on my corporate network on my device, I'm going to use a remote, or sorry, an external identity, so signing in as Adele again, and this time access is blocked. Let's go back and have a look at the tenant restrictions in a bit more detail. So rather than using the defaults I want to create one for an organization, and this is the organization I want Adele to be able to go to, and I need a tenant ID, so I'm going to drop the tenant ID in there for Contoso, so that is my tenant, and then what I'm going to do is I'm going to come down to the tenant restriction settings for Contoso, and it's on "inherited from default"; I'm going to change that to customize settings, and I'm going to allow access, but I'm going to do it for just Adele. So what I need to do is contact the Contoso admin and get Adele's OID, so we just drop in Adele's OID in here, and then I'm going to further enhance it by going to external applications and I'm going to allow access to a selected external application, and this is just SharePoint, so we'll look for SharePoint in here, and that's the external application I'm going to allow Adele to gain access to using her external tenant account. Okay, so that's set up that lot. So let's go to my demo SharePoint; remember this was previously blocked. So we're going to sign in as Adele, and having signed in as Adele we should in theory be able to gain access, and yes we can. Okay, so that's really good. And now let's go to Outlook and see what happens here, and again we're going to choose our account, I'm going to Outlook with, and we'll put in our password, and this in theory should be blocked, which it is, which is fantastic. Now the beauty of this is it works with branch office scenarios as well, so here I'm on my branch client; I've got no GSA client installed on
here I'm going to go off to SharePoint and I'm going to sign into SharePoint as Adele and that should work come on SharePoint so there's a Dell going into SharePoint and I'm hoping this will be successful which it is and then if we go to Outlook this will be blocked like and because the tenant restrictions and the tagging applies to our branch office scenario as well so that's from the branch office thanks for watching this session to the end now you know what Microsoft enter Global secure access is and its key components and that's Microsoft enter internet access and Microsoft enter private access watch this space well I'll do some deep Dives in this technology don't forget to subscribe and keep learning oh and click that Bell I'll see you next time in the cloud thanks for watching my channel subscribe for more free training you might like to join me for my identity masterclass hopefully see you soon [Music] foreign [Music]
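The demo walks through the decision logic of tenant restrictions without spelling it out: a default that blocks all external users and external applications, a per-organization override keyed by external tenant ID that either inherits that default or is customized, and a user rule and an application rule that both have to pass. The following Python model is an added illustration and is not Microsoft's code or the Entra API; every tenant ID, OID and application ID in it is a constructed placeholder, the Contoso entry mirrors the demo (only Adele's OID, only SharePoint), and the V1 "tagging" helper uses the two header names from Microsoft's tenant-restrictions v1 documentation, which the video only refers to as tagging.

```python
# Constructed model of how Entra tenant-restriction settings resolve to an
# allow/block decision. Added illustration, not Microsoft code and not the
# Entra API; all identifiers below are placeholders.
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    BLOCK_ALL = "block_all"          # the portal default for external users/apps
    ALLOW_ALL = "allow_all"
    ALLOW_SELECTED = "allow_selected"


@dataclass(frozen=True)
class Rule:
    mode: Access
    selected: frozenset = frozenset()

    def permits(self, value: str) -> bool:
        if self.mode is Access.ALLOW_ALL:
            return True
        if self.mode is Access.ALLOW_SELECTED:
            return value in self.selected
        return False  # BLOCK_ALL


@dataclass(frozen=True)
class TenantRestrictions:
    users: Rule          # "external users and groups"
    applications: Rule   # "external applications"


# Default settings as shown in the demo: everything external is blocked.
DEFAULT_SETTINGS = TenantRestrictions(
    users=Rule(Access.BLOCK_ALL),
    applications=Rule(Access.BLOCK_ALL),
)


@dataclass
class Policy:
    default: TenantRestrictions = DEFAULT_SETTINGS
    # Per-organization overrides keyed by external tenant ID. An external
    # tenant with no entry "inherits from default".
    organizations: dict = field(default_factory=dict)

    def settings_for(self, external_tenant_id: str) -> TenantRestrictions:
        return self.organizations.get(external_tenant_id, self.default)

    def is_allowed(self, external_tenant_id: str, user_oid: str, app_id: str) -> bool:
        """Both the user rule and the application rule must permit the request."""
        s = self.settings_for(external_tenant_id)
        return s.users.permits(user_oid) and s.applications.permits(app_id)

    def v1_tagging_headers(self, home_tenant_id: str) -> dict:
        """Headers a V1-style proxy injects ("tagging"). Header names follow
        Microsoft's tenant-restrictions v1 documentation (assumption: they are
        not named in the video). The list is the home tenant plus every external
        tenant that this policy does not block outright."""
        reachable = [home_tenant_id] + [
            t for t, s in self.organizations.items()
            if s.users.mode is not Access.BLOCK_ALL
            and s.applications.mode is not Access.BLOCK_ALL
        ]
        return {
            "Restrict-Access-To-Tenants": ",".join(reachable),
            "Restrict-Access-Context": home_tenant_id,
        }


# --- Constructed sample data mirroring the demo (all values are placeholders) ---
HOME_TENANT = "00000000-0000-0000-0000-000000000000"
CONTOSO_TENANT = "11111111-1111-1111-1111-111111111111"
FABRIKAM_TENANT = "22222222-2222-2222-2222-222222222222"
ADELE_OID = "aaaaaaaa-0000-0000-0000-000000000001"
BOB_OID = "bbbbbbbb-0000-0000-0000-000000000002"
SHAREPOINT_APP = "app-sharepoint-online"   # placeholder, not the real app ID
OUTLOOK_APP = "app-exchange-online"        # placeholder, not the real app ID


def demo_policy() -> Policy:
    """Default block-all, plus a customized entry for Contoso that allows
    only Adele's OID and only the SharePoint application."""
    policy = Policy()
    policy.organizations[CONTOSO_TENANT] = TenantRestrictions(
        users=Rule(Access.ALLOW_SELECTED, frozenset({ADELE_OID})),
        applications=Rule(Access.ALLOW_SELECTED, frozenset({SHAREPOINT_APP})),
    )
    return policy


if __name__ == "__main__":
    p = demo_policy()
    cases = [
        ("Adele -> SharePoint (Contoso)", CONTOSO_TENANT, ADELE_OID, SHAREPOINT_APP),
        ("Adele -> Outlook (Contoso)", CONTOSO_TENANT, ADELE_OID, OUTLOOK_APP),
        ("Bob -> SharePoint (Contoso)", CONTOSO_TENANT, BOB_OID, SHAREPOINT_APP),
        ("Adele -> SharePoint (Fabrikam, inherits default)", FABRIKAM_TENANT, ADELE_OID, SHAREPOINT_APP),
    ]
    for label, tenant, oid, app in cases:
        print(label, "allowed" if p.is_allowed(tenant, oid, app) else "blocked")
    print(p.v1_tagging_headers(HOME_TENANT))
```

The point the model makes explicit is that an allow needs two independent rules to pass, so a customized organization entry that opens up a user but leaves applications at block-all still blocks, and any external tenant without its own entry falls straight back to the default.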
Info
Channel: John Craddock Identity and Access Training
Views: 9,718
Keywords: John Craddock Identity and Access Training, Azure AD, Identity, Microsoft Entra, Security Service Edge, SSE, Microsoft Entra ID, Microsoft Entra Internet Access, Microsoft Entra Private Access, Zero Trust Network Access, ZTNA
Id: W2wM774n6Nc
Length: 51min 7sec (3067 seconds)
Published: Wed Jul 12 2023