(93) Microsoft Entra - Global Secure Access

  • Writer: Mr B SOE way
  • Oct 17, 2023
  • 4 min read

A few months ago, I touched briefly on Microsoft Entra Internet Access here. Today I will be covering the relevant topics around Microsoft Entra - Global Secure Access.


What is Microsoft Entra Global Secure Access?

Microsoft Entra Global Secure Access is Microsoft's Security Service Edge platform for controlling how users reach resources. It acts as a gateway through which users connect to corporate applications, data and services regardless of their location, so that identity, device and network signals can be enforced on the traffic itself.


What is Microsoft Entra Private Access?

Microsoft Entra Private Access is a cloud-based solution built on the Azure Application Proxy access model, providing a Zero Trust Network Access (ZTNA) framework. Because it reuses the App Proxy connector, administrators can publish private applications that reside on-premises without a VPN client, simply by installing the connector on an on-premises server.

Using Microsoft Entra ID (Azure AD) authentication and Conditional Access policies, administrators can require device compliance and enforce multifactor authentication (MFA) where needed. Microsoft Entra Private Access extends Azure Application Proxy, which only published web applications, to TCP- and UDP-based applications such as RDP, SSH, SMB and HTTP/HTTPS.


Note: The connector requires Windows Server 2012 R2 or later, and the minimum connector version for Private Access is 1.5.3417.0. The latest version can be downloaded from https://download.msappproxy.net/subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/connector/download. For high availability, install the connector on two or more Windows servers; the service has no inbound dependency, so the servers only need outbound HTTPS.


Instructions:

1. Navigate to https://entra.microsoft.com then select Global Secure Access then select Connect then select Connectors then select Download connector service.


2. Select Accept Terms & Download.


3. Once downloaded, run the installer and sign in when prompted. The account used to register the connector must have the Application Administrator role assigned.

4. It will show up as installed successfully. Select Close.

5. Navigate back to the Microsoft Entra admin center and select Configure an app, then select Enable application proxy.
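After step 5 the connector should appear as Active in the portal. The script below is an added example, not from the original post, that checks the prerequisites listed above from the connector server itself: the Windows Server version, the installed connector version against the stated minimum, the connector services, and outbound HTTPS. The install path, the two service names and the two outbound hosts are assumptions based on the default App Proxy connector installation; adjust them if your build differs.

```powershell
# Added example, not from the original post: a post-install health check for a
# connector server, run in an elevated PowerShell session on that server.
# Assumptions: the default install path of the App Proxy connector binary, the
# two Windows service names below, and that outbound HTTPS to the hosts listed
# is what the connector needs. Adjust them if your environment differs.

$MinimumVersion = [version]'1.5.3417.0'   # minimum connector version stated above
$ConnectorExe   = 'C:\Program Files\Microsoft AAD App Proxy Connector\ApplicationProxyConnectorService.exe'  # assumed default path
$ServiceNames   = 'WAPCSvc', 'WAPCUpdaterSvc'   # assumed: connector service and its updater
$OutboundHosts  = 'login.microsoftonline.com', 'download.msappproxy.net'  # assumed registration/update hosts

function New-CheckResult {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Test-ConnectorOs {
    # Windows Server 2012 R2 is kernel version 6.3; anything older is unsupported.
    $os = Get-CimInstance Win32_OperatingSystem
    New-CheckResult 'OS version' ([version]$os.Version -ge [version]'6.3') "$($os.Caption) ($($os.Version))"
}

function Test-ConnectorVersion {
    param([string]$Path, [version]$Minimum)
    if (-not (Test-Path $Path)) {
        return New-CheckResult 'Connector version' $false "binary not found at $Path"
    }
    $installed = [version](Get-Item $Path).VersionInfo.FileVersion
    New-CheckResult 'Connector version' ($installed -ge $Minimum) "installed $installed, minimum $Minimum"
}

function Test-ConnectorServices {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { New-CheckResult "Service $name" $false 'not installed'; continue }
        # Both services should be running and set to start automatically.
        $ok = ($svc.Status -eq 'Running') -and ($svc.StartType -eq 'Automatic')
        New-CheckResult "Service $name" $ok "$($svc.Status), start type $($svc.StartType)"
    }
}

function Test-ConnectorEgress {
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        # The connector only needs outbound 443; no inbound firewall rule is required.
        $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        New-CheckResult "Egress ${h}:443" $t.TcpTestSucceeded "TCP connect: $($t.TcpTestSucceeded)"
    }
}

$results = @(
    Test-ConnectorOs
    Test-ConnectorVersion -Path $ConnectorExe -Minimum $MinimumVersion
    Test-ConnectorServices -Names $ServiceNames
    Test-ConnectorEgress -Hosts $OutboundHosts
)
$results | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    Write-Warning 'One or more checks failed; the connector will not show as Active in the portal until they pass.'
}
```

If the egress checks pass but the connector still shows as Inactive, the usual cause is an outbound proxy that the connector service does not use; the connector's own configuration handles that, and this script does not attempt to detect it.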


Key features and benefits of Microsoft Entra Global Secure Access


1) Universal Conditional Access

With Universal Conditional Access, the same Conditional Access policies used for cloud applications can be applied to Global Secure Access traffic profiles, for example to require MFA, require a compliant device or act on sign-in and user risk levels. Applying one policy engine to both network traffic and cloud applications is what makes the access control universal.

2) Universal Tenant Restrictions

Universal tenant restrictions build on tenant restrictions v2 by using Global Secure Access to tag the traffic, regardless of operating system, browser or device form factor. Because the tagging happens in Global Secure Access, it works for both client and remote network connectivity and removes the need to inject the tenant restrictions headers through your own proxy servers or other network configuration.


Navigate to https://entra.microsoft.com then select External identities then select Cross-tenant access settings then select Edit tenant restriction defaults.

Then update the changes as needed and save changes.

Note: Before you can use universal tenant restrictions, you must configure tenant restrictions v2 (the defaults and any partner-specific settings) as described at https://learn.microsoft.com/en-us/azure/active-directory/external-identities/tenant-restrictions-v2


3) Compliant Network Check

By combining Conditional Access with Global Secure Access, access to Microsoft apps, third-party SaaS apps and private line-of-business applications can be restricted to connections that arrive through Global Secure Access. The compliant network check ensures that users reach the tenant only through that trusted connectivity path and that the policies applied to it are adhered to; a token stolen and replayed from elsewhere fails the check.


The Global Secure Access client installed on devices, or a configured remote network, ensures resources are secured behind a compliant network with advanced Conditional Access controls. Note: The compliant network is unique to each tenant, which guarantees that other organisations using Global Secure Access cannot satisfy your tenant's compliant network check and reach your resources.


Navigate to https://entra.microsoft.com then select Global Secure Access then select Global Settings then select Session management then select Adaptive Access. Enable the option and save changes.



Next navigate to Microsoft Entra ID then Conditional Access then Named locations. Once Adaptive Access is enabled, a named location called All Compliant Network locations is created automatically; it is the location you reference in your Conditional Access policies.
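The portal steps above only create the named location; the enforcement comes from a Conditional Access policy that references it. The script below is an added example, not from the original post, that builds that policy with the Microsoft Graph PowerShell cmdlets, together with a policy of the Universal Conditional Access shape from section 1 (require MFA and a compliant device). It assumes the Microsoft.Graph module is installed, that the signed-in account can write Conditional Access policies, that Adaptive Access has already been enabled so the All Compliant Network locations named location exists, and that the break-glass group ID is a placeholder you replace with your own. Both policies are created in report-only mode so you can confirm the impact in the sign-in logs before enforcing.

```powershell
# Added example, not from the original post: build the Conditional Access policies
# behind the compliant network check and Universal Conditional Access with the
# Microsoft Graph PowerShell cmdlets instead of the portal.
# Assumptions: Microsoft.Graph module installed, signed-in account able to write
# Conditional Access policies, Adaptive Access already enabled so the named
# location exists, and $BreakGlassGroupId is a placeholder for your own group.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access group object ID

function Get-CompliantNetworkLocation {
    # Resolve the auto-created named location by display name; its ID is tenant-specific.
    $loc = Get-MgIdentityConditionalAccessNamedLocation -All |
        Where-Object { $_.DisplayName -eq 'All Compliant Network locations' }
    if (-not $loc) {
        throw 'Named location not found. Enable Adaptive Access under Global Secure Access > Global settings > Session management first.'
    }
    $loc
}

function New-CompliantNetworkPolicy {
    param([string]$LocationId, [string]$ExcludeGroupId)
    # Block all cloud apps unless the request arrives through Global Secure Access.
    # Including "All" locations and excluding the compliant network means the block
    # applies only to traffic that does not carry this tenant's compliant-network signal.
    # Report-only first; switch state to 'enabled' after reviewing sign-in logs.
    $body = @{
        displayName   = 'GSA - Require compliant network (report-only)'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeGroups = @($ExcludeGroupId) }
            applications = @{ includeApplications = @('All') }
            locations    = @{ includeLocations = @('All'); excludeLocations = @($LocationId) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function New-MfaCompliantDevicePolicy {
    param([string]$ExcludeGroupId)
    # The Universal Conditional Access shape from section 1: require MFA AND a
    # compliant device. 'All' cloud apps is used here; to scope the policy to a
    # traffic profile, put that profile's application ID (from the portal) in
    # includeApplications instead.
    $body = @{
        displayName   = 'GSA - Require MFA and compliant device (report-only)'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeGroups = @($ExcludeGroupId) }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$location = Get-CompliantNetworkLocation
$created  = @(
    New-CompliantNetworkPolicy -LocationId $location.Id -ExcludeGroupId $BreakGlassGroupId
    New-MfaCompliantDevicePolicy -ExcludeGroupId $BreakGlassGroupId
)
$created | Select-Object DisplayName, State, Id | Format-Table -AutoSize
```

Keep the break-glass exclusion: once the compliant network policy is enforced, an outage of the Global Secure Access client or tunnel would otherwise lock every account, including administrators, out of the tenant.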


4) Remote Networks

Remote networks are branch offices or other locations whose users need to reach the internet and private resources through Global Secure Access without installing the client on each device. Traffic can therefore reach Global Secure Access in two ways: from the client installed on end-user devices, or from a remote network such as a branch location whose physical router establishes a tunnel.


Before a remote network can be added, the tenant must be onboarded for remote networks. This is a one-time process.


Navigate to https://entra.microsoft.com then select Global Secure Access then select Devices then select Remote networks then select Onboard your tenant.

To connect a remote network to Global Secure Access, configure an IPsec tunnel between the on-premises router and the Global Secure Access endpoint assigned to that remote network.


5) Traffic Forwarding Profiles

Traffic forwarding profiles define which network traffic Global Secure Access captures and secures for the organisation. Traffic from the client or a remote network is assessed against the enabled profiles, and traffic that matches is routed through Global Secure Access to the applications and resources.


Navigate to https://entra.microsoft.com then select Global Secure Access then select Connect then select Traffic forwarding, then tick the profiles you want to enable.


When traffic reaches Global Secure Access, it is evaluated against the Microsoft 365 profile first and then the Private access profile. Traffic that matches neither profile is not forwarded through Global Secure Access and takes the device's normal route.
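The evaluation order matters when a destination could match more than one profile. The script below is an added example, not from the original post, that simulates that first-match evaluation over constructed sample profiles and flows; the rules are illustrative stand-ins for the real profile contents, not an export from a tenant.

```powershell
# Added example, not from the original post: a small simulation of the order in
# which traffic forwarding profiles are evaluated. The profiles, rules and flows
# below are constructed sample data that stand in for the real profile contents;
# the point is first-match ordering across profiles and the default of not
# forwarding traffic that matches nothing.

function ConvertTo-IpNumber {
    # Dotted-quad IPv4 string -> unsigned integer, for prefix comparison.
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function Test-CidrMatch {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $mask = if ([int]$prefix -eq 0) { [uint64]0 }
            else { ([uint64]0xFFFFFFFF -shl (32 - [int]$prefix)) -band [uint64]0xFFFFFFFF }
    ((ConvertTo-IpNumber $Ip) -band $mask) -eq ((ConvertTo-IpNumber $network) -band $mask)
}

function Test-RuleMatch {
    # A rule carries either a Cidr (IP destinations) or an Fqdn wildcard (name
    # destinations); a missing Ports list means any port.
    param([hashtable]$Rule, [string]$Destination, [int]$Port)
    $portOk = (-not $Rule.Ports) -or ($Rule.Ports -contains $Port)
    if (-not $portOk) { return $false }
    $isIp = [System.Net.IPAddress]::TryParse($Destination, [ref]$null)
    if ($Rule.ContainsKey('Cidr')) { return $isIp -and (Test-CidrMatch $Destination $Rule.Cidr) }
    if ($Rule.ContainsKey('Fqdn')) { return (-not $isIp) -and ($Destination -like $Rule.Fqdn) }
    $false
}

function Resolve-ForwardingProfile {
    # Walk the profiles in order; the first matching rule decides. Disabled
    # profiles are skipped, and no match means the traffic is not forwarded.
    param([array]$Profiles, [string]$Destination, [int]$Port)
    foreach ($prof in $Profiles) {
        if (-not $prof.Enabled) { continue }
        foreach ($rule in $prof.Rules) {
            if (Test-RuleMatch -Rule $rule -Destination $Destination -Port $Port) { return $prof.Name }
        }
    }
    'not forwarded'
}

# Constructed sample profiles in evaluation order: Microsoft 365 first, then Private access.
$Profiles = @(
    @{ Name = 'Microsoft 365';  Enabled = $true; Rules = @(
        @{ Fqdn = '*.office365.com'; Ports = @(443) },
        @{ Fqdn = 'outlook.office.com'; Ports = @(443) }) }
    @{ Name = 'Private access'; Enabled = $true; Rules = @(
        @{ Cidr = '10.0.0.0/8'; Ports = @(3389, 22, 445) },
        @{ Fqdn = '*.corp.example' }) }
)

# Constructed sample flows.
$Flows = @(
    @{ Destination = 'outlook.office365.com'; Port = 443 },
    @{ Destination = '10.20.30.40'; Port = 3389 },
    @{ Destination = '10.20.30.40'; Port = 8080 },
    @{ Destination = 'intranet.corp.example'; Port = 80 },
    @{ Destination = 'www.example.com'; Port = 443 }
)

$Flows | ForEach-Object {
    [pscustomobject]@{
        Destination = $_.Destination
        Port        = $_.Port
        Decision    = Resolve-ForwardingProfile -Profiles $Profiles -Destination $_.Destination -Port $_.Port
    }
} | Format-Table -AutoSize
```

The third flow is the case to watch: the destination is inside the private range, but port 8080 is not in the rule's port list, so it falls through every profile and is not forwarded. In a real deployment that is the symptom of an application that was published for some ports but not all of the ones it uses.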


6) Logs and Monitoring

There are three types of logs:


c) Enriched Microsoft 365 logs: these can be sent to a Log Analytics workspace and queried from there or from Microsoft Sentinel.


To enable these logs, navigate to https://entra.microsoft.com then select Global Secure Access then select Logging.

