Microsoft Entra Blog

Microsoft Entra Internet Access now generally available

Anupma_Sharma
Sep 18, 2024

With the rise of hybrid work, identity and network security professionals are now at the forefront of protecting their organizations. Traditional network security tools fall short of the integration, complexity, and scale requirements of anywhere access, leaving organizations exposed to security risks and poor user experiences. To address this, network security and identity must function as a unified force in defense. Only when identity and network controls are deeply integrated into secure access can we fully deliver on the core Zero Trust principles, where trust is never implicit and access is granted on a need-to-know, least-privileged basis across all users, devices, and applications.

Microsoft Entra Internet Access

On July 11th, 2024, we announced general availability (GA) of Microsoft Entra Suite, which includes Microsoft Entra Internet Access, part of Microsoft's Security Service Edge (SSE) solution. Internet Access secures access to all internet and SaaS applications and resources with an identity-centric secure web gateway (SWG), unifying identity and network access controls through a single Zero Trust policy engine to close security gaps and minimize the risk of cyberthreats. Our solution integrates seamlessly with Microsoft Entra ID, eliminating the need to manage users, groups, and apps in multiple places. It protects users, devices, and resources with capabilities such as universal Conditional Access, context-aware network security, and web content filtering, so you no longer need to manage multiple disconnected network security tools.

Figure 1: Secure access to all internet and SaaS applications and resources, with an identity-centric SWG.

Unified identity and network security

Our deep integration with Entra ID extends Conditional Access, and later continuous access evaluation (CAE), to any external destination, internet resource, and cloud application, even those that are not integrated or federated with Entra ID. Through Conditional Access you can enforce granular controls, applying network security policies tailored to your enterprise's requirements based on device, user, location, and risk conditions. Additionally, Microsoft Entra Internet Access provides enhanced security capabilities, such as token replay protection and data exfiltration controls, for Entra ID federated applications.

Figure 2: Rich user, device, location, and risk awareness of Conditional Access for network security policy enforcement

Protect your users with context-aware network security

With Microsoft Entra Internet Access you can now link your network security policies to Conditional Access, giving you a versatile tool that adapts to various scenarios for SWG policy enforcement. With web category filtering, you can allow or block a vast range of internet destinations based on pre-populated web categories. For more granular control, you can use fully qualified domain name (FQDN) filtering to establish policies for specific endpoints or to override general web category policies.

For instance, you can create a policy that allows your finance team access to critical finance applications while restricting access for the rest of your organization. Furthermore, you can add risk-based filtering policies that dynamically adapt to a user's risk level from Entra ID Protection, restricting access to these destinations for users whose risk is elevated and providing additional protection for your organization. Another example is just-in-time access to Dropbox while blocking all other external storage sites, leveraging the deep integration between Microsoft Entra Internet Access, Conditional Access, and Entra ID Governance workflows.
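The policy layering described above (web category rules, FQDN overrides that win over categories, group scoping, and user-risk conditions) as a toy evaluator. This is an added illustration, not Microsoft's implementation; the category map, the rule format, and the precedence order (FQDN tier first, then first scoped rule wins, unmatched destinations allowed) are assumptions of the model.

```python
"""Toy model of layered web-filtering policy (added illustration, not Entra code)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the pre-populated web categories.
CATEGORIES = {
    "payroll.example.com": "Finance",
    "dropbox.com": "External Storage",
    "box.example.net": "External Storage",
    "news.example.org": "News",
}
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class Rule:
    action: str                      # "allow" or "block"
    category: Optional[str] = None   # web category the rule targets
    fqdn: Optional[str] = None       # exact FQDN; wins over category rules
    groups: set = field(default_factory=set)  # empty = applies to everyone
    max_risk: str = "high"           # allow only while user risk <= this

def decide(rule: Rule, risk: str) -> str:
    """Risk-based filtering: an allow is revoked when user risk is elevated."""
    if rule.action == "allow" and RISK_ORDER[risk] > RISK_ORDER[rule.max_risk]:
        return "block"
    return rule.action

def evaluate(rules, fqdn: str, user_groups: set, risk: str = "none") -> str:
    """FQDN rules take precedence over category rules; within a tier the first
    rule scoped to the user wins; destinations with no matching rule are
    allowed (an assumption of this model)."""
    scoped = [r for r in rules if not r.groups or r.groups & user_groups]
    for r in scoped:
        if r.fqdn == fqdn:
            return decide(r, risk)
    category = CATEGORIES.get(fqdn)
    for r in scoped:
        if r.category is not None and r.category == category:
            return decide(r, risk)
    return "allow"

# Constructed rule set mirroring the examples in the text.
RULES = [
    Rule("allow", category="Finance", groups={"finance"}, max_risk="low"),
    Rule("block", category="Finance"),                         # everyone else
    Rule("allow", fqdn="dropbox.com", groups={"dropbox-jit"}),  # JIT-granted group
    Rule("block", category="External Storage"),
]
```

Calling `evaluate(RULES, "payroll.example.com", {"finance"}, "medium")` returns `"block"`: the finance allow is revoked once user risk exceeds the rule's `max_risk`.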

In the coming months, we’ll be adding new capabilities such as TLS inspection and URL filtering to provide even more granular control for your web filtering policies. Plus, we’ll be adding Threat Intelligence (TI) filtering to prevent users from accessing known malicious internet destinations.

Provide defense in depth against token replay attacks with the Compliant Network check

With the new Compliant Network control, you can prevent token replay attacks across the authentication plane by extending the Compliant Network check through Conditional Access to any Entra ID federated internet application, including Microsoft 365 applications. This control also ensures that users cannot bypass the SSE security stack when accessing those applications. Compliant Network eliminates the inherent disadvantages of source-IP-based location enforcement: cumbersome IP management and hairpinning of remote users' traffic through branch networks.

Protect against data exfiltration by enabling universal tenant restrictions (TRv2) controls

With Microsoft Entra Internet Access you can enable Universal Tenant Restrictions controls across all managed devices and network branches, regardless of OS and browser platform. Tenant Restrictions v2 is a strong data exfiltration control that lets you manage external access risks from your managed devices and networks by curating a granular allow or deny list of the foreign identities and applications that can or cannot be accessed.

Figure 5: Universal tenant restrictions

Avoid obfuscating the original user source IP

Traditional third-party SSE solutions hide the original source IP of users and show only the proxy IP address, which degrades your Entra ID log fidelity and Conditional Access controls. Our solution restores the original end-user source IP context for Entra ID activity logs and risk assessment. It also maintains backward compatibility with source-IP-based location checks in your Conditional Access policies.

Deliver fast and consistent access at a global scale

Our globally distributed proxy, with multiple points of presence close to your users, eliminates extra hops and optimizes traffic routing to the internet. You can connect remote workers and branch offices through our global secure edge, which is only milliseconds away from users. We have thousands of peering connections with internet providers and SaaS services, and for services like Microsoft 365 and Azure you avoid the performance penalties of additional hops and improve overall user experience by sending the traffic directly to Microsoft's WAN infrastructure.

Figure 7: Microsoft's global Wide Area Network (WAN)

Attain deep insights and network analytics using in-product dashboards

Our in-product reports and dashboards are designed to be easy to digest and to give a holistic view of your organization's entire ecosystem. You can monitor deployment status, identify emerging threats through network and policy monitoring logs, and address problems quickly. The dashboard delivers an overview of the users, devices, and destinations connected through Microsoft's SSE solution. It shows cross-tenant access within your enterprise, as well as the top network destinations in use and other policy analytics.

Figure 8: In-product dashboard

Microsoft Entra Internet Access architecture overview

Microsoft's SSE architecture for client and branch connectivity streamlines network access and security. The Global Secure Access standalone client for endpoints is currently available for Windows and Android; macOS and iOS are coming soon. Branch connectivity relies on site-to-site connections from network devices to Microsoft's SSE edge services; the Microsoft traffic profile is available now, with Internet Access traffic being added soon. Traffic from both the client and branch connectivity models is secured and tunneled through Microsoft's SSE edges. Additionally, we have partnered with HPE Aruba and Versa to integrate our SSE solution with their SD-WAN offerings, with additional SD-WAN partners coming soon.

Side-by-side interoperability with third-party SSE solutions

One of the unique advantages of Microsoft's SSE solution is its built-in compatibility with third-party SSE solutions, which lets you acquire only the traffic you need to send to Microsoft's SSE edges. For example, you can enable the Microsoft traffic profile to manage Microsoft 365 and Entra ID traffic and optimize performance for your Microsoft applications while using other providers for the remaining traffic. Configuring traffic forwarding profiles is straightforward and gives precise control over internet and SaaS traffic, including Microsoft 365. Traffic profiles are also user aware and can be targeted at specific groups in your enterprise as appropriate.

Figure 9: Flexible deployment options

Conclusion

Microsoft Entra Internet Access offers a robust, identity-centric SWG solution that secures access to internet and SaaS applications. By unifying Conditional Access policies across identity, endpoint, and network, it ensures every access point is safeguarded, adapting to the needs of a hybrid workforce and mitigating sophisticated cyberattacks. This strategic shift not only enhances security but also optimizes user experience, demonstrating Microsoft's commitment to leading the transition to cloud-first environments.

Learn more and get started 

Stay tuned for more Microsoft Entra Internet Access blogs and for a deeper dive into Microsoft Entra Private Access. For more information, watch our recent Tech Accelerator product deep dives.

To get started, contact a Microsoft sales representative, begin a trial, and explore Microsoft Entra Internet Access and Microsoft Entra Private Access general availability. Share your feedback to help us make this solution even better. 

Anupma Sharma, Principal Group Product Manager

Updated Sep 18, 2024
Version 2.0
  • sathishfiles
    Copper Contributor

    Hi,

    Here is the list of issues that need MS to help think about how to solve them. All these issues have been raised to MS, who witnessed them.

    This is my suggestion:

    1) There is a conflict on the WCF (which is part of GSA): if I'm using GSA as a proxy and the user disables it, then WCF protection won't apply. Hence GSA as an internet proxy is useless.
    2) WHY are users allowed to disable GSA if it's a proxy? MS should implement an exit code in the system tray, and the code would be shared by the admin to disable the agent if the user encounters issues on an exception basis, or the admin can directly disable it temporarily for the user from the GSA console page.
    3) After GSA is installed, users are impacted by token authentication errors on Outlook and Teams (confirmed by MS after we reproduced it).
    4) MS should consider removing the WCF if you don't want to implement an exit code (this is dangerous for security, as users can bypass the proxy). A lot of work needs to be done if MS wants to consider GSA Internet Access as a proxy!! Please look at how the Check Point Perimeter 81 proxy is done.
    5) If you are going to remove the WCF, then improve the WCF so that you are able to add wildcards/domains/FQDNs, etc.
    6) If you are not going to remove the WCF, then create 2 exit codes (1st exit code for GSA (internet proxy), 2nd exit code for Private Access) in the system tray.
    7) GSA policies should be downloaded to the devices or be part of the agent, so that remote users will have the policy enforced all the time when they go home.

    https://feedback.azure.com/d365community/idea/fe6a96b8-d07e-ef11-a4e5-000d3a01397d

  • addysidd27
    Copper Contributor

    Great to see Microsoft Entra Internet Access now GA! The identity-centric Secure Web Gateway is a game-changer for hybrid work setups, reinforcing security and simplifying internet and SaaS access. Excited to see how this will further streamline Conditional Access and protect against data threats in real-time. A huge step towards Zero Trust security! #MicrosoftEntra #ZeroTrust #HybridWork #CloudSecurity

  • Alshaherisam
    Copper Contributor

    It’s impressive to see how Microsoft continues to innovate in the identity and access management space, addressing the evolving security needs of organizations. I’m particularly interested in how this solution integrates with existing Microsoft security tools and how it can enhance our overall cybersecurity posture.