A closer look at Microsoft Entra Internet Access | Microsoft Security | YouTubeToText
Core Theme
Microsoft Entra Internet Access is a new Security Service Edge (SSE) solution that unifies identity and network security to provide secure, performant, and compliant access to internet and SaaS resources for a modern, cloud-first, mobile-first world.
Hi everyone, my name is Samita Mystery. I am a product manager at Microsoft on the Security Service Edge team, and today we'll be doing a deep dive into Microsoft Entra Internet Access. Joining me from my team are Frank and Alexander. For today's session we'll be doing a quick summary of Microsoft's Security Service Edge solution, which includes Microsoft Entra Internet Access, and then take a closer look at the core internet access capabilities, our deep Entra ID integrations, and visibility and performance benefits. But first, let's address some of the challenges our new SSE solution helps solve.

With a rising number of internet resources and remote users to protect against cybersecurity threats, traditional network security approaches just don't scale to the modern demands of a cloud-first, mobile-first world. The practice of hairpinning users and branch offices to on-premises security stacks often proves slow and inadequate for the dynamic needs of hybrid work environments. Siloed and poorly integrated security solutions further exacerbate these challenges, introducing complexity, risks and unnecessary costs while leaving critical security gaps exposed. Furthermore, the fragmented nature of multiple security solutions hampers our ability to effectively defend against sophisticated cyber attacks, as legacy systems lack the capabilities required to address the expanding attack surface and evolving methods employed by cyber adversaries. Even if you solve for modernized access, you are still dealing with siloed solutions and end up managing your policies across multiple tools, expanding identity and network controls and exposing integration gaps that skilled attackers can exploit.

Microsoft's SSE solution, which includes Microsoft Entra Internet Access and Private Access, provides a unified approach across identity and network security that transforms the way you secure access. Our identity-centric SSE solution helps you secure access to any app or resource from anywhere, where you can enforce unified Conditional Access policies all managed in Microsoft Entra. With identity and network access solutions working together, you can bridge the gaps across multiple tools in one place and configure unified identity and network security controls with Conditional Access in Microsoft Entra.

Now let's touch on a few unique elements and key differentiations of Microsoft's SSE solution. With this unified approach we have collapsed the identity and network security controls fully together, extending the reach of Conditional Access, and fully integrate with Entra including ID Protection and ID Governance, and our integrations continue across other crucial Zero Trust pillars in the Microsoft ecosystem such as Sentinel, Intune and Defender. Our globally distributed proxy, powered by Microsoft's vast wide area network and its many points of presence, allows you to optimally route traffic, including Microsoft 365, to the point of presence closest to the end user, delivering a fast and consistent hybrid work experience. Plus, you can seamlessly acquire Microsoft 365 traffic and deploy side by side with third-party SSE solutions or traditional DMZ networks, allowing you the flexibility to choose where you route your internet and private traffic while receiving improved performance for your Microsoft 365 traffic.

With Microsoft's SSE solution we provide two flexible deployment options: the device client model and the branch network model. Our Internet Access and Private Access products share the same client that can be installed on your end user device. Our Windows and Android client is now GA, and support for macOS and iOS is coming soon. In the future the client will be inbuilt into the Windows OS stack and no additional agent will be required, and we will unify the SSE and Microsoft Defender client to reduce your deployment overheads. In addition to the client model, we also support IPsec tunnel-based connectivity from branch office routers to offer coverage for any on-prem devices that may not have the client installed. Support for the Microsoft traffic profile is GA, and support for the internet access traffic profile is coming soon. Now I'll hand it off to Frank for a closer look at internet access.

Thanks Samita. The new Microsoft Entra Internet Access model will modernize and transform the way you enable internet security controls and offer the peace of mind that security practitioners need and deserve. Additionally, it will make your end users happy by making their connectivity fast and seamless, a win-win for both security and productivity. With Internet Access you can bring the power of Conditional Access to any internet and SaaS application or resource. This makes it easy to manage your policies through a unified Zero Trust policy engine. We have built a comprehensive cloud-delivered network security tool set to help protect against malicious internet traffic and other threats from the open internet, and Internet Access leverages Microsoft's global wide area network with points of presence close to the end user, resulting in improved performance.

With our identity-centric secure web gateway solution you can secure access to all internet and SaaS apps and resources, protecting your organization against internet threats. We have introduced network traffic as a new resource type in Conditional Access alongside cloud apps, providing a way to unify and centralize your network security policies with identity access policies. As a result, you can now seamlessly extend identity, location, risk, compliance and device conditions to your entire network security stack, securing all data traffic to any internet destination. Very soon we are also bringing continuous access evaluation to Microsoft Entra Internet Access. This will enable your network policies to adapt dynamically to changing conditions such as user risk scores, location, device compliance statuses, offboarding users, etc. It's an easier, more agile and integrated approach to secure internet access for your enterprise, built on Zero Trust principles.

Let's dive into the Conditional Access controls for connectivity to our solution. We have Global Secure Access as a resource pre-integrated within the fabric of CA. You have the flexibility to configure policies on any or all access to network connectivity by default, or to explicitly select the applicable traffic profile such as Microsoft apps or the rest of internet traffic. Your users can access these resource destinations only after they acquire a valid token for our service. We provide Zero Trust coverage even for resources that do not support basic auth and Conditional Access natively. Now Heito will show you a quick demonstration of universal Conditional Access and CAE.

Thanks Frank. In this example we will create a policy that requires a company-managed compliant device before getting any access to any internet resource. First you will navigate to the Entra portal and open Protection, Conditional Access, Policies. Next you create a new CA policy and select the users or groups that this policy would apply to. Then choose Resources (formerly Cloud apps) in the Target resources box and select the All Internet Resources with Global Secure Access radio button. And finally, under Access controls, configure Allow access and the Require a compliant device grant control. Now let's try to access a generic internet resource such as main.com. We can see that universal Conditional Access will not let us access bing.com or other internet resources because our device is not compliant. Let's fix that and update the device compliance status. Access is quickly restored. Universal Conditional Access ensures that our users' ability to access the internet is limited to devices compliant with company policy.

Universal continuous access evaluation, or Universal CAE for short, ensures that a state change of the user identity results in a quick revalidation of the user's identity. For example, if a user's risk level changes or if the administrator disables the user account, this is reflected very quickly without the need to wait for the access token to expire. Universal CAE does not need to be enabled and will soon be available to all customers. Here we have our end user navigating internet resources. Now the administrator revokes the user's tokens and/or disables the user's account. You can see that very quickly the user is prompted to reauthenticate. If the account is disabled, the network access is interrupted, as the user has no way to log in again. In time-sensitive scenarios such as access terminations, being able to interrupt network connectivity is very important, and Universal CAE helps accomplish that. Now back to Frank.

Another unique feature of Internet Access is the ability to link Conditional Access to your network security policies, giving you a versatile tool that can adjust to different scenarios. You can now control access to any internet destination by applying CA controls to your secure web gateway policies, leveraging the rich context of Conditional Access. These policies could be used to allow access to specific websites for users or groups based on their role, or to block access to sensitive sites based on changes in risk, device compliance or location. This provides organizations with flexibility based on their needs. Additionally, our solution introduces compliant network as a new signal and restores the original source IP, allowing backward compatibility of CA controls, which Alex will cover in more detail later.

Microsoft Entra Internet Access gives you complete control over the enforcement of your network security policies. You can create individual SWG policies that allow or block specific web categories or FQDNs and prioritize their order of execution. Then you can add your policies to a security profile that can be linked to a Conditional Access policy to bring in that context awareness. Security profiles are also organized with priority ordering, allowing imperative control over which profiles get precedence when an internet flow gets mapped to more than one CA context. For example, high user risk security profiles can be ordered at a higher priority versus user- or group-based security profiles.

Here you can see the network security capabilities we are delivering. The initial launch of our Internet Access solution is just the first step in our mission to deliver a complete network security tool set to help protect your organization. Currently you can apply the contextual sophistication of Conditional Access to your secure web gateway policies like FQDN and web category filtering. In the near future we're going to deliver more capabilities such as URL filtering, TLS inspection and threat intelligence filtering to add additional protection to your users. Cloud firewall, network data loss prevention, intrusion detection and prevention, and anti-malware are all on the roadmap and will be added incrementally as we continue to develop our solution.

Now let's take a look at how Microsoft Entra Internet Access can secure your users with our context-aware secure web gateway solution. In this example we start with the configured baseline profile, which blocks bad and risky sites for the organization. You can see the set of baseline block destinations includes illegal software, adult, peer-to-peer and download sites. With this policy in effect we can see that a user is blocked from the peer-to-peer site seedr.cc.

A more advanced capability of Internet Access is providing a single pane of glass by way of Entra ID Conditional Access policies. When a new employee in the finance department onboards to the finance group, they're granted access to all SaaS and internet sites necessary to do their job, like SAP and other finance and business websites. You can perform this integration with Global Secure Access by navigating to the group with the Internet Access target resource and using the Global Secure Access security profile session control in this Conditional Access policy. This deep Entra ID integration is even more powerful in the use of user risk provisions. For instance, we can create a policy blocking storage and business sites for a user with high user risk. You can see that in Conditional Access this policy utilizes the high user risk condition to assign a security profile blocking this web category. Now when an end user's user risk score increases to high, due to suspicious API traffic being detected in the MS Graph for example, they're now blocked from accessing sap.com. And now Alex will cover Internet Access capabilities for Microsoft applications.

Thanks Frank. We have built enhanced security, visibility and performance capabilities for Entra ID federated apps and Microsoft 365. With Internet Access you get fast and secure access for all internet traffic, including Microsoft 365, maximizing productivity for any user anywhere. We have deep integrations with Microsoft Entra ID, including capabilities like source IP restoration, token replay protection and data exfiltration controls, and you have the flexibility to deploy these capabilities side by side with the third-party network security solution of your choice. Let's take a deeper look into these capabilities.

All our features for Microsoft 365 are rendered in colocation with the existing front doors for services, reducing additional routing hop latency for the top productivity apps in your enterprise and ensuring best-in-class performance for Microsoft 365 applications. We also make it easy to acquire Microsoft 365 traffic using the Microsoft traffic profile, which is pre-populated with relevant IP ranges and FQDNs, enabling you to quickly direct Microsoft 365 traffic to our solution. With a third-party SSE provider, the original source IP is obscured, resulting in a loss of log fidelity and degradation of Conditional Access and CAE controls. Because of our deep integrations with Entra ID, we proactively restore the source IP, providing backward compatibility for IP location checks in Conditional Access. Source IP restoration also helps maintain fidelity in Microsoft Entra ID sign-in logs and in Identity Protection risk calculation for user risk and sign-in risk.

Now let's get into our enhanced security capabilities. With the rise of identity and token replay attacks, we have introduced new capabilities to help protect your organization and ensure your mobile workforce is secure. We provide token replay protection with a new compliant network check on the authentication plane for any Entra ID federated application, including Microsoft 365. The compliant network ensures users connect from a verified network connectivity model for the specific enterprise tenant and is compliant with all the network security policies that you've enforced. This check is similar to, yet more powerful than, source IP, and is much easier to manage and maintain. Without going through the cumbersome process of compiling a list of all your enterprise source IPs, you can protect your remote users from your branch office, their home location or any other network. Let's pass it over to Samita for a demonstration.

Thanks Alex. We can secure access to any Entra ID federated application by ensuring that users are coming from their compliant network. First the admin will create a Conditional Access policy targeting the users of their choice, then targeting an Entra ID federated app such as Dropbox. Next the admin will navigate to the Network tab of the Conditional Access policy builder and require that users within the tenant are coming from a compliant network location. This Network tab is a revision to the design of the Conditional Access policy builder, and the admin can navigate to Conditions, then to Locations, and configure the same controls there. In other words, this policy ensures that users have the Global Secure Access client installed on their device or that they are on a Global Secure Access branch network, preventing token replay attacks from malicious users. Within the grant controls the admin can block access to Dropbox if the user is not coming from a compliant network location. Now we can see that if a user without the Global Secure Access client tries to access Dropbox, they are blocked. This is because they fail to prove that they came from their tenant's compliant network. However, with the Global Secure Access client up and running, the user can successfully access the application. Back to Alex.

Thanks Samita. Another Entra ID integration we have is the ability to enable Universal Tenant Restrictions to prevent data exfiltration by users leveraging foreign identities to access foreign tenants, for all Microsoft Entra identity integrated resources. Tenant restrictions version two provides granular controls for tenant, user, group, Microsoft account identity and application level internet access, and enforces tenant restrictions universally, so you no longer need to manage your local corporate proxies and hairpin internet traffic. Let me show you how this works.

First let's configure tenant restriction policies in the Microsoft Entra admin portal. Navigate to External Identities and then Cross-tenant access settings. On the Default settings page we will click the Edit link under Tenant restriction defaults and change the policy behavior to block external organizations by default. Then we will navigate to the Organizational settings page and add any organization that we want to explicitly allow. You can do that by typing in a verified domain name of that organization or a tenant ID. Since we configured our default tenant restrictions behavior as denied, we will change the inherit-by-default tenant restriction settings for that domain to explicitly allow. Lastly, we need to confirm that Entra Internet Access is configured to add tenant restriction signals under Global Secure Access settings, Session management, on the Universal tenant restrictions page. Now user Alice from our organization will try to access SharePoint in an unauthorized tenant. Universal tenant restrictions blocks that authentication attempt, as we configured the default policy to block unknown or unauthorized tenants. Now Alice will try different credentials, this time from a tenant that we have authorized explicitly. Universal tenant restrictions allows that access and presents the page. Granular controls in TRv2 policies and cross-platform universal enforcement of these policies with Microsoft Entra Internet Access provide organizations with the ability to reduce the risk of unauthorized tenants and data exfiltration.

Now let's go over the visibility and performance benefits of our solution. With Microsoft Entra Internet Access we are introducing rich logging and reporting capabilities. Our data sources include metadata from the Global Secure Access client, network traffic logs and policy enforcement logs flowing from our Security Service Edge, activity logs for Microsoft 365 applications, as well as watch lists from various threat intelligence systems. We securely process and analyze this data to create insightful in-product reports and dashboards. Our landing dashboard page provides rich insights such as relationship maps between users, devices and endpoints connected through Microsoft's SSE solution. We also show cross-tenant access taking place in your enterprise as well as the top network destinations in use. Soon we will bring various policy recommendations and insights to you. We will also offer advanced app and network discovery capabilities and what-if scenario modeling. Apart from native reporting, we support extensive capabilities to export the data to various data sinks integrated with Azure Monitor, and we have connectors and workbooks for integration into relevant first-party and third-party SIEM and threat detection systems. This will facilitate advanced AI- and ML-based detections to help with security investigations and threat hunting scenarios.

Microsoft's hyperscale infrastructure runs across dozens of data centers and hundreds of edge locations around the world to ensure your users are always just milliseconds away from the nearest secure edge location. This is the same infrastructure that powers cloud services like Azure, Microsoft 365, Bing and others. This vast wide area network infrastructure is owned and operated by Microsoft for the exclusive use of services like Microsoft Entra Internet Access. We have thousands of peering relationships with internet providers and SaaS services, ensuring that your enterprise gets the best security with the best performance. We have launched multiple locations across North America and Europe and will continue to expand our service to other regions. In addition to performance, we have built multiple provisions to recover from a slim yet non-zero chance of hardware and software failure. A key provision here is the use of multiple redundant tunnels, enabling seamless recovery from failures or capacity spikes. Advanced traffic management algorithms and safe deployment procedures ensure that Microsoft Entra Internet Access is a highly available, truly resilient infrastructure service that your enterprise can depend on. To learn more and sign up for product trials, please visit these resources and reach out to your Microsoft account team.