0:03 hey everyone in this video I want to
0:05 talk about the Microsoft Entra Internet
0:07 access solution I mentioned it in a
0:09 previous video when I talked about the
0:11 security service edge but it was in
0:13 private preview at the time I couldn't
0:15 show a lot about it well now at time of
0:17 recording it's public preview so I can
0:20 finally talk about it so if I think
0:22 about what is this solution actually doing
0:25 well we have the
0:29 internet and the internet is full of
0:30 wonderful places
0:33 we have all of these great wonderful
0:35 things there to bring us joy and
0:37 happiness and
0:40 productivity but there's also another
0:42 side to the internet there's a side to
0:46 the internet where it's not there are
0:52 these bad sad things decided to bring us
0:55 great misery and sadness and trying to
0:58 trick the users it's all gray and it's
1:02 horrible and so ultimately our goal when
1:04 we think about this solution is okay
1:07 there's the internet what I want to do
1:15 user sitting at their
1:17 machine I want to provide protection
1:20 from that I want to provide protection
1:22 on them clicking a link just looking at
1:25 some website and it goes to a bad site
1:27 maybe it's a phishing email with a link
1:29 hidden in it maybe it's a QR code that
1:33 is tricking them but I want to stop them
1:36 going to these bad sites or maybe it's
1:38 not even a bad site it's from a certain
1:40 corporate machine a certain environment
1:43 I don't want them leveraging or I need
1:46 some control around it because hey we
1:49 educate our users and ideally we would
1:50 protect them in the first place if it's
1:53 email we have solutions in our email to
1:55 never see those links those QR codes in
1:58 the first place but nothing's perfect
2:01 things do get through and so if we think
2:03 well what is this actual
2:07 solution what we're focusing on here is
2:10 this Entra Internet Access and what it's
2:12 really providing me if I think about the
2:16 all up is it's a secure web gateway so
2:18 if that is the internet what we're now
2:32 access and the goal would be I'm focused
2:35 on yes I'm focused on the general
2:37 internet so just
2:41 general sites but it might also be those
2:45 sites that are for example SaaS
2:55 federated remember our
2:59 key goal if possible is if we think well
3:02 I have my
3:05 Entra tenant so we've got our
3:24 it's using our Entra tenant for its
3:28 authentication it then becomes a known
3:30 application to Entra I can then apply very
3:32 very granular conditional access
3:34 policies to it so this is my preference
3:35 but maybe I can't do that maybe it
3:37 doesn't federate maybe I didn't want to
3:40 for some reason and so now I can think
3:42 about well it's just general internet
3:45 sites it's non-federated SaaS and I want
3:49 to provide protection for them so now
3:53 that that path for the client would be
3:56 well instead of the path going hey
3:59 directly out to the internet well now
4:01 what's going to happen is that path
4:05 is going to go to this Edge and then go
4:09 through and at this Edge it's supposed
4:11 to be a magnifying glass I can't really
4:13 draw but the edge we can make decisions
4:17 on do we allow it or do we block that
4:20 traffic so this is what it's going to
4:23 provide anything on the client doesn't
4:24 have to be the web browser anything that
4:26 wants to talk to the internet is
4:29 actually going to go to the Entra edge
4:30 it will be inspected based on rules
4:33 we're going to create which will control
4:35 if it's allowed or blocked so this is
4:38 the whole point of the solution now I do
4:39 want to stress I'm talking about the
4:41 Microsoft Entra Internet Access there is
4:44 a separate set of technologies leveraged
4:48 for Microsoft 365 traffic Microsoft 365
4:50 has its own capabilities and there are
4:53 some extra special things built into
4:56 Entra around controlling that they can
4:58 go into detail about hey stopping data
5:00 exfiltration and a whole set of other
5:02 things so I'm not talking about that I'm
5:05 going to talk about just the basic Entra
5:08 Internet Access solution
5:12 today okay so how do I actually get
5:15 going with this
5:17 solution as I talked about it's going to
5:20 now send that traffic over here to that
5:22 Entra
5:25 Edge and I can think of I'm going to
5:29 create these rules that will allow me to
5:31 maybe group based on a category so
5:32 there's going to be a lot of well-known
5:34 categories built in there's going to be
5:36 fully qualified domain names I can
5:38 leverage and there's other things coming
5:40 on the road map and what I want to do is
5:43 really talk about these whole set of
5:46 capabilities in a lot more
5:48 detail so what's the step
5:52 one step one is well I need the
5:55 client to know hey internet traffic I
5:58 want to send it to this Entra Internet
6:00 Access edge
6:03 solution so we have to get the client so
6:05 step one is to go ahead and install the
6:07 client so if we jump over to the portal
6:13 second now I'm using the Entra
6:17 portal so it's that
6:19 entra.microsoft.com and I'm going down to my
6:23 Global Secure Access
6:27 area and then from here I'm going to my
6:34 download and it's going to show me the
6:38 client now notice there are Android and
6:41 iOS and other things are coming out
6:44 today at time of recording the internet
6:47 access does not work for iOS or
6:48 Android it's really focused on that
6:50 Windows client so I would go ahead and
6:53 download this client now once I've
6:55 downloaded the client I go ahead and
6:57 install that client and I install the
7:00 client using all of the regular means
7:03 I could install the client using Group
7:06 Policy I could install it using Intune
7:08 I could absolutely just manually install
7:10 it obviously that's not scalable I'm
7:13 going to install this GSA
7:15 client and when I install the GSA
7:18 client all I'll really see initially is just
7:24 this little icon so I'll see it in the
7:28 corner my GSA client it will be sitting
7:34 okay great so the client is installed
7:37 now what now one thing you will ask is
7:40 well how does it update today it doesn't
7:43 automatically update I would need to go
7:45 and get the new version and deploy it
7:46 with the updated Intune or the group
7:49 policy that will change in the future so
7:51 that whole update
7:54 experience is there's a road map
7:55 obviously I don't ever talk about future
7:57 things but that whole experience will
8:01 change very much and this client
8:05 authenticates so this client will now go
8:07 as part of my identity I choose who I
8:10 want to authenticate it as so the client will
8:19 now go to Entra and it's hey I need to
8:21 authenticate and just like everything
8:24 else it's going to generate me the
8:28 token my access token that it will send back
8:32 because all of the interactions with
8:33 that edge are always going to be
8:36 authenticated you think zero trust and
8:38 verify explicitly it's constantly going
8:40 to be using this as part of that
8:42 authentication to prove yes I am who I
8:44 say I am and as we're going to see it's
8:47 used for some other things as well but
8:49 it has that
8:51 authentication and if we just go and
8:52 look super super quickly so let's just
8:54 jump over for a
8:57 second so this is a machine and let me
8:59 just turn off my little logo
9:01 for a second so you can actually see all
9:04 the detail so down here in the bottom of the
9:09 screen there's its icon that is the
9:11 Global Secure Access client now if I was
9:17 it it shows me some basic
9:19 status of that
9:21 client it's actually doing something
9:24 weird it's not overlaying properly but I
9:26 can see it's the M365 connected private
9:28 connected Internet connected and the version
9:33 and likewise if I let's close that I can
9:36 select Advanced Diagnostics and also I
9:39 guess while I was there if we right
9:42 click we do see hey I could log out and
9:44 log in as a different user we can pause
9:46 resume restart collect logs for
9:49 troubleshooting purposes then we have
9:50 this Advanced Diagnostics and it's the
9:52 Advanced Diagnostics that I've launched
9:55 over here logo back on so I don't
9:59 forget and we can see basic information
10:01 so I can see details about the
10:04 forwarding profile my client version and
10:06 at this point I'm going to go into more
10:08 detail about this but we have the health
10:10 check so if you're ever experiencing a
10:11 problem it's nice to go through the
10:14 health check and it's showing all of the
10:16 different steps that it has to go
10:18 through checking hey the edges are
10:21 reachable proxy everything is looking
10:24 good on this particular box so at this
10:27 point hey everything is looking good on my
10:29 client okay
10:32 perfect so how do I actually start
10:34 leveraging the
10:37 technology because that's just the base
10:40 component is there on the OS so that now
10:43 when I do a few other things instead of
10:46 my internet traffic going directly here
10:48 it's going to follow this path I don't
10:49 want it going and talking directly to the
10:50 Internet
10:55 so the first real step of the
10:56 configuration actually just give
10:59 ourselves a lot of space let's move
11:02 all the way over here so we're doing a
11:03 whole bunch of configuration right now
11:05 on the Entra side and then ultimately at
11:08 the end you'll see hey it just all comes
11:10 together for the client
11:12 experience so the first thing I have to
11:15 do is say well I want to enable that GSA
11:16 client because the GSA client is also
11:18 used for things like the Microsoft Entra
11:21 Private Access it replaces the Azure AD
11:23 App Proxy client and it's used for the
11:25 internet access so it's this single
11:27 client so I have to tell it which bits
11:29 of functionality do I want it to be
11:33 enabled for and so I'm going to say hey
11:36 of all the different
11:40 features I'm going to say yep I want to use
11:50 internet access so that's my step one I
11:53 have to tell the client yes you are
11:56 going to do internet access so if we go
12:00 and look in our configuration
12:02 because there all these different
12:05 areas if we look at our traffic
12:08 forwarding rule so I'm in that connect traffic
12:12 forwarding I tell it which profiles I'm
12:15 enabling so this is I've enabled the
12:18 internet access profile and you can see
12:21 it says hey it's all traffic except Microsoft
12:28 365 so this is that big first step to
12:30 start the
12:32 configuration and that is now on the
12:35 client remember that GSA client if I go
12:37 and look at the GSA client what that has
12:39 been responsible for is I have
12:42 forwarding profiles this tells it which
12:45 traffic goes where and we can see well
12:47 great there's those Microsoft 365
12:50 private access and internet access now
12:52 this is in public preview so I'm just
12:55 going to caveat what you're about to see
12:57 but it tells hey look certain traffic
13:00 bypass obviously it doesn't want to send
13:02 traffic to its own
13:05 Edge via the edge it would get stuck so
13:07 it's like don't send it to the
13:09 edge but everything else is going to
13:12 Tunnel now it's got some entries in here
13:14 I think for testing purposes
13:16 fundamentally but this one is the most
13:19 interesting to me good old
13:23 Rex so this is the primary rule that is
13:27 telling which traffic is tunneled so
13:30 today we can see it is DNS based
13:33 again it's public preview my
13:35 understanding is IP rules will come as
13:38 well so I won't bypass it by doing an
13:40 nslookup and then just typing in an IP
13:42 today it's focused on that DNS name and
13:46 I can see it and I can only assume
13:49 someone in the UK does some testing and
13:51 they really should be being obviously
13:52 but you get the
13:54 idea um it's now configured this forwarding
13:59 profile that is telling it well which
14:01 traffic should be sent to that edge and
14:03 that's the important point now I cannot
14:06 change that that is part of the
14:08 configuration I do not set what I want
14:12 to send to that edge that's just part of
14:13 the core
14:16 capability so that's telling it now hey
14:18 the traffic I need to
14:21 send to the tunnel it's establishing
14:22 it's totally invisible to the client so
14:25 it's that layer 7 HTTP
14:28 HTTPS you're going to go and redirect
14:30 and I do want to really stress a point
14:34 here this is not a browser
14:36 extension this is everything in the
14:39 network stack on that machine so it
14:42 could be a program yes it could be stuff
14:44 I'm looking at the browser but it is at
14:47 the machine level now anything internet
14:49 based instead of going that way is going
14:52 to go to our Entra Internet Access
14:54 Edge so it's really important to
14:55 understand that fact this is not just
14:56 hey when I'm surfing the web on a
15:00 browser it really is everything that I'm
15:02 going to do okay
15:04 perfect so
15:07 now I have to start
15:10 defining what are the things I want to
15:13 allow or I want to block I need to go
15:15 into those details and so the default is
15:18 it's just allowing the traffic so I need
15:21 to go in and create logical groupings
15:23 and if I think about it there's going to
15:25 be many different scenarios I'm going to
15:27 have where I want the same group of
15:29 sites so the first thing we do is we
15:32 create web filtering policies so I'm
15:34 going to start on this end and try and
15:36 give myself as much space as
15:39 possible so my step one well that I
15:53 policies now these web filtering
15:56 policies has come over here are really
15:58 just focused on I'm creating those
16:01 logical groupings of
16:04 categories and or fully qualified domain
16:07 names so I would think about okay well
16:08 I'm going to create a new web filtering
16:17 social and for each of these groups of
16:20 web filtering policies I specify a
16:23 certain action that I'm going to do so
16:31 block and then inside that I say hey
16:32 well I'm
16:35 including category
16:40 X category Y I'm including a certain
16:43 fully qualified domain name could have
16:45 some wildcards in there whatever I
16:48 want then I'm going to do another
16:50 policy I'll create another policy called
16:55 work and maybe for the work this is
16:59 allow I'm specifying sites I want to
17:02 allow so that may have a different
17:05 category it's going to have its fully
17:07 qualified domain names and you get the
17:09 idea I kind of go on and on and then I
17:11 would create another
17:14 one just call this one group maybe this
17:16 one is
17:19 block and then all of its
17:22 rules so I'm going and creating these
17:24 logical groupings that I'm going to want
17:26 to use later on so let's go and look at the
17:27 portal
17:31 so I go and look at my
17:34 secure and I can see under here web
17:38 content filtering policies so I select
17:40 this now I've created some already you
17:42 can see within them there's a certain
17:44 number of
17:47 rules so if I was to look at stop social
17:49 and entertainment for example you can
17:53 see my action is to block so I only can
17:55 have one action could be allow or
17:58 block and what I'm doing here is well
18:01 it's web categories so I'm blocking
18:05 social networking games and sports and
18:07 then I've also added one that selects
18:08 gambling so I can select multiple
18:10 categories in one rule let's just create
18:12 a new
18:16 one and just call it test oh if I can
18:18 type the letters right call it test and
18:20 again I select is it allow or block then
18:23 in my policy rules I can add multiple
18:26 rules so I'm going to add a rule we'll
18:28 call this just again you would get this
18:30 very logical useful names not what I'm
18:32 doing but I can select web categories I
18:35 think there's currently 76 web
18:37 categories so hacking hate and
18:40 intolerance illegal drugs illegal
18:45 software violence image sharing Finance
18:46 you would select the one so I could
18:48 select multiple things in here I'm just
18:50 randomly selecting them whatever that is
18:53 Click add I could go and add some more
18:55 rules so I could say category Y and
18:58 again I want useful names really but
19:00 I'll just select some other
19:03 things I could also add in fully
19:05 qualified domain names and I can use
19:08 wildcards so I could say well
19:12 *.savilltech.com that's never any
19:14 good so I could put that in as well if I wanted
19:19 to you just add so it's just I'm
19:21 creating a really logical grouping that
19:23 I'm going to want to use again I've
19:25 already created these so I've got other
19:28 ones that blocks YouTube now YouTube has
19:30 youtube.com then there's studio and
19:32 YouTube Works a little bit funny so you
19:34 can see I added two fully qualified
19:36 domain names I added *.youtube.com and
19:40 youtube.com I've got another one that
19:42 allows so I created one that allows
19:45 specifically LinkedIn so anything
19:49 linkedin.com I'm allowing but I'm just
19:52 going through no savilltech.net
20:00 have the wildcards I have all these different
20:03 combinations but I'm going to end up
20:05 with these logical groupings so I've got
20:07 these four logical grouping some of them
20:10 are allow some of them are block and I
20:14 can see all of that detail right here so
20:18 these are just units of logical grouping
20:21 that I'm now going to be able to use
20:23 elsewhere okay now I want to start
20:26 thinking about let's combine those into
20:29 a certain profile that I actually want
20:30 to leverage and apply to different
20:33 groups of users so great we've created
20:36 the web filtering policy now I need to
20:39 do is create those security profiles so
20:42 now we'll go ahead and create our make
20:48 space security
20:55 profiles now once again they have a name
20:57 so I'm going to add a security profile
21:00 and again give it a useful name I'm just
21:08 here I give it a priority so we have to
21:10 track this a little bit and making more
21:12 sense when I show it to you but the
21:14 profile has a priority so this profile
21:18 I'm going to say has a priority of
21:23 110 and then I just link these web
21:25 filtering policies to it these were
21:28 defined as their own objects I'm going
21:31 to use them into a profile so I'm going
21:33 to say well the work one I'm going to
21:40 in and I give it a priority so this is
21:42 its relative priority within this
21:45 profile so this one has a priority of
21:54 one and that one give it a priority of
21:57 200 now I'll create another one I'll
21:59 create a
22:03 profile two I'll give this one a
22:05 priority of
22:08 200 and once again I'll add some
22:12 I'll actually add this one in to here as
22:15 well I give that a priority of
22:19 100 and also I'll add this one in
22:20 actually I just got to leave that one as it
22:24 is there's also a special
22:28 priority so I'm going to create a
22:30 profile just called General it could be
22:33 all I'm going to give this one a
22:40 65,000 and I'm going to add this one
22:43 in and I give that priority of 100 doesn't
22:48 matter this is special this one would
22:50 apply to all internet traffic whether
22:54 this profile is used as part of a
22:55 conditional access policy which we're
22:56 going to see in a second how we assign
23:00 these or not if I give this 6500 I
23:02 can only have one because the priorities
23:04 of each of these security profiles has
23:07 to be unique which is going to make
23:10 sense this one is general and applies to
23:13 everything now the reason we have
23:15 priorities within the profile we're
23:18 linking these is what if they conflicted
23:21 so for example this one allows let's say
23:22 fully qualified domain name
23:25 linkedin.com well this category here may
23:28 be was social which blocked it
23:30 so if I just applied them and they had
23:32 equal weight what does it do with
23:36 LinkedIn so by having a priority within
23:39 the profile well this is a higher
23:41 priority so allowing LinkedIn comes
23:43 first and even though LinkedIn is then
23:46 blocked by social it's a lower priority
23:49 the one that allows it so it would have
23:52 the access and be allowed so that's why
23:53 we have the priorities and it makes
23:56 total sense we have groups of block and
23:59 allow well how should that
24:02 work then you can imagine scenarios will
24:06 occur where as a user there's going to
24:07 be multiple conditional access policies
24:10 apply to me I may have multiple profiles
24:13 applying to me well then what if the
24:16 profiles conflicted that's why the
24:19 profiles have a priority so again take
24:22 this scenario social was blocked
24:25 completely in this profile in this
24:27 profile social was blocked but it allowed
24:32 LinkedIn well this profile has a higher
24:36 priority than this profile which means
24:39 hey LinkedIn is still going to work
24:41 because the profile is higher than this
24:43 one that's why there's those two
24:46 sets within it it's just relative to
24:48 each other the profiles is hey if
24:51 there's a conflict between those so
24:53 let's go and see that and I think it
24:55 will make a lot more sense so we had the
24:58 web content filtering policies great
25:01 now we use them in a security
25:03 profile so I could just go ahead and create
25:07 one
25:10 test enabled so I enable it and I have
25:13 to have a priority this has to be unique
25:15 I cannot have the same priority as one
25:17 I've used already so we can see here
25:21 I've got priorities 110 200 and
25:24 6500 so if I try and create a profile if
25:26 I select 110
25:32 if I actually went through I need test
25:33 it won't ultimately let me I don't know
25:35 when it does the check but it wouldn't
25:40 let me actually create it so
25:42 error profile with the same priority 110
25:45 already exists so it has to be unique
25:47 which makes sense I would not start at
25:49 one because what if something comes
25:51 along in the future that you need so I
25:54 like big gaps of 100s you
25:58 have a huge 65,000 to play with notice
26:01 if I hover over the i it's telling me
26:04 a special one if you use
26:08 6500 applies to all traffic it does not
26:10 need to be linked to a conditional
26:14 access policy so that 6500 is a special
26:16 one let's just say I'm going to say this
26:18 is 500 I'm not going to use this one
26:20 anyway and now I just go and Link the
26:23 policies so I can use an existing policy
26:25 I'll select it from the groups that I
26:28 have created
26:30 so I say hey block YouTube I remember
26:32 I'm giving it a relative priority within
26:38 the profile so maybe this one is
26:42 300 I could then add another
26:46 one that may be allow LinkedIn I mean
26:47 obviously it's not conflicting but I'll
26:51 give that 100 so I'm creating that
26:54 relative priority within the profile so
26:56 that's the whole point of these and so
26:59 in my case
27:02 if we look at what I did my highest
27:05 priority let's just expand all of these
27:08 out my highest
27:10 priority of
27:14 110 has three of those web filtering
27:17 policies in it the highest priority is
27:21 allow LinkedIn priority 100 the next is
27:24 stop social which would block LinkedIn
27:27 because it's that social category but a
27:31 higher rule within there allows it and then
27:33 I'm blocking
27:36 YouTube then I have another security
27:39 profile that just stops the
27:44 social but notice its priority of 200 is
27:47 less than this one that is 110 so if
27:50 they ever conflicted I'd still be able
27:53 to get allow LinkedIn if they apply to
27:56 the same user and then I've got this
27:59 6500 that will apply to everyone and we
28:01 want to block that trash savilltech.net no
28:05 one should look at that ever so you can
28:07 see how those things are really all
28:10 coming together to give those
28:13 protections so that's the point of
28:16 how really it just all comes together to
28:18 give that solution so great now we've
28:21 got profiles that actually include them
28:29 fantastic I need to use them so the last
28:32 step as applies to nearly everything
28:35 whenever I think of Entra conditional
28:45 create conditional access
28:47 policies so I'll create a conditional access
28:53 one I apply I have a certain Target it
28:55 could be a user I'll say it's applying
28:59 to user group one as well and be very
29:02 lazy and then what is it targeting
29:05 is it an application well it's targeting
29:08 the Global Secure Access and it's targeting
29:15 internet and then because it's using GSA
29:17 and internet I have to specify well
29:26 profile I'll use this one
29:31 now I can only have one this is not a I
29:33 can specify multiple profiles each
29:37 conditional access can use one profile
29:38 and remember we have the allow the
29:41 action we're going to
29:44 allow this is a very important point you
29:45 might think oh well most of these are
29:47 blocking I should set the conditional
29:51 access to block no the web filtering
29:54 policy takes care of the action the edge
29:58 should do to the traffic if I say block
30:00 for remember internet access it's just
30:02 going to block access to the internet
30:04 completely like for the whole machine
30:06 never to use block I wouldn't even
30:10 really use things like require MFA
30:12 because again it's at the machine level
30:16 those policies apply all up top level
30:19 internet not to the sites within this
30:21 policy so if I was to set this to
30:23 require MFA as soon as the client tried
30:24 to authenticate the first thing that
30:26 tries to talk to the internet it would
30:29 do MFA then so really my profile is just
30:32 going to say allow action and then I
30:34 could have another
30:36 policy condition access 2 maybe it
30:39 targets a different group group two once
30:42 again it's GSA it's
30:45 internet my
30:48 profile be this
30:52 one okay it's always one to one and
31:06 do not link you don't need to it applies
31:09 to everything the 6500 is special it's
31:12 always going to apply that's really the
31:15 the key point in all of this so
31:17 let's show this as
31:20 well so great I've got my security
31:23 profiles now I would just go to my
31:26 regular conditional access create a new policy
31:29 target whatever users and groups you
31:33 would normally do but when I do target
31:37 resources I'm targeting Global Secure
31:40 Access specifically I'm going to target
31:45 internet and then the only thing I now
31:53 session I have to check down here on the
31:57 bottom use Global Secure Access let's
31:59 get rid of my little icon again it's
32:09 profile so I would select which one
32:12 remember I can only select one so maybe
32:14 I would select how social entertainment
32:18 profile stop so I'd select that one and
32:20 now that is
32:23 configured right there and those are the
32:25 steps that's really all I have to
32:26 do now what I was talking I probably
32:28 enforce the policy to on now normally
32:30 obviously Group Policy we always do
32:33 report only first for this for the
32:35 testing I'm going to set these to on
32:38 to actually apply these to the checks my
32:41 grant is just grant
32:45 access once again if I select block and
32:47 maybe at the end I'll show it just to
32:51 frustrate myself it just blocks internet
32:53 it is not blocking the sites you don't
32:55 want that you need to grant the access
32:57 the web filtering policies linked from
32:59 the security profile will take care of
33:02 allowing or denying the sites this
33:04 action right here is about internet
33:07 access so again if I was to select MFA
33:08 even it's just going to make me prompt
33:11 for MFA at the start of the first thing
33:12 that talks to the Internet it's not
33:15 about the site specifically today that
33:18 may change in the future but for now you
33:21 want to just grant
33:25 access so for me I have created a policy already
33:30 honestly it's very slow this morning
33:33 it's early on a Sunday waking up all
33:38 right so I created internet access for
33:41 John it's just
33:43 me it's internet
33:46 traffic and all I've
33:48 done is selected that social and
33:52 entertainment profile now just to remind
33:58 us the social and entertainment profile
34:02 was allowing LinkedIn stopping Social
34:04 stopping YouTube and then remember we
34:06 have that default for all that would
34:08 stop savilltech.net
34:11 so those are the rules so I'm blocking
34:13 social blocking entertainment I'm blocking
34:18 gambling we can see all of
34:21 those in here my
34:24 rules social games Sports gambling are
34:27 all blocked as part of those rules so
34:30 those things should all be impacting
34:35 me when I now try to do the things so
34:37 great I have created now those
34:40 conditional access
34:42 policies so how does this all come
34:45 together this is I guess the cool
34:54 before the client authenticates and it
34:55 gets this
34:59 token as part of that token each of
35:02 these has an ID has a security profile
35:06 identifier so what's now going to happen
35:08 is when this does this authentication
35:11 and when it goes and gets that
35:15 token that is now updated the token gets
35:19 the security profiles IDs added to it
35:21 that are being applied so that profile
35:25 one this token was actually happening here
35:31 is what color should I use this
35:37 one is getting
35:40 added to my
35:42 token and obviously there were multiple
35:44 conditional access policies that applied
35:46 each with their own then there could be
35:49 a list of these added to my token so now
35:52 this client its token has the security
35:58 profile IDs as entries in its token and
35:59 that's so it's got these claims for the
36:02 security profile ID that's the
36:04 huge part here so now what's actually
36:07 happening when this client gets
36:10 redirected to that Entra
36:18 token gets sent along with it so now
36:21 that Entra Internet Access again I think
36:23 this is really
36:26 Edge when I talked about this magnifying
36:28 glass allowing or denying what it's
36:31 looking at are the IDs because remember it's
36:32 got this like
36:36 id1 it's looking at okay well what are
36:44 token that controls the traffic that's
36:46 going to control is it allowed or not
36:49 and that's really the key point of
36:50 how this is
36:54 working follow the structure through we
36:56 created web filtering policies which are
36:58 logical groupings of categories or
37:00 fully qualified domain names that we may
37:03 want to use maybe multiple times
37:05 different places we put those into
37:07 security profiles they have their own
37:09 priority within it in case
37:12 they conflict and what should win then
37:14 the profiles themselves have a unique
37:16 priority because what if I get multiple
37:18 profiles which one should win and then
37:21 ultimately we apply them by linking a
37:23 profile to a conditional access policy
37:26 just like we always do and then that
37:30 gets populated as a claim in the
37:34 token and then that constantly verifying
37:35 now because it is an access
37:39 token it's good for an hour so if I was
37:41 to create a new conditional access
37:44 policy or I change the conditional access
37:47 policy to point to a different profile
37:50 it could take up to an hour to be seen
37:52 because the access token is good for an
37:55 hour now if I was to
37:57 change it's not good
37:59 if I was to
38:03 change what was linked in the profile
38:06 that just requires propagation through
38:08 the global entra maybe that's 5 minutes
38:11 so I can change these things but if I
38:13 actually create a new conditional access
38:16 or I changed the profile well remember
38:19 it's the profile that gets linked in as
38:22 a claim in my token I have to let that
38:25 expire so that could be up to an hour if
38:27 I create a new conditional access or I
38:29 changed the profile it links to so
38:31 that's that that's the timing involved
38:33 in that whole
38:34 process so
38:38 then does it work uh so let's try it so
38:41 if we jump over and we hope it does work
38:43 this will be a terrible terrible demo so
38:45 if I go to my
38:48 machine so now let let's think about
38:51 what we did so I'll open up the
38:55 browser so I blocked YouTube so youtube.com
39:00 can't reach
39:04 it nope and just to prove internet is
39:07 working if I go to savilltech.com
39:11 that works fine what about Studio
39:14 remember we did the wildcard
39:17 nope can't reach it what about
39:21 Twitter remember we had the social
39:24 twitter.com nope can't reach it what
39:26 about LinkedIn remember we had that
39:29 allow rule which was a higher
39:33 priority LinkedIn we can get to
39:38 awesome what about uh a gambling site
39:39 now I actually have to look this up
39:40 because I
39:43 don't know a lot of gambling sites so if
39:50 site can't get to it now you will notice
39:51 this one said denied whereas the others
39:53 it couldn't get to this was because this
39:54 was just a
39:58 HTTP, not secure, so it can return a
40:00 different response if it's https it's
40:02 just like hey you can't get to it and
40:05 the same would apply if I do www.avc.edu
40:13 rule that's just HTTP it can just say
40:22 https then we'll see hmm can't reach the
40:25 page so you will today see a different response
40:31 on if it is https or http because it
40:35 impacts what it's allowed to do but you
40:37 I mean that that's it you see the client
40:41 experience it's totally seamless it just works
40:47 now what about if things uh are not
40:49 quite right if it's not working maybe as
40:52 you would expect so this agent remember
40:54 I pulled up the advanced host name
40:57 acquisition I could say start
40:59 collecting and what this is going to do
41:04 it's going to focus on the idea of well
41:07 what are the host names what's the DNS
41:09 that's being acquired when I'm trying to
41:12 do things so if I did the savilltech.net
41:18 again and also let's try uh Twitter
41:20 again and and then we'll do one that
41:28 okay I could do stop so we can see hey yeah
41:32 look I can see the things it was trying
41:36 to do so I can get an idea of the
41:41 actual um responses and if it was truly
41:43 going through the the DNS I can also
41:46 look at the traffic so we'll start that
41:49 as well just go back to this page
41:57 twitter.com nope let's try the linkedin.com
42:03 yep and now we see a whole
42:06 bunch of connections we saw it hey it's
42:08 going to the edge so I can get all of
42:10 that detail of things that it's doing in the
42:13 background so I can see everything it's
42:15 trying to do if it's closed if it's
42:22 here so it's just a great way to see
42:24 everything that is happening on the
42:27 machine so the this is super useful if
42:30 things don't work as you're
42:32 expecting now the other
42:35 thing I want I guess I did say okay so
42:38 while we're over here this is going to
42:40 break my environment but so you don't
42:41 break your
42:44 own if I go to my
42:48 policy internet access for John I'll
42:54 block and again we have to give it a few
42:55 minutes to propagate out through the intern
42:58 while we're doing that the other thing
43:00 we have available to us in the global secure
43:02 access
43:07 is we have monitor we have audit logs
43:08 but I'm going to focus on these traffic
43:15 logs I can see the traffic across the
43:17 different types so internet private access
43:21 M365 so I'm going to focus on my internet
43:26 access from here I I can see a whole
43:28 bunch of communications to different
43:30 things but I could add a filter where
43:33 the action is
43:36 block and I can see all of that
43:39 detail yep the sports the gambling
43:43 site Facebook got blocked savilltech.net
43:46 got blocked YouTube got
43:49 blocked so it's got this really nice set of
43:53 capabilities that I can go back and see
43:55 all of the detail and there's a little
43:57 bit of a delay so it's not going to show
43:59 up out here instantly in my playing
44:02 around I've seen it take maybe 15
44:04 minutes to show up again it's public
44:06 preview at time recording that could
44:08 absolutely change but there there is a
44:11 little bit of a delay but then I can go
44:13 and see all of that
44:15 detail so let's see I don't know if it's
44:17 been long enough let's see if I can
44:21 break my machine so what I would now
44:24 do I say log in as a different user so
44:27 it's signing me out
44:29 remember I applied that block policy
44:32 which remember is not just the sites
44:36 it's everything now internet traffic on
44:39 the machine so when it re
44:41 authenticates it's now going to go and
44:42 get a new access token and when I get
44:45 the access token that's when it's going
44:47 to tell me so I have to sign in again
44:52 out so I
44:56 have strong wols enabled I can't get
44:59 access so your sign-in was
45:02 successful but now I can't do anything
45:03 I'm I'm basically blocked out of
45:06 Internet so I can't even finish the sign in
45:10 anymore and it's going to get stuck
45:12 because I've essentially wiped out
45:15 internet on my machine so I would now
45:19 hastily uh come back to here change that
45:21 conditional access to one that isn't
45:22 junk and I would see the same if I did
45:25 MFA it would require it for basically
45:26 that client is this the first thing that
45:28 will get impacted when it gets the new access
45:29 token
45:33 so it it wouldn't be that useful I
45:36 really think of the conditional access
45:39 its use and its power is to apply the
45:47 security profiles I'm defining
45:50 I'm not using these to try and then do
45:54 additional MFA or block the block is in
45:56 the web filtering policy see so this
45:58 should just be allow that really is a
46:02 key Point make sure I'm doing allow in
46:04 these anything else is not that useful
46:06 obviously I can use it for the
46:08 granularity of which sites apply to
46:10 which groups maybe I get different rules
46:13 based on the device as well I might even
46:15 have different sites based on risk I'm
46:17 detecting all of that
46:21 applies but just the action it's no good
46:23 trying to do block or even MFA is not
46:25 particularly useful here because it's
46:28 applying to the all
46:31 up your connection to the
46:34 internet not the granular rules in the
46:36 claims so if I do block I just block it
46:40 getting into the internet which is a sad
46:42 day for this poor person that have a big frowny
46:47 face that's it so I hope this was useful
46:49 I hope it really makes it clear what's going
46:53 on I showed a lot of things I maybe
46:55 talked a lot about it but it's actually
46:58 pretty logical and simple hey create the
47:00 web filtering policies which are the the
47:02 categories and the fully qualified
47:04 domain names that make up a logical
47:05 grouping of
47:10 sites I can then use n number of those
47:13 in a security profile which is a certain
47:14 profile that I'm going to want to apply
47:18 to populations based on certain criteria
47:20 again those had a allow block they have
47:22 priorities for when there's going to be
47:25 those conflicts which should win out and
47:26 then hey I'm going to take those
47:28 profiles and apply them to those groups
47:31 of the population with all the normal
47:34 conditional access targeting groups
47:37 client device location risk all of those
47:39 apply it's just we make sure the action
47:42 is allow it's the policy that takes care
47:45 of if the site allowed or blocked that's
47:48 the key point and then it it would just
47:50 take effect and you saw how simple it
47:53 was I'm protecting the user doesn't
47:56 matter where the user is it could be
47:58 anywhere it's protecting them from those
48:01 bad things my policy hey can let it
48:04 through or it can block it um and that's
48:07 a solution I have no pricing information
48:09 at this time that will get released at
48:11 GA so there's no comment on that the
48:13 only thing I know is the internet access for
48:17 M365 that's just part of I think it's
48:19 the E3 license but again you should
48:22 validate that so that was it as always I
48:24 hope this was useful and I hope I can
48:26 now log into my client now said back to