Organizations today face many cybersecurity challenges. Increased remote work, greater mobility, and cloud use have made traditional security measures ineffective. MS Entra ID Global Secure Access offers a crucial solution that improves security and allows easy resource access. This Security Service Edge (SSE) solution meets the needs of businesses looking for strong and complete protection in their digital environments.
MS Entra ID Global Secure Access combines security and networking into a straightforward approach. This matters because it helps protect against the risks that come with a growing number of remote workers and complex hybrid setups. By using one security platform, organizations can simplify their operations, reduce management costs, and apply consistent policies across their networks. It offers secure access to MS365 apps (Microsoft 365 Access Profile), to SaaS applications (Internet Access Profile), and to legacy applications both in the cloud (Internet Access Profile) and on-premises (Private Access Profile). Features such as Conditional Access policies (CAP), multifactor authentication (MFA), and centralized identity management ensure that only authorized users can access sensitive data.
Prerequisites
To use Microsoft Entra Private Access, your organization needs to meet some basic requirements. These may include having the right licenses and security roles in place.
Licensing
- An active MS Entra ID P1/P2 license (I use the P2)
- An active MS Entra Suite for FLW license
Roles
- A Global Admin role to manage the Global Secure Access features
- A Conditional Access Administrator or Security Administrator role to create and manage Conditional Access policies (CA policies)
MS Entra Access Components
MS Entra admin center: The Microsoft Entra admin center (https://entra.microsoft.com/) is where you manage user identities and access for all your cloud services.
Global Secure Access connector client: The Global Secure Access client protects network traffic on your devices by tunnelling the traffic selected by the forwarding profiles to the Global Secure Access cloud, while letting all other traffic reach the network directly. You can install it on Windows, macOS, Android, and iOS devices.
Traffic forwarding profiles: Traffic forwarding profiles in Global Secure Access help you manage and secure your organization’s network traffic. They determine where the traffic goes and how it’s dealt with. There are different profiles for Microsoft traffic, private access, and internet access, each with settings and licensing needs.
Conditional Access policies (CA): Conditional Access policies help organizations manage who gets access to resources based on who you are, what you’re trying to access, and where you’re making the request from. These policies decide which users and devices can get in and might ask for extra steps like two-factor authentication. The process involves collecting session details and ensuring the rules are followed.
Features
Traffic forwarding profiles: By creating profiles, traffic forwarding lets you manage network traffic through the Microsoft Entra Private Access and Internet Access services. When traffic reaches Global Secure Access, it is checked against the Microsoft access profile first, then the Private Access profile, and finally the Internet Access profile. Traffic that matches none of the profiles bypasses Global Secure Access.
Global Secure Access signaling for Conditional Access: The Global Secure Access (GSA) feature for Conditional Access helps control who can access secure resources across different networks. It makes access decisions based on specific conditions, such as the user’s identity or the status of their device.
| Microsoft traffic profile | Private Access profile | Internet Access profile |
|---|---|---|
| The Microsoft traffic forwarding profile covers MS Entra ID, Microsoft Graph, SharePoint Online, Exchange Online, and other Microsoft applications. Forwarding policies are managed per workload (for example Exchange Online), and each workload can be forwarded to Global Secure Access or bypassed. Microsoft traffic reaches the service through remote branch offices or the Global Secure Access client. Microsoft Entra ID Global Secure Access is required to manage access and secure connections to cloud and on-premises apps; through CAP and MFA it ensures that only authorized users can access sensitive data. | The Private Access profile routes traffic to your private resources. To set it up, configure Quick Access with the FQDNs and IP addresses of the private applications and resources you want forwarded to the service. This traffic is directed to the service via the Global Secure Access desktop client. | The Internet Access profile directs traffic to the public Internet, including traffic for SaaS applications. This traffic forwarding profile comes with a prefilled list of regular expressions for FQDNs and public IP addresses. |
| Reference: Microsoft traffic forwarding profile | Reference: Private Access traffic forwarding profile | Reference: Internet Access traffic forwarding profile |
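To make the profile evaluation order concrete (Microsoft traffic, then Private Access, then Internet Access, with a bypass when nothing matches), here is an added illustrative model of that decision, not Microsoft's code; the FQDN wildcards, CIDR ranges and regular expressions in the rules are constructed for the example, not Microsoft's published lists.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Profile:
    """One traffic forwarding profile: FQDN globs, IP networks and FQDN regexes."""
    name: str
    fqdns: list = field(default_factory=list)    # exact names or '*.' suffix wildcards
    cidrs: list = field(default_factory=list)    # IPv4/IPv6 networks in CIDR notation
    regexes: list = field(default_factory=list)  # regexes matched against the whole FQDN

    def matches(self, destination: str) -> bool:
        host = destination.lower().rstrip(".")
        for pattern in self.fqdns:
            if (pattern.startswith("*.") and host.endswith(pattern[1:])) or host == pattern:
                return True
        if any(re.fullmatch(rx, host) for rx in self.regexes):
            return True
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False  # not an IP literal, and no FQDN rule matched
        return any(addr in ipaddress.ip_network(cidr) for cidr in self.cidrs)


# Constructed rule set in the evaluation order the post describes.
PROFILES = [
    Profile("Microsoft traffic",
            fqdns=["*.sharepoint.com", "outlook.office.com", "graph.microsoft.com"],
            cidrs=["52.96.0.0/14"]),
    Profile("Private Access",
            fqdns=["*.corp.example.internal"], cidrs=["10.0.0.0/8"]),
    Profile("Internet Access",
            regexes=[r".*\.com", r".*\.net"]),
]


def route(destination: str, profiles=PROFILES) -> str:
    """Return the name of the first matching profile, or 'bypass' if none matches."""
    for profile in profiles:
        if profile.matches(destination):
            return profile.name
    return "bypass"
```

Note that `contoso.sharepoint.com` also satisfies the Internet profile's `.*\.com` regex, but the Microsoft profile wins because it is evaluated first; a name such as `printer.local` matches nothing and bypasses the service entirely.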
I hope you found this helpful. In my next posts, I will provide clear, step-by-step guides on how to set it up and use it in different business situations.