Brief Summary
This video is part of the Microsoft Entra Suite summer camp series and focuses on how the Microsoft Entra Suite enables secure access to private resources without relying on legacy VPNs. It features a demo where Violet, a finance manager at Woodgrove Bank, securely accesses sensitive financial applications in a hybrid environment. The video also covers how administrators can set up secure access to on-premises applications using Microsoft Entra Global Secure Access, replace legacy VPNs with identity-centric ZTNA, and gain granular visibility into private applications. The session concludes with a Q&A addressing the benefits of unified identity and network access, the role of conditional access, and strategies for migrating from legacy VPNs.
- The Microsoft Entra Suite provides a unified platform for securing identity and network access, reducing complexity and improving security.
- Conditional access is a core component, enabling granular control over who can access specific applications based on identity, device compliance, and real-time risk.
- Organizations can transition from legacy VPNs to a Zero Trust Network Access (ZTNA) approach using Microsoft Entra Private Access, with options for phased migration and coexistence with existing security solutions.
Introduction to Microsoft Entra Suite and Secure Access
Laura Veno introduces the session as part of the Microsoft Entra Suite summer camp, highlighting the week's focus on webinars covering the Microsoft Entra Suite. The session will demonstrate how Violet, a finance manager, can securely access private resources without a legacy VPN. The Microsoft Entra Suite is presented as a comprehensive zero-trust access solution that allows workforces to securely connect to any cloud or on-premises app, resource, or AI within their corporate network or from the open internet. The suite includes Private Access (zero-trust network access), Internet Access (identity-centric secure web gateway), ID Governance, ID Protection (machine learning-based identity threat protection), and Verified ID (privacy-respecting identity verification).
The Need for a Modern Approach to Network Security
Abdi Sabati discusses the increasing complexity of IT environments, which include cloud-native and on-premises apps, a growing number of identities and endpoints, and users connecting remotely or locally. He notes that many organizations still rely on fragmented identity and network security tools, manual provisioning, and legacy VPNs, which is inefficient and risky. Abdi emphasizes the need for a new approach that simplifies and unifies technologies, enables seamless collaboration, adapts in real-time, scales effortlessly, and delivers secure, frictionless access. The Microsoft Entra Suite is designed to meet these needs by unifying signals across identity, endpoint, and network, providing a single control plane to manage access to both private and internet apps.
Demo: Secure Access to Financial Resources with Microsoft Entra
Abdi demonstrates how Violet can securely access a financial dashboard hosted on Woodgrove Bank's Windows server without using a VPN. Violet uses the Remote Desktop app on her company-managed device, which runs the Global Secure Access client, enabling zero-trust network access through Microsoft's Security Service Edge (SSE) solution. She is prompted to sign in to Global Secure Access before establishing a connection. Because Woodgrove's policy enforces just-in-time privileged access, her initial request is denied, and she is required to elevate her access through the Privileged Identity Management (PIM) dashboard. Violet signs in to the Microsoft Entra admin center and activates her PIM role, which grants her the elevated membership for 8 hours, the activation duration configured in PIM. She is then prompted for multifactor authentication (MFA) and satisfies it with a passkey, a phishing-resistant method. Once verified, she has just-in-time access to local resources without directly touching the corporate network, based on identity, device compliance, and real-time risk. Violet can also seamlessly access additional apps and resources within the allowed network segments, such as an internal AI-powered app, without a VPN; because only those segments are reachable, the risk of lateral movement is reduced.
Admin Configuration in Microsoft Entra Admin Center
Marilyn explains how admins can set up secure access to on-premises applications using Microsoft Entra Global Secure Access. She walks through modernizing Woodgrove Bank's security to replace legacy VPNs with identity-centric ZTNA, gaining granular visibility into private applications, and granting Violet just-in-time access. The process begins by enabling the traffic forwarding profiles for Microsoft 365, Microsoft Entra Internet Access, and Microsoft Entra Private Access in the Microsoft Entra admin center and assigning them to all users. Instead of setting up a VPN, the focus is on a zero-trust network access approach with Microsoft Entra Private Access. This involves enabling the traffic forwarding profiles, setting up a private network connector for secure outbound-only access, configuring enterprise apps to work with the connector, and securing access with conditional access policies that require phishing-resistant MFA and device compliance. Private DNS is set up so that internal apps are discoverable and reachable by name without exposing them to the public internet. Multi-geo connectors are configured to optimize traffic flow from Global Secure Access clients to private apps, with connector groups assigned by geographic location. Connectors are installed within the corporate network or on a virtual machine in the cloud, and their status is monitored. Quick Access is set up with app discovery to identify who is using which private applications, which allows application segments to be created for specific devices, users, and processes and conditional access controls to be extended to them.
Just-In-Time Access and Conditional Access Policies
Marilyn details the setup for just-in-time access that lets Violet reach the financial data. This involves configuring a security group called "finance group" in the Microsoft Entra admin center that controls assignment to the RDP application. Privileged Identity Management (PIM) is enabled for this group, making Violet eligible for membership rather than a standing member. A conditional access policy targets the PIM-enabled group and the RDP app and requires strong authentication. When Violet needs access, she signs in to the Entra admin center and activates her PIM assignment; after the activation period expires, she must reactivate it. The conditional access policy requires phishing-resistant authentication, such as a passkey, and sets the sign-in frequency to every time, so the controls are re-evaluated on each sign-in. Risk-based conditional access lets organizations define dynamic policies that remediate risk automatically; the speakers cite Microsoft's figure that tenants using risk-based conditional access remediate user risk 140 times faster. The risk data can be consumed in SIEM or XDR tools, and Entra ID Protection receives signals from across the security stack, working with tools such as Microsoft Defender to provide identity threat detection and response.
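The admin-side procedure above (the security group, PIM eligibility, the 8-hour activation, and the conditional access policy that requires phishing-resistant MFA, a compliant device, and a sign-in frequency of every time) can be scripted with the Microsoft Graph PowerShell SDK instead of clicked through the admin center. The block below is an added example and is not code from the webinar or from Microsoft; the group name, the user principal name, the enterprise app display name, and the scopes granted at sign-in are assumptions, and it assumes the Private Access enterprise app for the RDP server has already been created.

```powershell
# Added example, not code from the webinar: the admin-side setup for Violet's
# just-in-time access, done with the Microsoft Graph PowerShell SDK instead of
# the admin center. Group name, UPN and app name are placeholders; the Private
# Access enterprise app for the RDP server is assumed to exist already.
Connect-MgGraph -Scopes @(
    'Group.ReadWrite.All',
    'User.Read.All',
    'Application.Read.All',
    'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup',
    'RoleManagementPolicy.ReadWrite.AzureADGroup',
    'Policy.ReadWrite.ConditionalAccess'
)

# 1. Security group that controls assignment to the RDP app.
$group = New-MgGroup -DisplayName 'finance group' -MailNickname 'financegroup' `
    -SecurityEnabled -MailEnabled:$false

# 2. Make Violet *eligible* (not active) for the group through PIM for Groups.
#    Until she activates, she is not a member, so the app's user assignment
#    check fails and the connection is denied, as in the demo.
$violet = Get-MgUser -UserId 'violet@woodgrovebank.example'   # placeholder UPN
$eligibility = @{
    accessId      = 'member'
    principalId   = $violet.Id
    groupId       = $group.Id
    action        = 'adminAssign'
    justification = 'JIT access to the finance RDP app'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P365D' }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $eligibility

# 3. Cap each activation at 8 hours. This lives in the PIM policy for the
#    group's "member" role, not in the conditional access policy.
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '$($group.Id)' and scopeType eq 'Group' and roleDefinitionId eq 'member'"
$expirationRule = @{
    '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
    id                   = 'Expiration_EndUser_Assignment'
    isExpirationRequired = $true
    maximumDuration      = 'PT8H'
    target               = @{
        caller = 'EndUser'; operations = @('All'); level = 'Assignment'
        inheritableSettings = @(); enforcedSettings = @()
    }
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyAssignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId 'Expiration_EndUser_Assignment' -BodyParameter $expirationRule

# 4. Conditional access: phishing-resistant MFA AND compliant device, re-evaluated
#    on every sign-in, scoped to the PIM-enabled group and the RDP app.
$rdpApp = Get-MgServicePrincipal -Filter "displayName eq 'Woodgrove Finance RDP'"  # placeholder name
$caPolicy = @{
    displayName     = 'Finance RDP: phishing-resistant MFA + compliant device'
    state           = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after report-only review
    conditions      = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @($rdpApp.AppId) }
    }
    grantControls   = @{
        operator               = 'AND'
        builtInControls        = @('compliantDevice')
        # Built-in "Phishing-resistant MFA" authentication strength
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
```

Two points worth checking before flipping the policy to `enabled`: the policy is scoped by group, and PIM only adds Violet to that group while an activation is live, so any exclusion or break-glass account must be added explicitly or an admin can lock themselves out of the app; and `authenticationStrength` with the built-in phishing-resistant strength means a plain authenticator-app prompt will not satisfy the policy, which is the intended effect but surprises users who have not yet registered a passkey or FIDO2 key.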
Unified ITDR and Identity Protection Dashboard
The power of unified ITDR (Identity Threat Detection and Response) is highlighted, emphasizing proactive risk reduction through correlated signals. The focus is on streamlining collaboration between identity and access management and extended detection and response teams. The identity protection dashboard is showcased, where risky users are flagged. Copilot provides a detailed summary, showing that a user attempted to access a primary refresh token and received an alert from Microsoft Defender for Endpoint. The risk can be remediated by triggering a password reset for the user. The security operations center can also view details about the detection history and risk status in Microsoft Defender alerts.
Recap and Real-World Impact
Abdi recaps the demo, highlighting how Violet seamlessly and securely accessed private resources without a VPN. From the admin side, legacy VPNs were replaced with Microsoft Entra Private Access, an identity-centric zero-trust network access solution using traffic forwarding profiles and segmented app access. Private app discovery was used to gain continuous visibility into Woodgrove Bank's private apps. Violet was enabled to access the Woodgrove Bank server without a VPN, with access granted through a PIM-enabled group and phishing-resistant, passkey-based MFA. According to a Forrester Total Economic Impact study cited in the session, organizations using the Microsoft Entra Suite achieved measurable results, including a 60% reduction in VPN license costs and an 80% decrease in engineering effort. These outcomes help organizations scale securely, lower compliance risk, and let users be productive from day one. Resources such as a quick start guide and a free trial of the Microsoft Entra Suite are mentioned.
Camp Fireside Chat: Q&A on Microsoft Entra Suite
The session transitions to a live Q&A with Laura Veno, Janice Rketts, Abdi Sabati, and Marilyn, addressing questions from the audience.
- Unifying Identity and Network Access: Unifying identity and network access controls makes access both easier and more secure. Policies are created centrally in the Microsoft Entra admin center as conditional access policies and apply across both the identity and network layers. Conditional access acts as the zero-trust policy engine, weighing user identity, device health, and location to enforce access controls.
- Preferred Physical Security Keys: Microsoft prefers passwordless authentication and recommends using a FIDO2 key for physical security.
- Conditional Access as a Zero Trust Policy Engine: Conditional access is central to Entra ID, enabling granular control over access based on defined conditions. Global Secure Access (GSA) extends this control to the network level: conditional access policies can target network-level application segments, defined as IP addresses or FQDNs, rather than only cloud apps.
- Migrating from Legacy VPNs: Moving from VPNs to a ZTNA approach with Microsoft Entra Private Access is done in phases. Quick Access lets a subset of the network be brought under ZTNA first, enabling app discovery and segmentation before individual apps are published. Deployment guides are available to assist with the migration.
- Private Access vs. VPNs: Private access enforces zero trust principles, limiting access to only what users need, unlike VPNs that provide broad network access.
- Coexistence with Other Providers: Microsoft offers coexistence and integration options with partners such as Netskope, Cisco, Palo Alto Networks, and Zscaler. Global Secure Access also integrates with SD-WAN and network providers.
- ID Protection and Auditing: Entra ID Protection assigns a risk level (low, medium, or high) to each detection, and SOC analysts can review the audit logs for potential compromises and for trends in risk behavior.
- App Discovery: App discovery, which is specific to Quick Access, identifies the traffic traversing the network, enabling policies and enterprise apps to be created for zero-trust access controls.
- New Features in Private Access: Recent releases include app discovery, private DNS support, multi-geo connectors, and private access for domain controllers.
- Addressing Network Latency for Global Companies: Multi-geo connectors ensure network traffic remains within the same region, minimizing latency. Microsoft's global private network improves efficiency, performance, and connectivity.
- Integrating Entra Suite and Private Access: Start by setting up quick access or an enterprise application, test conditional access policies, and consider risk-based conditional access. Use identity governance and access packages to manage user assignments.
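The identity protection dashboard described earlier (risky users flagged, the detection history behind a risk state, remediation after review) and the Q&A point on risk levels and audit data both come down to a few Microsoft Graph queries. The block below is an added example, not code from the session or from Microsoft; it assumes a Graph connection with the scopes listed, and the 7-day window and the user object ID are placeholders.

```powershell
# Added example, not code from the webinar: the SOC-side view of Entra ID
# Protection data, fetched with the Microsoft Graph PowerShell SDK. Window
# length and the user identifier are placeholders.
Connect-MgGraph -Scopes 'IdentityRiskEvent.Read.All', 'IdentityRiskyUser.ReadWrite.All'

function Get-RiskTrend {
    # Summarise detections in a window by risk level and by detection type,
    # which is the "trend in risk behavior" an analyst looks at first.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('o')
    $detections = @(Get-MgRiskDetection -Filter "detectedDateTime ge $since" -All)
    [pscustomobject]@{
        Window      = "$Days days"
        Total       = $detections.Count
        ByLevel     = $detections | Group-Object RiskLevel | Select-Object Name, Count
        ByEventType = $detections | Group-Object RiskEventType |
                      Sort-Object Count -Descending | Select-Object Name, Count
        # Still-open detections from the highest tier are the triage queue.
        OpenHigh    = $detections |
                      Where-Object { $_.RiskLevel -eq 'high' -and $_.RiskState -eq 'atRisk' } |
                      Select-Object UserPrincipalName, RiskEventType, DetectedDateTime, Source
    }
}

function Get-RiskyUserDetail {
    # Current risk state plus the detection history for one user, the same
    # data the identity protection dashboard shows for a flagged account.
    param([Parameter(Mandatory)][string]$UserId)
    $user    = Get-MgRiskyUser -RiskyUserId $UserId
    $history = Get-MgRiskyUserHistory -RiskyUserId $UserId -All |
               Sort-Object RiskLastUpdatedDateTime
    [pscustomobject]@{
        User      = $user.UserPrincipalName
        RiskLevel = $user.RiskLevel
        RiskState = $user.RiskState
        History   = $history | Select-Object RiskLastUpdatedDateTime, RiskLevel, RiskState, RiskDetail
    }
}

$trend = Get-RiskTrend -Days 7
$trend.ByLevel | Format-Table
$trend.OpenHigh | Format-Table

$detail = Get-RiskyUserDetail -UserId '<risky-user-object-id>'   # placeholder
$detail.History | Format-Table

# After human review only: confirm the account as compromised so its risk
# state becomes high and a risk-based conditional access policy forces
# remediation (for example a password reset). Left commented so the script
# is read-only by default.
# Confirm-MgRiskyUserCompromised -UserIds @('<risky-user-object-id>')
```

The split between read-only triage functions and a commented-out remediation line is deliberate: the `riskState` of `atRisk` versus `remediated` or `dismissed` is what the conditional access risk policies key on, so changing it is an enforcement action and should be a separate, reviewed step rather than part of a reporting script.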
The session concludes with final advice on integrating the Entra Suite and Private Access into existing infrastructure, emphasizing collaboration between IT and security teams and accelerating the zero trust journey.