Flexible work arrangements and accelerating digital transformation have changed the way we secure access. Traditional network security approaches don’t scale to modern demands. They not only hurt end-user experience but also grant each user excessive access to the entire corporate network. All it takes is one compromised user account, infected device, or open port for an attacker to get inside and move laterally anywhere in your network, exposing your most critical assets.
Even if you have adopted modern access solutions, you still need to integrate and manage multiple identity and network tools, because neither identity nor network security controls alone can cover every access path. When those tools are disconnected, critical integration points get missed, and skilled adversaries routinely exploit the seams between solutions. Organizations need an easier, more agile approach to protecting access to all applications and resources. The new networking model we’re introducing today will transform the way you secure access.
Today we’ve announced two new products: Microsoft Entra Internet Access and Microsoft Entra Private Access. With Identity and Network Access solutions working together, organizations don’t need to spend time deciding which tool would work better for each app, or how to bridge the policies your identity team created with the policies your networking team created. You can now configure unified identity and network controls with Conditional Access in Microsoft Entra.
You can connect any end user, application, external resource, or internal IT system through a cloud-delivered, identity-centric network access solution. This cloud service is agile, easy to manage, and cost-effective compared with legacy on-premises systems, so you don’t need to sacrifice user productivity to get best-in-class security controls. The model is built on Zero Trust principles: it verifies each identity, uses risk-based context, and gives users access only to the applications, resources, and destinations they need to do their job.
Microsoft Entra Internet Access
Microsoft Entra Internet Access is an identity-centric Secure Web Gateway (SWG) for SaaS apps and internet traffic that protects against malicious internet traffic, unsafe or non-compliant content, and other threats from the open internet. For example, you can block access to all external destinations for your high-risk users or non-compliant devices, except self-service password reset pages. It also extends Conditional Access with network conditions. Requiring a user to be on a “compliant network” to reach a resource means, for example, that a stolen session token replayed from an attacker’s host fails the check, because that host is not sending its traffic through the client or tunnel. The flip side is that the condition can only be evaluated for traffic that actually reaches the service that way, so devices that are not enrolled remain outside the check.
It also has unique capabilities for Microsoft 365: Universal Tenant Restrictions, which prevent data exfiltration to other tenants or personal accounts (including anonymous access); near-real-time threat detection; higher-precision risk assessment on user, location, and device; and more seamless access to Microsoft 365 apps. Internet Access can be deployed as the main solution or side by side with other SSE solutions, and integration will be offered through a new API in Microsoft Graph. Traffic can be acquired either from end-user devices through a cross-OS client or from remote networks through IPsec tunnels.
Internet Access for Microsoft 365 scenarios and the Windows client are now in public preview. Internet Access for all traffic, cloud firewall, threat protection and support for all other OS types will be available later this year.
Microsoft Entra Private Access
Some of you may be familiar with Application Proxy in Microsoft Entra; thousands of customers use it to access private web apps today. We’re excited to introduce an even better solution: an identity-centric Zero Trust Network Access (ZTNA) solution that shares the same application connectors but offers much more, helping organizations simplify and secure access to any private resource, port, or protocol.
With Private Access, users can quickly and easily connect to private applications, no matter where the user is (in the office or remote) and regardless of where the application is hosted (an on-premises data center or any public cloud). You don’t need to change those applications or resources to add another layer of security controls such as multifactor authentication (MFA), device compliance checks, identity protection, identity governance, and single sign-on in front of any TCP/UDP-based application, including SSH, RDP, SAP, SMB file shares, and other private resources.
Using attribute-based Conditional Access policies, you can now write simple policies that target groups of applications by how sensitive they are to the enterprise, rather than enumerating each app. Examples include requiring MFA, device compliance, low user risk, or a compliant network for highly sensitive applications, or even specific per-application Conditional Access policies. With deep integration with Conditional Access and Continuous Access Evaluation, you can put modern authentication in front of legacy auth protocols such as Kerberos or NTLM without changing the legacy apps. Private Access is now in public preview.
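The policy tiering described above, together with the compliant-network check mentioned under Internet Access, as an added example written with the Microsoft Graph PowerShell SDK. This is illustrative code, not from the original post or from Microsoft. It assumes a custom security attribute set named "AppTier" with an attribute "Sensitivity" (hypothetical names), a placeholder group Id for the users in scope, and that the compliant-network named location is present under the display name used below; confirm the application-filter rule syntax against the Graph conditionalAccessApplications documentation for your tenant. All three policies are created in report-only mode so they can be validated against sign-in logs before enforcement.

```powershell
# Added example (not Microsoft's code). Three Conditional Access policies for a
# "high sensitivity" application tier, selected by attribute rather than by app Id.
# Assumed/hypothetical: attribute set "AppTier", attribute "Sensitivity", the group Id,
# and the display name of the compliant-network named location.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$scopedGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object Id of the pilot group

# Attribute-based app targeting: newly onboarded apps inherit the controls as soon
# as they are tagged, so nobody has to remember to add them to a policy.
$highSensitivityApps = @{
    includeApplications = @()
    excludeApplications = @()
    applicationFilter   = @{
        mode = "include"
        rule = 'CustomSecurityAttribute.AppTier_Sensitivity -eq "High"'   # assumed attribute names
    }
}

function New-TierPolicy {
    # Helper for this example: every policy shares the same users and app filter and
    # starts in report-only mode; only the extra conditions and grant controls differ.
    param(
        [string]$Name,
        [hashtable]$ExtraConditions,
        [hashtable]$GrantControls
    )
    $conditions = @{
        users          = @{ includeGroups = @($scopedGroupId) }
        applications   = $highSensitivityApps
        clientAppTypes = @("all")
    }
    foreach ($key in $ExtraConditions.Keys) { $conditions[$key] = $ExtraConditions[$key] }

    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"   # report-only until validated
        conditions    = $conditions
        grantControls = $GrantControls
    }
}

# 1. Grant only with MFA AND a compliant device.
New-TierPolicy -Name "CA-PA-HighSensitivity-RequireMfaCompliantDevice" `
    -ExtraConditions @{} `
    -GrantControls @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }

# 2. "Low user risk" is expressed as a block for medium/high user risk on the same apps.
New-TierPolicy -Name "CA-PA-HighSensitivity-BlockElevatedUserRisk" `
    -ExtraConditions @{ userRiskLevels = @("medium", "high") } `
    -GrantControls @{ operator = "OR"; builtInControls = @("block") }

# 3. Block unless the request arrives through the compliant network: include all
#    locations, exclude the compliant-network location, block. A session token
#    replayed from a host that is not routed through the client or tunnel fails here.
$compliantNetwork = Get-MgIdentityConditionalAccessNamedLocation `
    -Filter "displayName eq 'All Compliant Network locations'"   # assumed display name
if (-not $compliantNetwork) {
    throw "Compliant network named location not found; enable the feature before creating this policy."
}
New-TierPolicy -Name "CA-PA-HighSensitivity-BlockOffCompliantNetwork" `
    -ExtraConditions @{
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($compliantNetwork.Id)
        }
    } `
    -GrantControls @{ operator = "OR"; builtInControls = @("block") }
```

Run the three in report-only mode first and review the sign-in logs for the scoped group; the risk and off-network policies are blocks, so a mistake in the attribute rule or group Id would lock users out the moment they are switched to enabled. Note that policy 3 only sees traffic that actually traverses the client or an IPsec tunnel, which is why it is paired with MFA and device compliance rather than used alone.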
Secure access to any app or resource, from anywhere, with an identity-centric security service edge (SSE) solution
Together, Internet Access and Private Access, coupled with our SaaS-security-focused CASB, Microsoft Defender for Cloud Apps, comprise Microsoft’s Security Service Edge solution. The solution integrates deeply with Microsoft’s broader security portfolio and enables an open partner ecosystem, so it also works with your existing network and security solutions. Internet Access and Private Access share the same agent, which works across operating systems and provides consistent connectivity across devices and networks. You can enforce unified Conditional Access policies that consider identity, device, application, and now network conditions for any application or website, regardless of which IdP the application uses and without changing those applications.
Microsoft’s SSE solution is delivered from the Microsoft global network, one of the largest private networks in the world. It connects Microsoft data centers across 61 Azure regions with more than 185 global network POPs and a large mesh of edge nodes placed around the world, so organizations can connect users and devices to public and private resources seamlessly and securely. Currently, Microsoft’s SSE solution is available in a select set of locations in North America and Europe, with additional locations to be added throughout the course of this year.
With the introduction of our SSE solution, Internet Access and Private Access let customers secure access to any application, resource, or destination with a unified, identity-centric approach, using user identity, device compliance, application, and now network compliance as conditions. This is an easy way to unify and centralize all your access policies and strengthen them with continuous access evaluation.
Stay tuned for product deep dive blogs and our upcoming Tech Accelerator product deep dive sessions on July 20, where we'll expand on how our two new products, Internet Access and Private Access, can uniquely and successfully provide a secure approach to access across your organization’s entire digital estate.
I’d like to invite you all to join our public preview and share your feedback to help us make this solution even better.
For additional information, check out the following resources:
Learn more about Microsoft Entra:
- Related Articles: Announcing Microsoft Entra expansion in security service edge and more identity innovations
- See recent Microsoft Entra blogs
- Dive into Microsoft Entra technical documentation
- Join the conversation on the Microsoft Entra discussion space and Twitter
- Learn more about Microsoft Security