
Microsoft Entra Blog

What’s new in Microsoft’s Security Service Edge solution

Sinead_ODonovan
Nov 19, 2024

New enhancements help you reach the next level in Zero Trust and network transformation.

With Microsoft Ignite 2024 kicking off in Chicago, we’re excited to share the latest updates to our identity-centric Secure Access Service Edge (SASE) ecosystem, which accelerates your Zero Trust implementation and network transformation by unifying access controls across network security, identity, and endpoints.

Whether you’re in the midst of your journey or just starting out, we’re making it simpler and easier to secure your devices, users, and network access. The enhancements we’re announcing today make it easier to migrate from traditional network security technologies, move to a least privilege access model, improve visibility into which users are accessing which apps, and strengthen protection against threats.

  • New capabilities in Microsoft Entra Private Access simplify migration from traditional VPNs and make it easier for users to connect to resources.
  • Enhancements to Microsoft Entra Internet Access make it possible to revoke network access in near real-time and to inspect encrypted traffic.
  • Integrations with other providers make it easier to send your network traffic through our SASE ecosystem and to access their network security capabilities directly from our in-product experience.
  • Our Global Secure Access clients for macOS and iOS are now in public preview.

Enhancements to Microsoft’s SSE solution 

In July, we announced that Microsoft Entra Private Access and Microsoft Entra Internet Access were generally available, either standalone or as part of the Microsoft Entra Suite. These two products, coupled with our SaaS security-focused CASB—Microsoft Defender for Cloud Apps—comprise Microsoft's Security Service Edge (SSE) solution. It’s a cloud-delivered, identity-centric networking model that unifies controls for identity, network security, and endpoints—with Conditional Access as the Zero Trust policy engine—to close security gaps while eliminating the need to manage users, groups, and apps in multiple locations.

The enhancements we’re announcing at Ignite will help you reach the next level in your Zero Trust and network transformation journey.

 

Figure 1: Microsoft's identity-centric SSE solution overview

What’s new in Microsoft Entra Private Access 

Microsoft Entra Private Access helps replace your VPN with an identity-centric Zero Trust Network Access (ZTNA) solution that’s built on Zero Trust principles to protect against cyber threats and prevent lateral movement. Through Microsoft’s global private network, you can give users a seamless, edge-accelerated access experience that securely connects them to any private resource and application without giving them full access to everything on your network.  

New capabilities simplify migration from traditional VPNs and make it easier for users to connect to resources. 

  • Quick Access, already generally available, makes it easy to onboard private apps to Microsoft Entra.
  • App Discovery, in public preview, makes it easy to discover all your private apps.
  • Private DNS, in public preview, makes it easy for users to access IP-based app segments across private apps using Fully Qualified Domain Names (FQDNs).
  • Connectors available in Microsoft Azure, AWS, and Google Cloud marketplaces, in public preview, make it easier to deploy private network connectors. 

What’s new in Microsoft Entra Internet Access 

Microsoft Entra Internet Access helps secure access to all internet and SaaS applications and resources with an identity-centric secure web gateway (SWG) solution, so you no longer need to manage multiple disconnected network security tools. It protects users, devices, and resources with capabilities such as universal Conditional Access, context-aware network security, and web content filtering.  

New capabilities in preview today strengthen protection against threats. 

  • Universal Continuous Access Evaluation (CAE) support, in public preview, makes it possible for Conditional Access to revoke network access in near real-time when it detects an increase in session risk that may signify an attack. This is like gaining an automatic emergency switch to turn off the internet until policy conditions are met. Because these controls operate at the network level, they work whether or not the application or client supports modern authentication and CAE natively.
  • TLS inspection, in private preview, provides comprehensive visibility of encrypted traffic and enables enhanced URL web category filtering based on full URLs.   

Join the private preview for TLS inspection in Microsoft Entra Internet Access. 

An integrated approach to SASE 

If you’re like most enterprises, you’ve invested in network appliances, routers, and a Multiprotocol Label Switching (MPLS) backbone. And if you’re embracing network transformation, you may be in the process of simplifying your on-premises network and replacing expensive equipment with modern network solutions.  

We don't believe that one network security vendor can solve all customer needs. That’s why our SASE ecosystem offers flexible deployment options that work in concert with other SSE, SASE, and networking solutions. We’re partnering with other network security vendors to deliver deep product integrations so you can protect against the most sophisticated attacks by combining the power of our identity-centric Zero Trust policy engine with solutions from your hardware providers of choice. We're also partnering with other network connectivity providers to make it easier to send your network traffic through our SASE ecosystem. The result is unified management and visibility within our SASE ecosystem. This frees you from toggling between complex systems or learning new ones.  

  • We’re augmenting Entra Internet Access with third-party capabilities such as Advanced Threat Protection (ATP) and Data Loss Prevention (DLP), starting with ATP and DLP from Netskope, now in private preview.

Read the blog: Microsoft and Netskope: Unified Identity-centric security 

  • We’re integrating SD-WAN and connectivity solutions to give you a comprehensive, end-to-end secure access solution. Using templatized and automated workflows, we’re providing seamless integration with solutions from Aviatrix, Check Point, Cisco, HPE Aruba, Teridion, and Versa Networks, with more connectivity integrations coming later.  

Read the blog: Microsoft partners for new SASE ecosystem 

What’s new in the SSE client 

The Global Secure Access client routes traffic that needs to be secured to the cloud service while allowing other traffic to pass directly to the network. The client, currently available for Windows and Android, is now in public preview for macOS and iOS, giving users more flexible options for accessing resources securely.  

Without installing the Global Secure Access client on individual devices, you can still benefit from the enhanced security capabilities we offer, such as universal tenant restrictions, compliant network checks, and source IP restoration.   

The advantages of a unified network security solution 

Using separate tools to manage separate identity policies and network policies adds complexity, not to mention expense. You have to synchronize users, groups, and applications; troubleshoot policy conflicts; and hope that attackers don’t exploit seams and gaps between your disparate solutions.  

A comprehensive Zero Trust strategy, in contrast, connects individual tools together through a centralized access policy engine and integrated threat protection. Microsoft Entra supports this unified approach for managing and governing users and groups, as well as access, in one place. Plus, it natively integrates with other security products in Microsoft’s portfolio, so you can unify your defenses across identities, endpoints, networks, applications, data, and infrastructure: 

  • Microsoft Intune for enforcing device compliance
  • Microsoft Purview for managing insider risk
  • Microsoft Defender XDR and Microsoft Sentinel for unified visibility, investigation, and response  

Centralizing all access controls under a unified policy engine simplifies administration while giving users a single, consistent access experience with fast, seamless, and secure access to any app or resource, from anywhere. Integrating network controls, in particular, extends the power of Conditional Access to any resource, whether on-premises or in any cloud—even those that aren’t modernized or federated—without requiring any code changes. For example, you can put multifactor authentication (MFA) and device compliance checks in front of legacy on-premises applications, including SAP, SMB file shares, and SSH for accessing your servers. The only thing you need is an IP address.

Test Microsoft Entra Private and Internet Access today 

Our SASE ecosystem, with the latest enhancements, offers a comprehensive and integrated approach to network security that simplifies management, strengthens protections, and helps minimize costs. If you’re in the process of transforming your network and want to replace or reconsider your VPN, SWG, or traditional on-premises network security technology, we encourage you to try Entra Internet Access and Private Access, either standalone or as part of the Entra Suite. The links below will take you to the trial pages.  

Most customers can move from proof of concept to full deployment of our SASE solution within three to six months. We’re here to help and would love to partner with you on your security journey.

 

Sinead O’Donovan 

Vice President, Product Management 

 

Learn more about Microsoft Entra  

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds. 

 


Updated Nov 19, 2024
Version 2.0
  • Olaf
    Copper Contributor

    Hi! When will the macOS Client for Secure Access be available? Cannot join the “early access”.. Without the macOS Client we cannot test the secure access because we have many macOS Clients (and of course iOS Clients). In the view of “iOS indigo”, the secure client is a “must have” not “may be”…

    best regards, Olaf

    • gatewood502
      Brass Contributor

      It should be available now - 

      Our Global Secure Access clients for macOS and iOS are now in public preview.

      • Olaf
        Copper Contributor

        Hi! Thanks for the reply. But the download link points to www.microsoft.com/de-de when I try to open aka.ms/globalsecureaccess-macos.. can you (or someone from your team) correct the link..?
        Best regards.. Olaf