Ask Microsoft Anything: Security Service Edge (SSE)
Event Ended
Wednesday, Aug 14, 2024, 09:00 AM PDT
Ask Microsoft Anything about securing access to any app or resource, from anywhere. Our panel of experts will answer your questions about Microsoft Entra Internet Access, Microsoft Entra Private Acces...
Heather_Poulsen
Updated May 14, 2025
markandrews1780
Aug 14, 2024
Copper Contributor
Regarding Internet access, does the internet traffic get proxied by Microsoft services, or route direct from the client after rules are processed? If all traffic is tunnelled via Microsoft Entra:
a) can specific websites be split out so they do not get proxied via Microsoft?
b) do clients get a sticky outgoing IP via Microsoft?
I've used another cloud-based filtering system, and the IP that is used to connect to the target website does change, which can disrupt website sessions, causing websites to prompt users to log in again.
Anupma_Sharma
Aug 14, 2024
Former Employee
All acquired traffic gets routed through Entra Secure Edge where the policies get enforced. Yes, we do support provisions to exempt specific websites or IP ranges from acquisition where they get routed directly from the client based on admin configuration. Details of our Custom Bypass provision can be found here - https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-manage-internet-access-profile.
We do support a well-defined egress IP signature for the SSE service as documented here - https://learn.microsoft.com/en-us/entra/global-secure-access/reference-points-of-presence. We acknowledge the callout and need to ensure IP stickiness on egress across long-running sessions, and system design takes care of that requirement by default. We are here to support you if you face any issues in practice in this regard.
To ensure continuity on location-based conditional access policies, we have differentiating provisions in the product that will restore the original Src IP address of the end user while acquiring tokens and assessing user risk (despite being routed through the SSE edge). You can learn more about it here - https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-source-ip-restoration.
Last but certainly not least, we have the unique integration with Conditional Access in introducing the Compliant NW check, which allows admins to abstract location-based access controls for their tenant without needing to rely on Src IP addresses altogether and is the right paradigm in the remote/hybrid world we live in today. Learn more about it here - https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-compliant-network