Ask Microsoft Anything: Security Service Edge (SSE)
Event details
Ask Microsoft Anything about securing access to any app or resource, from anywhere. Our panel of experts will answer your questions about Microsoft Entra Internet Access, Microsoft Entra Private Access, and how these products work together as part of Microsoft's Security Service Edge solution.
This session is part of the Microsoft Entra Suite Tech Accelerator.
Get a head start
Watch Zero Trust in the Age of AI to learn how to simplify your Zero Trust strategy with the latest end-to-end security innovations.
59 Comments
- DaneaGalbraith
Iron Contributor
Does the Entra governance for Internet traffic not only block types of sites but in concert apply the reputation-based intelligence for this as well? Additionally, are the user-facing messages for traffic blocking or warning clear?
- Yordan_Yordanov
Brass Contributor
Will the GSA client be able to support logging in with alternate credentials from a different tenant or only from the home tenant of the device?
- tdetzner
Microsoft
Currently, we only support sign-in to the tenant where the user and the device are homed. We are working on B2B support though.
- markandrews1780
Copper Contributor
Regarding Internet access, does the internet traffic get proxied by Microsoft services, or route direct from the client after rules are processed? If all traffic is tunnelled via Microsoft Entra, a) can specific websites be split out so they do not get proxied via Microsoft, and b) do clients get a sticky outgoing IP via Microsoft? I've used another cloud-based filtering system, and the IP that is used to connect to the target website does change, which can disrupt website sessions, causing websites to prompt users to log in again.
- Anupma_Sharma
Former Employee
All acquired traffic gets routed through Entra Secure Edge where the policies get enforced. Yes, we do support provisions to exempt specific websites or IP ranges from acquisition where they get routed directly from the client based on admin configuration. Details of our Custom Bypass provision can be found here - https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-manage-internet-access-profile. We do support a well-defined egress IP signature for the SSE service as documented here - https://learn.microsoft.com/en-us/entra/global-secure-access/reference-points-of-presence. We acknowledge the callout and need to ensure IP stickiness on egress across long-running sessions, and system design takes care of that requirement by default. We are here to support if you face any issues in practice in this regard. To ensure continuity on location-based conditional access policies, we have differentiating provisions in the product that will restore the original Src IP address of the end user while acquiring tokens and assessing user risk (despite being routed through SSE edge). You can learn more about it here - https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-source-ip-restoration. Last but certainly not the least, we have the unique integration with Conditional Access in introducing Compliant NW check, which allows admins to abstract location-based access controls for their tenant without needing to rely on Src IP addresses altogether and is the right paradigm in the remote/hybrid world we live in today. Learn more about it here - https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-compliant-network
- Russell_Ford
Copper Contributor
Is the intent to grow the MS SSE offering to a full-blown solution including the features that have been mentioned today, including SSPM, CASB, CSPM, SWG, RBI and the rest of the usual suspects typically bolted onto an SSE offering? In other words, will this grow to rival the SSE offerings from providers like Netskope, Palo Alto etc.?
- Jeevan_Bisht
Microsoft
Yes, we are looking at the full set of SSE capabilities and bringing in all the benefits of your existing investments in the Entra platform.
- Russell_Ford
Copper Contributor
Many thanks. So can we say that Entra is intended to evolve greatly with SSE slotting into it as a feature set?
- markandrews1780
Copper Contributor
Regarding private access, does it enable the device itself to establish a connection back to on premise resources based on its own EntraID account rather than a user logging on? Specifically, I'm thinking of the functionality provided by AOVPN Device Tunnel; can that be replicated with private access?
- tdetzner
Microsoft
Currently, the Global Secure Access client (on Windows) requires an interactive logon session. We are, however, looking into the pre-logon support that you describe for a future update.
- PeterH-LU
Copper Contributor
Does it rely on any EntraID "hidden" fields or can it work with Entra ID on local infrastructure as long as UPN/password match?
- Dave_C
Copper Contributor
Will the new Entra ID Suite be able to replace my existing IGA or IAM solution? If not, will it enhance my IGA capabilities?
- danjb
Brass Contributor
One of the issues we currently have with 3rd party solutions is the slowness to start up [the agent/client software] and also slowness to connect. Sometimes it can take end users up to a couple minutes or so from booting Windows or resuming from sleep. Question: will Microsoft's SSE client start quickly and connect in seconds, perhaps even during initial boot [pre-logon]?
- tdetzner
Microsoft
Yes, this is our current observed behavior with many of our customers. If you see delays, I'd kindly ask you to open a support case and we will investigate those issues.
- danjb
Brass Contributor
What are your targets for speed/bandwidth on the Microsoft SSE network? [Some third party solutions are currently offering gigabit or better]
- danjb
Brass Contributor
Certain features in SSE seem to overlap with other Microsoft products, such as: App Discovery [similar to Cloud App Security in the Security admin center], and Web Content Filtering [similar to Web Filtering in Defender for Endpoint]. My question is: will Microsoft make an effort to unify these in the long term, and in the short term will there be guidance released on how to use these technologies together in a way that doesn't cause conflicts, procedural confusion, or additional administrator workload?
- vbakshi123
Copper Contributor
Brilliant. I have the same question, as now I am confused about which one to use. Using CA policies with Entra Internet Access gives us the same identity control/device control policies. Not so granular device control policies, but enough to block access.
- TrevorRusher
Community Manager
Welcome to the Security Service Edge (SSE) AMA. Let's get started! Please post your questions here in the Comments. We’ll be here until 9:30 a.m. Pacific Time!
We will be answering questions in the live stream—and others will be answering here in the Comments.