
Microsoft Entra Internet Access now generally available



With the rise of hybrid work, identity and network security professionals are now on the front lines of protecting organizations. Traditional network security tools cannot meet the integration, complexity, and scalability requirements of ubiquitous access, exposing organizations to security risks and poor user experiences. To address this, network security and identity must function as a unified force in defense. Only when identity and network controls are deeply integrated into secure access can we fully implement the core Zero Trust principle, where trust is never implicit and access is granted on a need-to-know and least privilege basis for all users, devices, and applications.

Microsoft Entra Internet Access

On July 11, 2024, we announced the general availability (GA) of the Microsoft Entra Suite, which includes Microsoft Entra Internet Access, part of Microsoft's Security Service Edge (SSE) solution. Internet Access is an identity-centric secure web gateway (SWG) that secures access to all Internet and SaaS applications and resources, closing security gaps and reducing the risk of cyber threats by unifying identity and network access control behind a single Zero Trust policy engine. The solution is fully integrated with Microsoft Entra ID, so you no longer manage users, groups, and apps in several places. With capabilities such as universal Conditional Access, context-aware network security, and web content filtering, you protect users, devices, and resources without stitching together multiple, disconnected network security tools.

Figure 1: Secure access to all Internet and SaaS applications and resources through an identity-centric SWG.

Integrated identity and network security

Tight integration with Entra ID brings Conditional Access, and the continuous access evaluation (CAE) that follows it, to all external destinations: Internet resources and cloud applications alike, whether or not they are integrated or federated with Entra ID. Because network policy is evaluated by Conditional Access, you can tailor it to your enterprise requirements with the same granular device, user, location, and risk conditions you already use for identity. Microsoft Entra Internet Access also adds security controls that depend on this integration, namely token replay protection and data exfiltration controls for Entra ID federated applications.

Figure 2: Rich user, device, location, and risk awareness of Conditional Access for network security policy enforcement

Protect your users with context-aware network security

With Microsoft Entra Internet Access, you can now attach network security policy to Conditional Access, which gives you a versatile tool that adapts to a wide range of SWG policy enforcement scenarios. With web category filtering, you allow or block a broad set of Internet destinations using pre-populated web categories. For more granular control, Fully Qualified Domain Name (FQDN) filtering lets you set policy for specific endpoints or override a general web category policy for a single destination.

For example, you can create a policy that allows your finance team to reach critical finance applications while blocking them for the rest of the organization. You can layer on risk-based policies that adapt dynamically to a user's risk level from Entra Identity Protection, so high-risk users lose access to those destinations until the risk is remediated. Another example is just-in-time access to Dropbox while all other external storage sites stay blocked, which uses the integration between Microsoft Entra Internet Access, Conditional Access, and Entra ID Governance workflows to grant the exception for a bounded time.

In the coming months, we will be adding new features such as TLS inspection and URL filtering to give you more granular control over your web filtering policies. We will also be adding threat intelligence (TI) filtering to prevent users from accessing known malicious Internet destinations.

[Animation: Context-Aware SWG]

Defense in depth against token replay attacks with the Compliant Network check

With the new Compliant Network condition in Conditional Access, you can require that access to any Entra ID federated Internet application, including Microsoft 365 applications, arrives through Microsoft's SSE edge. The check is evaluated at the authentication plane on every request, so a token stolen from a legitimate session and replayed from anywhere outside the compliant network is rejected even though the token itself is still valid. The same condition guarantees that users cannot bypass the SSE security stack on their way to these applications. Compliant Network also removes the inherent drawbacks of source IP-based location enforcement: maintaining lists of egress IP addresses, and hairpinning remote users' traffic through branch networks just so they appear to come from a trusted IP.
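To make the two policy mechanisms above concrete, here is a small model of the decisions they produce. This is an added illustration written for this page, not Microsoft's Conditional Access or Global Secure Access code: the web category map, group names, policy rules and sample sign-in events are all constructed assumptions. It covers the web category, FQDN and risk-based filtering from the previous section and the Compliant Network check from this one, and shows why a replayed token fails the latter.

```python
"""Toy evaluator for identity-aware SWG policy (constructed example, not product code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    user: str
    groups: set               # Entra ID group memberships
    destination: str          # FQDN the user is trying to reach
    user_risk: str            # Identity Protection level: "none" | "low" | "medium" | "high"
    via_sse_edge: bool        # request was tunnelled through the tenant's SSE edge
    bearer_token: Optional[str] = None   # Entra ID token presented to a federated app


# Constructed category map (the product ships pre-populated categories; these
# particular FQDNs and the federated-app list are assumptions for the example).
WEB_CATEGORIES = {
    "erp.example-finance.com": "Finance",
    "dropbox.com": "Cloud Storage",
    "box.com": "Cloud Storage",
    "news.example.org": "News",
}
FEDERATED_APPS = {"outlook.office.com", "sharepoint.example.com"}


def web_filtering(req: Request) -> str:
    """Category/FQDN filtering tied to Conditional Access conditions.

    Rules, most specific first:
      1. High-risk users are cut off from Finance and Cloud Storage entirely.
      2. Finance category only for members of the 'finance' group.
      3. FQDN override: dropbox.com allowed for users holding a time-bound
         grant (modelled as membership in 'dropbox-jit'); all other Cloud
         Storage destinations stay blocked.
    """
    category = WEB_CATEGORIES.get(req.destination, "Uncategorized")
    if req.user_risk == "high" and category in {"Finance", "Cloud Storage"}:
        return "block:user-risk"
    if category == "Finance":
        return "allow" if "finance" in req.groups else "block:category-Finance"
    if req.destination == "dropbox.com":
        return "allow" if "dropbox-jit" in req.groups else "block:fqdn-dropbox"
    if category == "Cloud Storage":
        return "block:category-Cloud-Storage"
    return "allow"


def compliant_network(req: Request) -> str:
    """Compliant Network condition for Entra ID federated apps.

    The decision is made per request at the authentication plane: a valid
    token presented from outside the SSE edge is refused, which is exactly
    the token-replay case. No source IP list is consulted.
    """
    if req.destination not in FEDERATED_APPS:
        return "n/a"
    if req.bearer_token is None:
        return "block:no-token"
    return "allow" if req.via_sse_edge else "block:not-compliant-network"


def evaluate(req: Request) -> str:
    """One unified decision; any block from either control wins."""
    blocks = [d for d in (web_filtering(req), compliant_network(req)) if d.startswith("block")]
    return blocks[0] if blocks else "allow"


# Constructed sample events, including a token replayed from outside the edge.
SAMPLE = {
    "finance-user-to-erp": Request("alice", {"finance"}, "erp.example-finance.com", "none", True),
    "other-user-to-erp": Request("bob", set(), "erp.example-finance.com", "none", True),
    "jit-user-to-dropbox": Request("carol", {"dropbox-jit"}, "dropbox.com", "none", True),
    "jit-user-to-box": Request("carol", {"dropbox-jit"}, "box.com", "none", True),
    "high-risk-finance-user": Request("alice", {"finance"}, "erp.example-finance.com", "high", True),
    "m365-via-edge": Request("dave", set(), "outlook.office.com", "none", True, bearer_token="tok-dave"),
    "m365-token-replay": Request("dave", set(), "outlook.office.com", "none", False, bearer_token="tok-dave"),
    "news-direct": Request("erin", set(), "news.example.org", "none", False),
}


def run_samples() -> dict:
    """Evaluate every sample event; returns {event name: decision}."""
    return {name: evaluate(req) for name, req in SAMPLE.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:24s} -> {decision}")
```

The replayed token is rejected by the Compliant Network condition even though `web_filtering` would have allowed the destination; in the real product that decision is re-evaluated continuously through CAE rather than once at sign-in.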

[Animation: Source IP Recovery]

Prevent data exfiltration with Universal Tenant Restrictions (TRv2)

Microsoft Entra Internet Access lets you enforce Universal Tenant Restrictions on all managed devices and network branches, regardless of OS and browser platform. Tenant Restrictions v2 provides strong data exfiltration controls: you manage the risk of external access from managed devices and networks by curating granular allow or deny lists of the external identities and applications that users are, or are not, permitted to reach.
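The "universal" part matters because of how TRv2 is signalled. The Entra ID login endpoints only apply a TRv2 policy when the request carries the header `sec-Restrict-Tenant-Access-Policy: <home tenant ID>:<policy ID>`; without Global Secure Access that header has to be injected by a corporate proxy or a per-platform client setting, which is why coverage used to depend on OS and browser. The following is an added example written for this page, not Microsoft code: it models the edge tagging outbound login traffic and the authentication plane's decision. The tenant and policy GUIDs, the partner allow list and the simplified tenant-level policy shape are constructed assumptions (the real policy also scopes by users, groups and applications).

```python
"""Tenant Restrictions v2 signalling, modelled end to end (constructed example)."""
from urllib.parse import urlsplit

TR_HEADER = "sec-Restrict-Tenant-Access-Policy"
# Authentication-plane endpoints that honour the TRv2 header.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

HOME_TENANT = "11111111-1111-1111-1111-111111111111"     # assumption: the enforcing tenant
POLICY_ID = "22222222-2222-2222-2222-222222222222"       # assumption: its TRv2 policy ID
PARTNER_TENANT = "33333333-3333-3333-3333-333333333333"  # assumption: an allowed partner
OTHER_TENANT = "44444444-4444-4444-4444-444444444444"    # assumption: not on the allow list


def tag_request(url: str, headers: dict, home_tenant: str = HOME_TENANT,
                policy_id: str = POLICY_ID) -> dict:
    """What the SSE edge does on the way out: add the TRv2 header to requests
    bound for the Entra ID login endpoints and leave all other traffic untouched.
    Returns a new headers dict; the input is not modified."""
    out = dict(headers)
    if urlsplit(url).hostname in LOGIN_HOSTS:
        out[TR_HEADER] = f"{home_tenant}:{policy_id}"
    return out


# Constructed TRv2 policy: which external tenants a user on HOME_TENANT's network
# may sign in to. Default-deny is the posture the page describes.
TRV2_POLICIES = {
    POLICY_ID: {"default": "deny", "allowed_tenants": {PARTNER_TENANT}},
}


def auth_plane_decision(headers: dict, identity_tenant: str) -> str:
    """Model of the check the login service performs for a sign-in whose
    identity belongs to `identity_tenant`.

    - No header: the service has no policy to apply. This is the gap TRv2
      leaves for traffic that never traverses the tagging proxy or client.
    - Malformed header: fail closed.
    - Sign-ins with the enforcing tenant's own identities are never restricted.
    - Anything else is checked against the policy's allow list.
    """
    value = headers.get(TR_HEADER)
    if value is None:
        return "allow:no-policy-signal"
    try:
        home_tenant, policy_id = value.split(":", 1)
    except ValueError:
        return "block:malformed-header"
    policy = TRV2_POLICIES.get(policy_id)
    if policy is None:
        return "block:unknown-policy"
    if identity_tenant == home_tenant:
        return "allow:home-tenant"
    if identity_tenant in policy["allowed_tenants"]:
        return "allow:partner-allowed"
    return "block:tenant-not-allowed" if policy["default"] == "deny" else "allow:default"


def scenario(url: str, identity_tenant: str, tunnelled: bool = True) -> str:
    """End-to-end: a client signs in to `url` with an identity from `identity_tenant`.
    `tunnelled=False` models a path that bypasses the edge entirely."""
    headers = tag_request(url, {"User-Agent": "example"}) if tunnelled else {"User-Agent": "example"}
    return auth_plane_decision(headers, identity_tenant)


if __name__ == "__main__":
    login = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    print(scenario(login, PARTNER_TENANT))            # allow:partner-allowed
    print(scenario(login, OTHER_TENANT))              # block:tenant-not-allowed
    print(scenario(login, OTHER_TENANT, tunnelled=False))  # allow:no-policy-signal
```

The last scenario is the one Universal Tenant Restrictions closes: once every managed device and branch sends its login traffic through the SSE edge, there is no untagged path left for a user to sign in to an arbitrary external tenant and move data there.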

Figure 5: Universal Tenant Restrictions

Preserve the original user source IP

Existing third-party SSE solutions hide the user's original source IP and present only the proxy's IP address to Entra ID, which degrades sign-in log fidelity and weakens Conditional Access decisions that depend on location. Our solution restores the original end-user source IP, preserving that context for Entra ID activity logs and risk assessment, and keeps backward compatibility with source IP-based location checks in existing Conditional Access policies.

[Animation: Compliance Network]

Provides fast and consistent access on a global scale.

A globally distributed proxy with points of presence close to your users eliminates extra hops and optimizes traffic routing to the Internet. Remote workers and branch offices connect to a global secure edge that is milliseconds away. Thousands of peering connections with Internet providers and SaaS services keep general Internet traffic short, and traffic for services such as Microsoft 365 and Azure enters the Microsoft WAN directly, avoiding the performance penalty of additional hops and improving the overall user experience.

Figure 7: Microsoft's global wide area network (WAN)

Gain deeper insights and network analytics with in-product dashboards

Our in-product reports and dashboards are designed to help you understand and share a complete, holistic view of the access patterns across your organization. You can monitor deployment status, identify emerging threats from the network and policy logs, and resolve issues quickly. The dashboards give an overview of the users, devices, and destinations connected through Microsoft's SSE solution, show cross-tenant access across your enterprise, list the top network destinations in use, and surface other policy analytics.

Figure 8: In-Product Dashboard

Microsoft Entra Internet Access Architecture Overview

Microsoft's SSE architecture supports both client-based and branch connectivity, which simplifies network access and security. The Global Secure Access client for endpoints is currently available for Windows and Android, with macOS and iOS coming soon. Branch connectivity relies on site-to-site connectivity from your network devices to Microsoft's SSE edge service; the Microsoft traffic profile is available for branches now, and the Internet access traffic profile is coming soon. In both the client and the branch connection model, traffic is secured and tunneled through Microsoft's SSE edge. We have also partnered with HPE Aruba and Versa, and will be working with additional SD-WAN partners, to integrate our SSE solution with their SD-WAN products.

Parallel interoperability with third-party SSE solutions

One of the distinctive advantages of Microsoft's SSE solution is its built-in interoperability with third-party SSE solutions: you can capture only the traffic that needs to go to Microsoft's SSE edge and leave the rest to another provider. For example, you can enable the Microsoft traffic profile to manage Microsoft 365 and Entra ID traffic, optimizing performance for Microsoft applications, while a different provider handles all other traffic. Traffic forwarding profiles are simple to configure and give you precise control over Internet and SaaS traffic, Microsoft 365 included. Profiles are user-aware, so a profile can be assigned to specific groups in your enterprise as needed.

Figure 9: Flexible deployment options

Conclusion

Microsoft Entra Internet Access is a powerful, identity-centric SWG that secures access to the Internet and SaaS applications. It applies Conditional Access policies across identity, endpoints, and network so that every access path is protected, adapts to the needs of a hybrid workforce, and mitigates sophisticated cyberattacks. This reflects Microsoft's commitment to leading the transition to a cloud-first environment by strengthening security while also improving the user experience.

Learn more and get started

Stay tuned for more in-depth coverage of Microsoft Entra Internet Access and Microsoft Entra Private Access. For more information, see our recent Tech Accelerator product deep dive.

Contact your Microsoft sales representative to get started, start a trial, and read the general availability announcement for Microsoft Entra Internet Access and Microsoft Entra Private Access. Share your feedback to help us improve these solutions.

Anupma Sharma, Principal Group Product Manager

Read more about this topic

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access control, and improve user experiences with a comprehensive identity and network access solution across on-premises and cloud.
