Deep Dive on Microsoft Entra Internet Access
ฝัง
- เผยแพร่เมื่อ 20 ก.ค. 2024
- A look at the Microsoft Entra Internet Access secure web gateway capability. How it works and what it can do!
🔎 Looking for content on a particular topic? Search the channel. If I have something it will be there!
▬▬▬▬▬▬ C H A P T E R S ⏰ ▬▬▬▬▬▬
00:00 - Introduction
00:24 - Why we need it!
02:00 - Microsoft Entra Internet Access
05:07 - Using Internet Access
05:48 - Installing the Global Secure Access client
08:08 - GSA client authentication
08:52 - Looking at the GSA client
10:52 - Enable Internet forwarding
13:16 - Yay RegEx :-)
15:04 - Creating Web Filtering Policies
20:36 - Create Security Profiles
24:53 - Viewing Security Profiles
28:33 - Using with Conditional Access
34:41 - How they are applied and understanding token claims
38:37 - Demo time!
40:44 - Troubleshooting
42:39 - Don't do this but what if we block part 1
43:03 - Viewing Traffic Logs
44:19 - Block impact part 2
45:38 - CA is to apply the profiles and policies NOT to itself block
46:43 - Summary
48:21 - Close
▬▬▬▬▬▬ K E Y L I N K S 🔗 ▬▬▬▬▬▬
► Whiteboard:
🔗 github.com/johnthebrit/Random...
▬▬▬▬▬▬ Want to learn more? 🚀 ▬▬▬▬▬▬
📖 Recommended Learning Path for Azure
🔗 learn.onboardtoazure.com
🥇 Certification Content Repository
🔗 github.com/johnthebrit/Certif...
📅 Weekly Azure Update
🔗 • Azure Infrastructure U...
☁ Azure Master Class
🔗 • Microsoft Azure Master...
⚙ DevOps Master Class
🔗 • DevOps Master Class
💻 PowerShell Master Class
🔗 • PowerShell Master Class
🎓 Certification Cram Videos
🔗 • Microsoft Certificatio...
🧠 Mentoring Content
🔗 • Virtual Mentoring
❔ Questions? Maybe I answered it in my FAQ
🔗 savilltech.com/faq
👕 Cure Childhood Cancer Charity T-Shirt Channel Store
🔗 johns-t-shirts-store.creator-...
👂 Enable the subtitles and from there you can translate to your native language via the auto-translate feature in settings! • TH-cam Captions and A... for a demo of using this feature.
SUBSCRIBE ✅ / @ntfaqguy
#microsoft #azuread #entra #johnsavillstechnicaltraining
Lets dive into the Entra secure web gateway solution, Microsoft Entra Internet Access! Please make sure to read the description for the chapters and key information about this video and others.
⚠ P L E A S E N O T E ⚠
🔎 If you are looking for content on a particular topic search the channel. If I have something it will be there!
🕰 I don't discuss future content nor take requests for future content so please don't ask 😇
🤔 Due to the channel growth and number of people wanting help I no longer can answer or even read questions and they will just stay in the moderation queue never to be seen so please post questions to other sites like Reddit, Microsoft Community Hub etc.
👂 Translate the captions to your native language via the auto-translate feature in settings! th-cam.com/video/v5b53-PgEmI/w-d-xo.html for a demo of using this feature.
Thanks for watching!
🤙
I just do not know what we should do without these very easy to understand videos , Microsoft documentation only make sense after watching John's video. I guess these days Microsoft documentation is too much talk and heavy to understand . Thanks John
what a successor vid to the first vid on global secure access!
thanks so much John!
Waited for this. You never disappoint :)
Very useful. You seem to be using an updated version of the client that I am. The version I used didn't really show if you were connected to the services or not. This is very welcome.
Great Video John! Very interesting. I can see this possibly replacing our Forcepoint Web Filter Agents on our end user devices?!
Looks like an interesting challenge to services such as CloudFlare Argo tunnels and Tailscale networks, as well as traditional VPNs with split tunnelling.
Interesting tech, could solve some problems in my environment thanks for the walk through!
You bet!
Thanks for this, very fun demo and great overall video.
Glad you enjoyed it!
Awesome video!! lot of useful information!. Thank you!!!
Glad you enjoyed it!
great content as always John, qq..does the 65000 weighted profile trump all/any other policy (possibly conflicting) setting ?
thanks in advance and happy new year !
no its the lowest possible priority as I said in the video. Anything else overrides it.
Thanks John
***Merci beaucoup*** Thanks John ***
Huge news!
Very clear! Thx
You're welcome!
This is great! Wish it can go to all different browsers such as google chrome and Firefox
This is within the OS. Nothing to do with which browser you are using.
Thank you!
Welcome!
Thanks for another great demo. I am assuming we can add block all rule to priority 6500 security profile to block any traffic that is outside the explicit rules.
Can add whatever you want but be careful you don't block things needed for authentication etc to function :-) You can easily break things if too agressive.
@@NTFAQGuy I was thinking more along the lines of traditional firewall rules where we explicitly allow traffic and then block everything else via default deny all rule in the end. I will look for the documentation on traffic/ports/rules needed for authentication.
Remember most firewalls are stateful so a response to an outbound works. Here you are blocking access to sites hence you need to give a lot more consideration.
This is wonderful, however this breaks internal applications causing a DNS issues that I am still trying to determine how to fix this.
This is really interesting, can this be used to access Azure SQL databases? We have an issue at our company where we need to VPN to our office to access SQL databases and this causes performance issues
you are mixing up internet and private access.
Signing out of the agent gives unfiltered internet access? I assume sign out capability will be restricted for standard users?
Right, roadmap item.
I was view #1
ROFL. Congrats
I guess authentication to Entra is required for the whole thing to work then. Shame we still authenticate to on-premise DCs
How the machine is going to recover if the global admin accidently applied Entra ID Conditional Access Policy with Block control? Because now local client is set up to Block Internet Access app.
Well you saw me undo it in the demo.
@@NTFAQGuy thanks for prompt response and covering this issue, asked my question too fast :) still watching.
So in case the user got accidently blocked by Entra ID CA policy, all need to be done is to sign out and GA to fix Entra ID CA applied to Internet access
Is Entra Edge = Microsoft’s Security Service Edge (SSE) solution ?
Yes, I do mention that in the video.
surprised it doesn’t issue a ‘sorry/denied’ page
It does if http. You see that in demo. This is not a browser extension so tls is encrypted which means more difficult to inject a message from the OS into a browser page I suspect.
Feels like OpenDNS 18 years after?
OpenDNS only in the sense of traffic filtering. OpenDNS manages filtering on a single IP and can be skirted by users updating their DNS server. This is far more advanced than OpenDNS. This can be used to manage traffic granularly by machine across your entire enterprise.
it's really web filtering 1.0. back when the internet was flat and single purposed.
This is a great video. I was wondering about the
If MDE(Defender for Endpoint)'s webfiltering and Entra GSA's webfiltering policies collide, who wins?
Guess would be most restrictive. Think layers of blocking. If any blocks you can’t get to the target.
That's not the case. Endpoint would have first dibs since it's hooked into the browser. the SSE client doesn't do anything until the edgeSWG has access to the connection.@@NTFAQGuy