Course: Microsoft Security Essentials: Concepts, Solutions, and AI-Powered Protection

Microsoft Entra Global Secure Access

- [Instructor] Microsoft Entra Global Secure Access helps organizations manage controlled access to software as a service, SaaS, applications and private corporate resources. From a security point of view, it delivers the key capabilities of a security service edge solution. What is security service edge, or SSE? It's a cloud-based service that ensures safe access to the internet, cloud services, and private resources from anywhere. Security service edge includes several key services: Cloud Access Security Broker, CASB, for securing cloud applications and data; Secure Web Gateway, SWG, for filtering internet traffic, blocking harmful websites, and enforcing corporate policies; and Zero Trust and Network Access, or ZTNA, for allowing remote users to access internal resources based on zero trust principles. While mapping these SSE services to Microsoft products, the matching solutions are Microsoft Defender for Cloud Apps, Microsoft Entra Internet Access, and Microsoft Entra Private Access. Also, Microsoft Entra Global Secure Access is the unifying term that includes both Microsoft Entra Internet Access and Private Access. Here's a diagram from Microsoft, which provides an overview of Microsoft Entra Global Secure Access. We can see Global Secure Access unifies Microsoft Entra Internet Access and Private Access. It's built on zero trust principles. It works with identities, endpoints, and remote networks to route network traffic and provide secure access to various environments such as Microsoft 365, the internet, and private places. You can replace traditional VPNs with Microsoft Entra Private Access to securely connect to your corporate network from anywhere. To access private resources, you will create a special enterprise application. It works like a container for your resources. You can decide which resources to add to the container. The application has a network connector, acting as a bridge between the Private Access service and the resources.
There are two ways to set up Private Access: Quick Access and Per-App Access. For Quick Access, you create one Quick Access app and add resources to it. All resources share the same access policies applied to this app. You can use a fully qualified domain name, FQDN, IP addresses, IP ranges, and ports to define your private resources. This information is called Quick Access app segments. If you need more granular controls, for example, having different access policies for different private resources, you will use Per-App Access. You create multiple Global Secure Access apps instead of a single Quick Access app, then add your private resources to different apps based on their access requirements. Correspondingly, each app has its own app segments, which is why this method is called Per-App Access. Microsoft Entra Global Secure Access also provides a dashboard with various widgets, such as Global Secure Access Snapshot to summarize users, devices, and the destinations with captured network traffic; alerts and notifications to monitor suspicious activities; usage profiling to display usage patterns for network traffic; cross-tenant access to show the number of users and devices accessing other tenants; web category filters to highlight top categories of web content that are blocked or allowed; and device status to show the active and inactive devices. Now let's look at Global Secure Access in the Microsoft Entra admin center. On the dashboard page, you'll find various widgets, for example, Global Secure Access Snapshot, alerts and notifications, usage profiling, and many others. To get started, you need to enable traffic forwarding profiles. Under Connect, click Traffic Forwarding. You can configure profiles for Microsoft traffic, private access, and internet access. You can link Conditional Access policies to the profile and assign users and groups. Users can download the Global Secure Access client to their devices.
The client will tunnel traffic from the device to the Global Secure Access Service.
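The Quick Access versus Per-App Access distinction described in the lecture, as an added example that is not part of the course or of Microsoft's tooling: a small Python model of app segments (FQDN, single IP, CIDR range, port ranges, protocol) that works out which app, and therefore which linked Conditional Access policy, a given destination falls under, and flags segments that overlap across apps. App names, segment values, and policy names are constructed; the wildcard-FQDN handling is an assumption of this model, not a statement about the product.

```python
"""Toy model of Global Secure Access app segments (constructed example, not Microsoft code)."""
import ipaddress
from dataclasses import dataclass

ANY_PORT = ((1, 65535),)


def _fqdn_covers(pattern: str, host: str) -> bool:
    """Exact FQDN match, or a '*.suffix' pattern covering any name under suffix.
    (Wildcard handling here is a modelling assumption, not product behaviour.)"""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


@dataclass
class AppSegment:
    """One app segment: an FQDN, a single IP, or a CIDR range, plus port ranges."""
    destination: str                 # "hr.corp.example", "10.20.0.5", "10.20.0.0/16"
    ports: tuple = ANY_PORT          # inclusive (low, high) pairs
    protocol: str = "tcp"

    def matches(self, host: str, port: int, protocol: str = "tcp") -> bool:
        if protocol != self.protocol or not any(lo <= port <= hi for lo, hi in self.ports):
            return False
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(self.destination, strict=False)
        except ValueError:           # one side is not an IP literal: compare as FQDN
            return _fqdn_covers(self.destination, host)


@dataclass
class PrivateAccessApp:
    name: str
    segments: list
    policy: str                      # label of the Conditional Access policy linked to the app


def resolve(apps, host, port, protocol="tcp"):
    """(app, policy) pairs whose segments cover the destination. One hit is the
    normal case; several hits mean overlapping segments and an ambiguous policy."""
    return [(a.name, a.policy) for a in apps
            if any(s.matches(host, port, protocol) for s in a.segments)]


def _ports_overlap(a, b):
    return any(lo1 <= hi2 and lo2 <= hi1 for lo1, hi1 in a for lo2, hi2 in b)


def _dest_overlap(d1, d2):
    try:
        return ipaddress.ip_network(d1, strict=False).overlaps(ipaddress.ip_network(d2, strict=False))
    except ValueError:
        return _fqdn_covers(d1, d2) or _fqdn_covers(d2, d1)


def overlapping_apps(apps):
    """Pairs of apps that claim the same destination/port/protocol. Worth checking
    before relying on per-app policies, since an overlap makes the effective policy ambiguous."""
    hits = set()
    for i, a in enumerate(apps):
        for b in apps[i + 1:]:
            for s in a.segments:
                for t in b.segments:
                    if (s.protocol == t.protocol and _ports_overlap(s.ports, t.ports)
                            and _dest_overlap(s.destination, t.destination)):
                        hits.add((a.name, b.name))
    return sorted(hits)


# Quick Access: one app, every resource inherits the same linked policy (constructed values)
QUICK_ACCESS = [PrivateAccessApp("Quick Access", [
    AppSegment("10.20.0.0/16", ((22, 22), (3389, 3389))),
    AppSegment("hr.corp.example", ((443, 443),)),
    AppSegment("*.sql.corp.example", ((1433, 1433),)),
], policy="CA-RequireCompliantDevice")]

# Per-App Access: the same resources split into apps with their own policies (constructed values)
PER_APP = [
    PrivateAccessApp("Admin-SSH-RDP", [AppSegment("10.20.0.0/16", ((22, 22), (3389, 3389)))],
                     policy="CA-RequirePhishingResistantMFA"),
    PrivateAccessApp("HR-Portal", [AppSegment("hr.corp.example", ((443, 443),))],
                     policy="CA-RequireCompliantDevice"),
    PrivateAccessApp("SQL-Servers", [AppSegment("*.sql.corp.example", ((1433, 1433),))],
                     policy="CA-RequireCompliantDevice"),
]

if __name__ == "__main__":
    for host, port in (("10.20.5.7", 3389), ("db1.sql.corp.example", 1433), ("hr.corp.example", 80)):
        print(host, port, "quick:", resolve(QUICK_ACCESS, host, port), "per-app:", resolve(PER_APP, host, port))
    print("overlaps:", overlapping_apps(PER_APP))
```

With the Quick Access layout every destination resolves to the one shared policy; with the per-app layout the RDP/SSH range gets its own stronger policy while the HR portal and SQL hosts keep the device-compliance one. Running `overlapping_apps` after adding a broad catch-all app (for instance a whole /16 with all ports) shows why overlapping segments undermine the point of Per-App Access.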
