Global Secure Access: Is it for the SMB?

Back to Blog
Global Secure Access for the SMB
16Apr2024

Global Secure Access: Is it for the SMB?

A couple of months ago, I presented a session on Microsoft Entra’s Global Secure Access (GSA), which is really two products under a single unifying banner.

Diagram of the Global Secure Access solution, illustrating how identities and remote networks can connect to Microsoft 365, private, and public resources through the service.
Image credit: Microsoft

Almost nobody in the audience had heard of Global Secure Access before. Granted, it was (and still is) fairly new, but I was expecting this announcement to make a bigger “splash” than it ultimately did. Especially in the SMB space, there doesn’t seem to be much awareness of it yet. Also to be fair, since this is still in preview, I would not necessarily recommend it for production at this time, but I do think it is something we should be keeping an eye on in the long term.

Is it just a VPN?

Some of the tech blogs out there are making a comparison between this product and legacy Virtual Private Networks, as if this were just a “Next-Gen VPN,” but this isn’t quite on the mark. Technically, GSA is a Security Service Edge (SSE) product. Microsoft themselves describe this as a “cloud-delivered network perimeter” that is “identity-aware” and integrated with their security ecosystem including Conditional Access and Microsoft Defender for Cloud Apps (Source: What is Global Secure Access (preview)? – Global Secure Access | Microsoft Learn).

I will briefly add here that, as usual, Microsoft’s marketing is a few steps ahead of their engineering department. Based on my testing so far, some of the promises of this product aren’t fully realized yet (but again, it is still in preview). In a nutshell, the solution leverages the Global Secure Access client, which you install on endpoint devices so that it can intercept and forward the traffic to Microsoft’s Security Service Edge (you can also configure your own network edge devices to forward their traffic as well). The GSA service can handle traffic for both private (e.g., on-prem) resources, and public resources, such as Microsoft 365 and other apps and websites on the Internet.

Microsoft’s stated goal with GSA is bringing the network edge–policies which you might normally enforce on a firewall–down to the endpoint itself. The policies are managed in the cloud, rather than on your conventional network perimeter. This has some obvious benefits, like being able to apply traffic policies no matter where in the world the device is connected (it doesn’t have to be behind a corporate firewall or connected to a VPN). The “perimeter” is therefore everywhere and anywhere that you happen to be. Which is pretty awesome.

Microsoft Entra Internet Access is Where it’s At

Global Secure Access includes both Microsoft Entra Private Access, and Microsoft Entra Internet Access. In the SMB, we are generally trying to get out of the on-premises hosting game, so the “Private” side of this product will find a much smaller audience here (not that the need doesn’t exist at all, it just won’t be as prevalent). However, with regard to the Internet Access product, the appeal should be universal; there are some tremendous benefits that the small and mid-sized business crowd would be remiss not to explore.

When you configure Global Secure Access from the Microsoft Entra portal, there are three traffic forwarding “profiles” that we have to work with out of the box:

GSA traffic profiles

I have enabled both the Microsoft 365 access profile, and the Internet access profile. When you switch these profiles on, Microsoft Entra instructs the Global Secure Access client to forward these types of traffic through Microsoft’s Security Edge, instead of going directly to the resource out on the world wide web. In turn, that gives you the opportunity to apply Conditional Access policies against that traffic in the cloud. Now access to these destinations will be contingent on the rules you set up.

Linking a Conditional Access Policy to the Internet Profile

For example, if we are targeting the Internet traffic profile, we can assign Global Secure Access “security profiles” to enforce web filtering.  This is similar to the web filtering we get with Microsoft Defender for Endpoint/Business, but with this solution we gain much more granular control using Conditional Access, which enables us to target users and other context rather than just ‘device groups’ as in MDE. Also, we can apply “priority” to policies, much like you would on a firewall.

Configuring priority on security profiles

Now of course, none of these policies mean anything unless the GSA client is installed on your endpoint devices. The client is available for download via the Microsoft Entra portal, and then we can accomplish the deployment org-wide right from Intune.

Deploying the GSA client via Intune

The other benefit of course, is that all this client traffic is centrally logged and visible now as well.

The GSA client forwards all traffic logs to Microsoft Entra

Stop Adversary-in-the-Middle attacks

Yet another major benefit of adding GSA to your Conditional Access toolkit is that you have an additional verification datapoint. That is, you can create a policy that will block traffic if the GSA client is not enabled or present, in other words, if the access request didn’t “arrive” via the GSA edge, then you don’t get access.

All compliant network locations is added for use in policies!

How does this work? When you configure GSA in your tenant, it will automatically create a new Named location called “All Compliant Network locations.” This object is now available for you to use in your policies (you can optionally set this as a “Trusted” location if you have existing policies that leverage this feature already).

Block access to Microsoft 365 except from Compliant networks (GSA-connected)

In your policy, you would set the location condition to exclude All compliant network locations (i.e., GSA-connected), and then set the access controls to Block access. Meaning, if you aren’t connected to the GSA edge, then your access will be denied. And that means adversary-in-the-middle attacks (such as those made possible by Evilginx) are instantly thwarted, because the adversary’s device is not going to be connected to the security edge.

Access is blocked by my compliant network policy

(Note: at this time, this policy is only supported for Office 365 Exchange Online and SharePoint Online).

Then there is the ability to enforce Universal Tenant Restrictions, which I mentioned briefly in a previous blog post.  In short, this means that you can prevent users from signing into other Microsoft 365 tenants, and protect corporate information from leaking into external organizations. This is optional to turn on, and it won’t be for everyone, but where it is required, it will be a godsend.

Universal tenant restrictions prevents user from signing into a different tenant

Proceed with caution

I have found a few buggy things with GSA that I am (mostly) confident Microsoft will be able to work out, and hopefully before it goes to General Availability (it’s still in preview now). For example, when I use Outlook on the web, I have noticed that I cannot access the files in my Groups. The reason, I suspect, is that Outlook is not forwarding its requests via the GSA edge service. So for now at least, the “Compliant networks” policy comes with some annoying side effects.

The compliant networks policy comes with some annoying side effects

When I was setting it up for myself I also ran into a couple of hiccups, for example, if IPv6 is enabled it may become an issue since only IPv4 traffic is supported at this time for the Internet access profile (and also, only ports 80 and 443 are forwarded, so any sites with a different port number like 8080 or whatever would not be picked up by the client). And there are some other limitations as well.

Luckily, the GSA client has a handy little diagnostic tool built into it, which helped me identify and iron out (most) of the issues.

Global secure access client diagnostics

Conclusion

So again, turning the Global Secure Access profiles on in the Entra portal does not by itself impact anything, until you install the Global Secure Access client. Then you would begin to actually enforce the corresponding policies using Conditional Access. If you decide to try this out in your own organization, I would strongly recommend constraining it to a pilot group, and know that you could run into issues, especially when first setting it up, and especially while it is still in preview.

I will have a course out soon that covers the setup steps and various policies that are possible today (if you are a member of SquareOne, then you have already seen it). Long term I hope Microsoft takes this much further–I would like to see full egress filtering added eventually for instance. I have no idea if this is on the roadmap or not, but, even with the Conditional Access capabilities we have today, this product is showing a lot of promise, and if they can iron out some of the bugs that remain with the noncompliant networks policy by the time this goes to GA, I would certainly consider adopting it as part of my standard deployment in the SMB.

The only other roadblock I can imagine, is if the licensing requirements for this end up being different than they are now; during the preview at least, all I need is Microsoft Entra ID P1 (which is already part of Business Premium). If there are additional licenses required to use this product in the future (does anyone know this?), then the SMB certainly is less likely to adopt it. But I do not know the answer to this question–so it remains to be seen.

News, Opinion , , , , , 1 Comment
Share:

Comment (1)

  • laflammemarc Reply

    When I first read about this product and looked into it, it really does sound like an always-on split-tunnel VPN but with more granular capabilities in being able to tie into identity. I wonder how much it will cost for ingress/egress as those “hidden” costs are always what comes out to bite you, especially with SMB.

    April 17, 2024 at 8:57 am

Leave a Reply

Back to Blog

Related Posts

06Feb

We have to talk about Intune

There was a time, not long ago, when I would have conversations with others like me, who work for other managed service providers around the US--we would all say the same thing: "We don't want any part of Intune--we have our own RMM tools..." Let me... read more
05Apr

Meet Microsoft 365 Business: The new Small Business Server(less) Solution

I've been waiting for this moment for a long time. And I can't tell you how happy I am that it is finally here. Today we're going to talk about Microsoft 365 Business (not Office 365). Actually, I've been sitting on it for a while, because... read more
19Nov

Windows Virtual Desktop (WVD) vs. traditional RDS or VDI

I want to talk about Windows Virtual Desktop (WVD) as the successor to on-prem deployments of Remote Desktop Services (RDS), and Virtual Desktop Infrastructure (VDI). Many small and mid-sized businesses are already familiar with using Remote Desktop or similar (e.g. Citrix, VMware View, etc.). Usually... read more
10Nov

How Skype for Business changed the way I work

This platform can do way more than what I'm using it for right now (I don't have the extra fancy features where you can get a phone number, call land lines, forward to your cell, etc.). My understanding is that Skype can do all that,... read more
06Jan

Announcing the Practice Development Community and Monthly Educational Series

Today is a big day here at ITProMentor.com. We are entering a new year, and we have a big agenda to go along with it! In my recent surveys many of you indicated interest in gathering together and forming a community. As well, more... read more
22Aug

Why MDM for Office 365 may be obsolete, with updates to Exchange Active Sync

Disclaimer: This is not breaking news, what I am about to describe has been available for a while, but I just haven't gotten around to blogging about it. Previously I wrote about MDM for Office 365, and I had to update that article since Microsoft... read more
03Mar

My Top 5 Favorite Microsoft Cloud Solutions for the SMB

1. Office 365 (Even if you thought "I already use it") Office 365 is, to put it quite bluntly, the new gold standard in productivity at every level of the Enterprise. In the SMB space especially, this is so much the case that I cannot emphasize it strongly... read more
19Sep

The Measure of Success

How do you measure success? In the world of consulting, we live and die by the billable hour. Utilization. But I haven't watched that metric for myself--ever. I've been told to, of course. But as with many conventions, I generally ignore it. These days, I'm lucky enough to... read more
13Oct

Goodbye, Exchange 2010 (And advice moving forward)

The end of an era. Exchange 2010 is End of Life today--no more security updates, no more extended support. I know there are quite a few servers left out there in the world, but many of them are not even in use (or they were... read more
10Jan

Busting the myth behind Secure Score

For someone who writes so extensively on Microsoft / Office 365 products, especially with regard to security, I haven't said much about their Secure Score tool on this site yet. Probably I have mentioned it once or twice, but I haven't opined on it, officially. So... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me