
What is Microsoft Entra Internet Access?


Microsoft Entra Internet Access is a security product that helps protect people and businesses when they use the internet and cloud apps. It is part of the Microsoft Entra Suite, which focuses on identity-based security. This means that Entra Internet Access uses information about each user, like who they are and where they are connecting from, to decide what they can access and to keep them safe from online threats. Unlike traditional security systems that treat everyone the same, Entra Internet Access adapts to each user individually, making it more effective at stopping attacks and ensuring companies stay secure.


Key Features:

01. Identity-Centric Secure Web Gateway (SWG):

  • Comprehensive Protection: The Secure Web Gateway protects users from harmful websites and online threats using identity-based rules. This means the security adapts to each user to provide personalized protection.
  • Context-Aware Security: Uses context-aware filtering and policies to dynamically adapt to the security needs based on the user's identity and access patterns.

02. Conditional Access Policies:

  • Unified Access Controls: Entra Internet Access plugs into Conditional Access, so the same policy engine that governs sign-in to applications also governs which internet destinations a user may reach. Security profiles are attached to Conditional Access policies, which is how one group can receive different web filtering from the rest of the tenant, whether the user is on the corporate network or elsewhere.
  • Adaptive Access: The system constantly checks access conditions and adjusts security levels based on the risks. For example, if a user is connecting from an unfamiliar location, the system might require additional authentication before allowing full access, while a connection from a trusted device might have fewer restrictions. This means users can safely access resources no matter where they are, following Zero Trust principles.

03. Threat Protection:

  • Web Content Filtering: The platform blocks harmful or unsafe websites, making sure users only visit safe sites. Admins can set rules to allow or block certain sites for different groups, like blocking social media for some employees.
  • TLS Inspection: Decrypts HTTPS traffic at the gateway so that filtering rules can see full URLs and content rather than only the hostname presented in the TLS handshake. This requires deploying to managed devices a certificate authority that the gateway uses to re-sign server certificates; destinations that pin certificates, or that carry data you must not decrypt, should be excluded from inspection.

04. Global Scalability and Performance:

  • Distributed Network Edge: With many network points around the world, Entra Internet Access makes sure that internet traffic is fast and reliable. This means users get a quick and secure connection no matter where they are.

Internet Access Components

Entra Internet Access has two main parts that work together to make both general internet traffic and Microsoft services run smoothly:

  • Microsoft Traffic Tunnel: This part is made specifically for Microsoft services, like Microsoft 365, to make sure they run faster and better by reducing latency and improving routing efficiency. This helps users get the best experience when accessing Microsoft services, with faster load times and smoother connections.
  • Secure Web Gateway (SWG): This part handles other internet traffic and applies filtering and blocking rules to keep users safe while browsing.

How It Works

  • Client Installation: Admins download the Global Secure Access client from the Entra Admin Center and deploy it to devices. The client captures traffic that matches the enabled forwarding profiles and tunnels it to the Global Secure Access edge; filtering is enforced in the service, not on the device.
  • Web Content Filtering: Admins create policies that block categories of websites, such as social media, and allow exceptions for groups, such as Marketing, that need them. Policies are grouped into security profiles, each with a priority, and the first matching rule determines the verdict, much as in a traditional web proxy.
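The following is an added example, not Microsoft's code, modelling the filtering scenario above: a baseline policy blocks social media for everyone, while a profile assigned to the Marketing group (in the product, that assignment is made through a Conditional Access policy) allows it. The ordering assumptions are mine: lower priority numbers evaluate first, the first matching rule decides, the baseline profile is evaluated after every group-assigned profile, and unmatched traffic is allowed. Domains, categories, group names and policy names are constructed sample data.

```python
"""Model of identity-aware web content filtering with prioritized policies.

Added example, not Microsoft's code. Assumptions: lower priority numbers are
evaluated first, the first matching rule decides, the baseline profile is
evaluated after every group-assigned profile, unmatched traffic is allowed.
Domains, categories, group names and policy names are constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed stand-in for the product's web category lookup.
CATEGORIES = {
    "social.example": "SocialNetworking",
    "photos.social.example": "SocialNetworking",
    "news.example": "News",
    "malware.example": "Malware",
}


@dataclass
class Policy:
    name: str
    action: str                                      # "allow" or "block"
    categories: set = field(default_factory=set)     # web category rules
    fqdns: list = field(default_factory=list)        # FQDN glob rules

    def matches(self, host: str) -> bool:
        host = host.lower()
        if CATEGORIES.get(host) in self.categories:
            return True
        return any(fnmatch(host, pat.lower()) for pat in self.fqdns)


@dataclass
class SecurityProfile:
    name: str
    priority: int                 # lower number evaluates first
    policies: list                # (policy priority, Policy) pairs
    groups: set = field(default_factory=set)   # empty set = baseline, everyone

    def applies_to(self, user_groups: set) -> bool:
        return not self.groups or bool(self.groups & user_groups)


def evaluate(profiles, user_groups, host):
    """Return (action, profile name, policy name) from the first matching rule."""
    applicable = [p for p in profiles if p.applies_to(user_groups)]
    # Group-assigned profiles first (ordered by priority), baseline last.
    applicable.sort(key=lambda p: (not p.groups, p.priority))
    for profile in applicable:
        for _, policy in sorted(profile.policies, key=lambda pair: pair[0]):
            if policy.matches(host):
                return policy.action, profile.name, policy.name
    return "allow", None, None


BLOCK_MALWARE = Policy("Block malware", "block", categories={"Malware"})
BLOCK_SOCIAL = Policy("Block social media", "block", categories={"SocialNetworking"})
BLOCK_PASTE = Policy("Block paste sites", "block",
                     fqdns=["paste.example", "*.paste.example"])
ALLOW_SOCIAL = Policy("Allow social media for Marketing", "allow",
                      categories={"SocialNetworking"})

PROFILES = [
    # Baseline: no groups, applies to everyone, evaluated last.
    SecurityProfile("Baseline", 65000,
                    [(100, BLOCK_MALWARE), (200, BLOCK_SOCIAL), (300, BLOCK_PASTE)]),
    # In the product this profile would be linked to Marketing via Conditional Access.
    SecurityProfile("Marketing", 100, [(100, ALLOW_SOCIAL)], groups={"Marketing"}),
]


def decide(user_groups, host):
    """Verdict for a user (by group membership) visiting host."""
    return evaluate(PROFILES, set(user_groups), host)


if __name__ == "__main__":
    for groups, host in (({"Engineering"}, "social.example"),
                         ({"Marketing"}, "social.example"),
                         ({"Marketing"}, "malware.example"),
                         ({"Marketing"}, "files.paste.example")):
        print(sorted(groups), host, "->", decide(groups, host))
```

The point to check when building such profiles is the exemption boundary: an allow rule in a higher-priority profile wins over every baseline block it matches, so the Marketing allow names only the SocialNetworking category, and Marketing users still get malware and paste sites blocked because that rule never matches them. Running the evaluator against a table of (group, host) pairs before linking a profile to Conditional Access catches over-broad allows.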

Use Case Examples

  • Conditional Access Policies: Entra Internet Access applies Zero Trust principles through Conditional Access rules for users and devices. These rules decide which websites users can reach based on their identity and risk level. Imagine an employee who is traveling and needs to access company data. She signs in from an unfamiliar airport Wi-Fi network. Because this network is considered risky, the Conditional Access policy requires her to complete multi-factor authentication to prove her identity. Once verified, she is given only limited access until further trust is established, such as connecting from a known network or a compliant device.
  • Just-in-Time (JIT) Groups: For sensitive tasks such as accessing financial data, Privileged Identity Management (PIM) for groups can grant group membership just in time. This limits how long people hold access to critical systems: users get access only when they need it, which lowers the risk of unauthorized access. Imagine a scenario where an employee named John needs to access the payroll system to complete month-end processing. John requests access through a secure portal, which sends his request for manager approval. Once approved, John is granted temporary membership of the group that holds payroll access. After John completes his work, the membership expires and the system automatically revokes his access, ensuring that sensitive data remains protected.

Insights

1. Traffic forwarding 

Traffic Profile Priorities:

There is a priority system for traffic profiles:

  1. Microsoft traffic comes first.
  2. Private access second.
  3. Internet traffic third.

Impact of Enabling Internet Access Alone:

If you enable the Internet Access profile but leave the Microsoft traffic profile disabled, all Microsoft-related traffic (such as Microsoft 365 services) is tunneled through the Internet Access tunnel.
This works, but you lose the optimizations the Microsoft traffic profile applies to that traffic, so Microsoft 365 may be slightly slower. You also lose source IP restoration: when Microsoft traffic goes through the Internet Access tunnel, the user's original egress IP is not visible in the sign-in logs, so Conditional Access location conditions and Identity Protection risk detections that rely on the original IP no longer see it.

Normally, with the Microsoft traffic profile, you would get:

  • The original egress IP from the user.
  • The IP from the Secure Service Edge (the “last mile” IP), showing how it exited through Microsoft’s global network.

Recommendation: Always turn on the Microsoft traffic profile when you use Internet Access to get the best performance and keep track of the original IP address.
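As an added example, not Microsoft's client code, the following Python models the forwarding-profile evaluation order given above (Microsoft traffic, then Private Access, then Internet Access) and the consequence of leaving the Microsoft profile disabled: Microsoft 365 destinations fall through to the Internet Access tunnel and lose source IP restoration. The FQDN and CIDR rule lists are constructed samples; the real profiles carry far more destinations.

```python
"""Model of traffic-forwarding profile selection in Global Secure Access.

Added example, not Microsoft's client code. Evaluation order (Microsoft,
then Private Access, then Internet Access) follows the text; the destination
rule lists are constructed samples, and the source_ip_restored flag models
the source-IP-restoration behaviour the text describes.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
import ipaddress


@dataclass
class ForwardingProfile:
    name: str
    enabled: bool
    fqdns: list = field(default_factory=list)    # FQDN glob patterns
    cidrs: list = field(default_factory=list)    # CIDR strings
    catch_all: bool = False                       # Internet Access matches everything
    source_ip_restored: bool = False              # only the Microsoft profile offers this

    def matches(self, dest: str) -> bool:
        if self.catch_all:
            return True
        try:
            ip = ipaddress.ip_address(dest)
        except ValueError:  # not an IP literal, treat as a hostname
            return any(fnmatch(dest.lower(), pat.lower()) for pat in self.fqdns)
        return any(ip in ipaddress.ip_network(c) for c in self.cidrs)


def build_profiles(microsoft_enabled=True, private_enabled=True, internet_enabled=True):
    """Profiles in evaluation order. Destination lists are constructed samples."""
    return [
        ForwardingProfile("Microsoft 365", microsoft_enabled,
                          fqdns=["*.sharepoint.com", "outlook.office365.com",
                                 "*.teams.microsoft.com"],
                          cidrs=["52.96.0.0/14"],   # sample range, not authoritative
                          source_ip_restored=True),
        ForwardingProfile("Private Access", private_enabled,
                          fqdns=["*.corp.internal"],
                          cidrs=["10.0.0.0/8"]),
        ForwardingProfile("Internet Access", internet_enabled, catch_all=True),
    ]


def select_profile(profiles, dest):
    """First enabled profile whose rules match; None means the client sends it direct."""
    for profile in profiles:
        if profile.enabled and profile.matches(dest):
            return profile
    return None


def route(dest, **enabled):
    """Return (profile name, source IP restored) or None for direct traffic."""
    profile = select_profile(build_profiles(**enabled), dest)
    if profile is None:
        return None
    return profile.name, profile.source_ip_restored


if __name__ == "__main__":
    for flags in ({}, {"microsoft_enabled": False}):
        for dest in ("outlook.office365.com", "10.20.30.40", "www.example.com"):
            print(flags or "all profiles on", dest, "->", route(dest, **flags))
```

Running it shows the failure mode from the text directly: with every profile on, outlook.office365.com lands on the Microsoft 365 profile with source IP restoration; with only the Microsoft profile off, the same destination is swallowed by the Internet Access catch-all and the restored-IP flag is gone. A destination that no enabled profile matches is sent direct, which is the other case worth checking when a profile is toggled off.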

2. Web Content Filtering

Microsoft recognizes that some features in SSE solutions, like App Discovery and Web Content Filtering, might overlap with functionalities in products like Cloud App Security and Defender for Endpoint. However, each solution provides slightly different value. For instance, Web Content Filtering at the endpoint level via Defender for Endpoint does not provide TLS termination, while the SSE solution does.

Long-term, Microsoft aims to unify these solutions, allowing policies to be configured once and applied consistently across both endpoint and network levels, providing a seamless and holistic security approach. This will ensure that users have a single pane of control, reducing complexity and improving security effectiveness across the Microsoft ecosystem.
