
Secure access to your Microsoft cloud with Global Secure Access (GSA) and Conditional Access part 1

Vlad Johansen

Updated: Jan 29

Hello guys

Today's blog post is about Global Secure Access (GSA) and its three features. I will briefly explain what GSA can help with, then cover the requirements and prerequisites. We will also dive into GSA's Microsoft traffic profile feature.


  1. Microsoft Traffic Profile: This feature manages traffic specifically for Microsoft services like Exchange Online, SharePoint Online, and OneDrive. It ensures that traffic to these services is securely routed and monitored, providing advanced security controls tailored to Microsoft applications.

  2. Internet Access: This feature routes all internet traffic through the Global Secure Access client, allowing organizations to control and monitor which internet sites can be accessed. It includes web content filtering and the ability to exclude specific traffic based on IP addresses, subnets, and Fully Qualified Domain Names (FQDNs).

  3. Private Access: This feature replaces traditional VPNs with a Zero Trust Network Access (ZTNA) solution. It securely connects users to private applications and resources, whether on-premises or in the cloud, without the need for a VPN. It leverages Conditional Access policies to enforce security controls and provides a seamless user experience.



Requirements and prerequisites: Global Secure Access Microsoft traffic profile


  • A user license that includes Entra ID P1 is enough, so you can use it with Business Premium or Microsoft 365 E3.

  • A Windows 10/11 machine that is Entra ID joined.

  • Android and iOS/iPadOS devices need to be managed by Intune; personally owned devices with an assigned work profile are enough.

  • The Global Secure Access client needs to be pushed as a Win32 app with Intune on Windows machines, or installed manually with local admin rights.

  • The Defender application needs to be installed manually on Android/iOS/iPadOS devices or pushed as a store app with Intune. PS: the GSA client on Apple devices is still in preview.


Requirements and prerequisites: Internet Access and Private Access


Same as above, but you will need extra licenses on top of the ones you already have (even E5 is not enough):


  • Standalone Private Access or Internet Access license per user

  • Entra Suite license per user


Users need to have an Entra ID P1 or P2 license (Business Premium and up) before purchasing this.


PS: In this blog post we will only look at the Microsoft traffic profile, not Internet Access and Private Access. Hopefully I will get enough time to show you those later.


Let's configure our Microsoft traffic profile in Entra ID first


  1. Go to entra.microsoft.com and log in as at least Global Secure Access Administrator.

  2. Navigate to Global Secure Access in the left pane menu --> Dashboard --> Activate.

  3. Now go to Connect --> Traffic forwarding and activate the Microsoft traffic profile.



  1. Press User and group assignments and assign this profile to all your users or to a group. This is only for assignment purposes later; it just means that every user in your tenant can now be scoped to use this profile.

    Leave the rest as is; it's not necessary to configure more settings here now.


    Linked Conditional Access policies just tells us which policies can be used with GSA.


    Microsoft traffic policies can be configured if you want to exclude some Microsoft services from sign-ins. We'll leave this at the default (all) because we want to cover all available Microsoft cloud services.


  2. Now, go to Settings --> Session management at the end of the Global Secure Access menu.

    This setting lets us use our Conditional Access policies with GSA and creates the Compliant network location under Named locations in Conditional Access.


  1. Now let's create a Conditional Access policy for our test user. We want to make sure that the GSA Test user can only access Microsoft services through the GSA client; all logins without the GSA client will be blocked.


    I called my CA policy like this: CA208-UserGSATest-IdentityProtection-Office365Apps-BLOCKAccessWithoutGSAClient


    just because I use Claus Jespersen's CA framework to have a good CA structure on my tenant, but feel free to use other names of course. Remember that the naming needs to reflect what your policies do. It's important to have good scope descriptions like users, apps, platforms etc. This will make your life much easier when you need to troubleshoot something!

    Ok, so... I have included my GSA Test User in this policy. There are no exclusions.

    Target resources - Include is set to Office 365.

Network locations is configured to Yes and Any network or location is included, to make sure that we don't allow access from any IPs except GSA's approved IPs, which we exclude here:

Excluded: All Compliant Network locations.


And of course we will Block access and Save.
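The same policy built with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, that the test user's UPN is a placeholder you replace, and that the compliant network named location is the one Entra creates when Session management is enabled (looked up here by its display name, which is an assumption about how your tenant names it). The policy is created in report-only state so you can confirm the blocks in the sign-in logs before switching it to enabled.

```powershell
# Added example (not from the original post). Assumptions: Microsoft.Graph module installed,
# placeholder UPN and policy name below, compliant-network named location found by display name.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

$testUserUpn = "gsa.test@contoso.example"   # placeholder: your GSA test user
$policyName  = "CA208-UserGSATest-IdentityProtection-Office365Apps-BLOCKAccessWithoutGSAClient"

# Resolve the test user to its object id (includeUsers takes ids, not UPNs).
$user = Get-MgUser -UserId $testUserUpn -Property Id, UserPrincipalName

# The compliant network named location only exists once
# Global Secure Access > Settings > Session management has been enabled.
$compliantNet = Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.DisplayName -eq "All Compliant Network locations" }
if (-not $compliantNet) {
    throw "Compliant network named location not found; enable GSA Session management first."
}

$policy = @{
    displayName   = $policyName
    # Report-only first; change to "enabled" once sign-in logs show the expected blocks.
    state         = "enabledForReportingButNotEnabled"
    conditions    = @{
        users        = @{
            includeUsers = @($user.Id)
            excludeUsers = @()   # the post uses no exclusions; an emergency-access account is the usual addition
        }
        applications = @{ includeApplications = @("Office365") }
        locations    = @{
            includeLocations = @("All")             # Any network or location
            excludeLocations = @($compliantNet.Id)  # traffic that arrived through the GSA client
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```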

  1. Now, let's test the login from a random Windows computer. In my case it will be my work Windows 11 computer, which is managed by my company.


    Result when signing in to Outlook on the web from Windows:

The result when signing in to OneDrive on iPhone:


  1. Now let's test login from my Entra joined Windows machine.

    The GSA client app is installed and it's on. I installed the client manually, but as I mentioned before, it can also be pushed to your managed Windows devices with Intune as a Win32 app.


Let's try logging in to Outlook on the web again from our Entra joined Windows machine with an active GSA client and see if we can get in now.


SSO login went OK, aaand BINGO. We have successfully logged in to Outlook on the web with our user.

Let's test OneDrive.

Now, let's log in with the Global Secure Access client disabled.


The functionality is actually not bad, but I'm missing an easy way to create a client shortcut on the desktop from the Start menu. As of today it's only possible to do so from the installation folder. And if you start the program from the desktop, a menu window should pop up telling you if the client is off or on and so on. Maybe it's just me, but I think the user experience will be better if they fix this.

But ok, let's take a look at the other features we get with the GSA traffic profile.


  1. In the Global Secure Access menu in Entra --> Monitor --> Traffic logs we get a good overview of all our traffic through the GSA client, with source IP, FQDN, user name, etc.

    I like this one, because you have a well structured overview of every single visit, and it is of course customizable like the sign-in log overview, etc.


    Unfortunately I can't show you the functionality on iOS/iPadOS devices because my dev E5 tenant doesn't let me use Defender for Endpoint (lame), but I will cover this in part 2 later.


    Let's summarize and rate this product


    1. Good product from Microsoft and the functionality is not bad, but as I mentioned earlier, I'm missing an easy way to create a client shortcut on the desktop from the Start menu. As of today it's only possible to do so from the installation folder. And if you start the program from the desktop, a menu window should pop up telling you if the client is off or on and so on. Maybe it's just me, but I think the user experience will be better if they fix this.


    2. It would also be wonderful if Microsoft could let us install the GSA client application from the Microsoft Store.


    3. The integration with Conditional Access is amazing and is a game changer for all security admins out there. Now you can create extra layers of security on top of the ones you already have.


    4. It's lame that we can't use the Internet Access and Private Access features even with E5 licenses and need to purchase extra licenses. This should also be fixed.


    Have a nice day and week and thank you for reading.


