Enable & manage Global Secure Access for Microsoft 365 Apps on Android

With the IT landscape continually changing the way businesses operate, work from anywhere is now the new reality. Applications and data are moving into the cloud, which gives rise to the need for an identity-aware, cloud-delivered network perimeter for the modern workforce. To address this requirement, Microsoft has released Global Secure Access, Microsoft's own Security Service Edge (SSE) solution.

What is Global Secure Access?

Note: At the time of writing this blog, Global Secure Access is still in Preview.

Global Secure Access is the unified location in the Microsoft Entra admin center that brings together Microsoft Entra Internet Access and Microsoft Entra Private Access as Microsoft's Security Service Edge solution. It is built on the core Zero Trust principles: use least privilege, verify explicitly, and assume breach.

a. Microsoft Entra Internet Access

Microsoft Entra Internet Access secures access to Microsoft 365, SaaS, and public internet apps while protecting users, devices, and data against internet threats.

Key features are - 

- Prevent stolen tokens from being replayed with the compliant network check in Conditional Access.
- Apply universal tenant restrictions to prevent data exfiltration to other tenants or personal accounts including anonymous access.
- Enriched logs with network and device signals currently supported for SharePoint Online traffic.
- Improve the precision of risk assessments on users, locations, and devices.
- Deploy side-by-side with third party SSE solutions.
- Acquire network traffic from the desktop client or from a remote network, such as a branch location.
- Dedicated public internet traffic forwarding profile.
- Protect user access to the public internet while leveraging Microsoft's cloud-delivered, identity-aware SWG solution.
- Enable web content filtering to regulate access to websites based on their content categories and domain names.
- Apply universal Conditional Access policies for all internet destinations, even if not federated with Microsoft Entra ID, through integration with Conditional Access session controls.

b. Microsoft Entra Private Access

Microsoft Entra Private Access provides your users - whether in an office or working remotely - secured access to your private, corporate resources.

Key features are -

- Quick Access: Zero Trust based access to a range of IP addresses and/or FQDNs without requiring a legacy VPN.
- Per-app access for TCP apps (UDP support in development).
- Modernize legacy app authentication with deep Conditional Access integration.
- Provide a seamless end-user experience by acquiring network traffic from the desktop client and deploying side-by-side with your existing third-party SSE solutions.

In this blog, I will be covering Microsoft Entra Internet Access, specifically securing access to Microsoft 365 apps on Android end-user devices.

At a high level, the following steps need to be performed -

1. Activate Global Secure Access in the tenant. 
2. Enable a traffic forwarding profile. (In this blog I will enable Microsoft 365 traffic forwarding profile.)
3. Install and configure the Global Secure Access Client on end-user devices.

Enable Global Secure Access in the tenant

There are some pre-requisites for enabling Global Secure Access in the tenant.

- The Global Secure Access Administrator, Security Administrator, or Global Administrator role can be used to activate Global Secure Access preview features. Note: It is recommended to activate these Entra roles just in time using Privileged Identity Management (PIM) rather than holding them permanently.

- The preview requires a Microsoft Entra ID P1 license. 
- To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended. After general availability, Microsoft Entra Private Access and Microsoft Entra Internet Access might require different licenses.

To activate, follow the steps below - 

1. Sign in to the Microsoft Entra admin center.
2. Go to Global Secure Access > Connect > Traffic Forwarding and activate Global Secure Access for the tenant.

Once Global Secure Access is enabled on the tenant, move on to the next step of enabling the Microsoft 365 traffic forwarding profile.

Microsoft 365 traffic forwarding profile

With traffic forwarding profiles in Global Secure Access, you apply policies to the network traffic your organization needs to secure and manage. Network traffic is evaluated against the traffic forwarding profiles you enable, in this case the Microsoft 365 profile, which manages the following policy groups:

- Exchange Online
- SharePoint Online and OneDrive for Business
- Microsoft 365 Common and Office Online (only Microsoft Entra ID and Microsoft Graph)

To enable, follow the steps below - 

1. Sign in to the Microsoft Entra admin center.
2. Browse to Global Secure Access > Connect > Traffic forwarding.
3. Select the checkbox for the Microsoft 365 access profile.

4. To manage the details included in the Microsoft 365 traffic forwarding policy, select the View link for Microsoft 365 traffic policies. Here you can make changes to the policy actions if needed. I am going with the defaults.
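The two admin-center procedures above (activating Global Secure Access for the tenant, then enabling the Microsoft 365 traffic forwarding profile and reviewing its policies) can also be scripted against Microsoft Graph, which is useful when you want the change recorded and repeatable across tenants. The script below is an added example written for this post; it is not from the original post or from Microsoft. It assumes the beta Graph endpoints under /networkAccess (tenantStatus, onboard, forwardingProfiles and their policy links), the NetworkAccess.ReadWrite.All and NetworkAccessPolicy.ReadWrite.All scopes, and the state/trafficForwardingType values shown, all as understood at the time of writing; preview schemas can change before GA, so verify them against the current Graph reference before running this in production.

```powershell
# Added example (not from the original post): activate Global Secure Access and
# enable the Microsoft 365 traffic forwarding profile with Microsoft Graph PowerShell
# instead of clicking through the Entra admin center.
# Assumptions: beta /networkAccess endpoints, scope names, and the property values
# 'onboarded', 'inProgress', 'enabled' and 'm365' follow the beta schema as
# understood at the time of writing and may change before GA.
#
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph) and an account
# holding Global Secure Access Administrator, activated through PIM beforehand.

Connect-MgGraph -Scopes "NetworkAccess.ReadWrite.All", "NetworkAccessPolicy.ReadWrite.All"

# Return PSObjects rather than hashtables so property access and Group-Object work.
$PSDefaultParameterValues['Invoke-MgGraphRequest:OutputType'] = 'PSObject'
$base = "https://graph.microsoft.com/beta/networkAccess"

# 1. Check whether the tenant is already onboarded; onboard it if not.
$status = Invoke-MgGraphRequest -Method GET -Uri "$base/tenantStatus"
Write-Host "Tenant onboarding status: $($status.onboardingStatus)"
if ($status.onboardingStatus -ne "onboarded") {
    Invoke-MgGraphRequest -Method POST -Uri "$base/onboard" | Out-Null
    # Onboarding is asynchronous; poll until it leaves the inProgress state.
    do {
        Start-Sleep -Seconds 15
        $status = Invoke-MgGraphRequest -Method GET -Uri "$base/tenantStatus"
        Write-Host "  ... $($status.onboardingStatus)"
    } while ($status.onboardingStatus -eq "inProgress")
    if ($status.onboardingStatus -ne "onboarded") {
        throw "Onboarding failed: $($status.onboardingErrorMessage)"
    }
}

# 2. Find the Microsoft 365 forwarding profile (trafficForwardingType 'm365') and
#    enable it. The Private Access and Internet Access profiles are left untouched.
$profiles = (Invoke-MgGraphRequest -Method GET -Uri "$base/forwardingProfiles").value
$m365 = $profiles | Where-Object { $_.trafficForwardingType -eq "m365" }
if (-not $m365) { throw "No Microsoft 365 forwarding profile found in this tenant" }

if ($m365.state -ne "enabled") {
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/forwardingProfiles/$($m365.id)" `
        -Body (@{ state = "enabled" } | ConvertTo-Json) -ContentType "application/json"
    Write-Host "Enabled profile '$($m365.name)'"
} else {
    Write-Host "Profile '$($m365.name)' is already enabled"
}

# 3. List the policy links the profile manages (Exchange Online, SharePoint Online
#    and OneDrive, Microsoft 365 Common) with their current state. The post keeps the
#    defaults; printing them here records what is in force before devices start
#    forwarding traffic.
$links = (Invoke-MgGraphRequest -Method GET `
    -Uri "$base/forwardingProfiles/$($m365.id)/policies?`$expand=policy").value
foreach ($link in $links) {
    "{0,-45} {1}" -f $link.policy.name, $link.state
}
```

Run it once per tenant from an interactive session; the Connect-MgGraph prompt will ask for consent to the two scopes the first time. If you later need to change a policy action rather than keep the defaults, the same policy link objects listed in step 3 are the ones you would PATCH.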

Global Secure Access Client for Android

Note: At the time of writing this blog, Global Secure Access Client for Android is in Preview.

The Global Secure Access Client can be deployed to compliant Android devices using Microsoft Intune and Microsoft Defender for Endpoint on Android. The Android client is built into the Defender for Endpoint Android app, which streamlines how your end users connect to Global Secure Access. 

The Global Secure Access Client for Android supports deployment for the legacy Device Administrator scenario and for Android Enterprise. The following Android Enterprise scenarios are supported:

- Corporate-owned, fully managed user devices
- Corporate-owned devices with a work profile
- Personally-owned devices with a work profile (covered in this blog)

I am not covering the steps involved in enrolling a device and pushing the MDE mobile app in this blog. I blogged about this earlier, and you can refer to the steps under Defender for Endpoint onboarding for Android using Intune.

End User & Admin Experience

The MDE app is installed automatically in the work profile during the next sync of the device via the Company Portal app. Once the tenant has been onboarded to Global Secure Access (by enabling a traffic forwarding profile), the Global Secure Access client appears in the Defender dashboard on the device.

The client is disabled by default and the end user needs to enable it manually. When enabled and working properly, the client displays an "Enabled" message. The date and time for when the client connected to Global Secure Access also appears.

When the installed Microsoft 365 apps are used with the organization's identity, the network traffic covered by the Microsoft 365 profile is captured in the Global Secure Access network traffic dashboard. The dashboard compiles the data from the network configuration, including devices, users, and tenants, into several widgets covering active devices, most used applications, and users accessing the network.

For detailed information, per-connection network traffic logs are also captured, which can be used for richer insights and analysis.
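Because the Android client is disabled by default and has to be switched on by the user, the traffic logs are the quickest way for an admin to confirm that Microsoft 365 traffic from the work profile is really flowing through Global Secure Access. The script below is an added example written for this post, not from the original post or from Microsoft. It assumes the beta traffic log endpoint /networkAccess/logs/traffic, the NetworkAccess-Reports.Read.All scope, $filter support on that endpoint, and the networkAccessTraffic property names and values used here (trafficType 'microsoft365', deviceOperatingSystem 'Android', action 'block'), all as understood at the time of writing; check them against the current Graph reference before relying on the output.

```powershell
# Added example (not from the original post): pull Global Secure Access traffic logs
# from Microsoft Graph (beta) and summarise Microsoft 365 traffic from Android devices
# per user and device, so you can see who is actually forwarding through the
# Microsoft 365 profile and whether anything was blocked.
# Assumptions: the /networkAccess/logs/traffic endpoint, the NetworkAccess-Reports.Read.All
# scope, $filter support, and the property names/values below follow the beta
# networkAccessTraffic schema as understood at the time of writing.

Connect-MgGraph -Scopes "NetworkAccess-Reports.Read.All"
$PSDefaultParameterValues['Invoke-MgGraphRequest:OutputType'] = 'PSObject'

# Look back 24 hours; OData datetime literals are unquoted UTC timestamps.
$since  = (Get-Date).AddHours(-24).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "createdDateTime ge $since and trafficType eq 'microsoft365' and deviceOperatingSystem eq 'Android'"
$uri    = "https://graph.microsoft.com/beta/networkAccess/logs/traffic?" +
          "`$filter=$([uri]::EscapeDataString($filter))&`$top=500"

# Follow @odata.nextLink until the result set is exhausted.
$records = @()
do {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri
    $records += $page.value
    $uri      = $page.'@odata.nextLink'
} while ($uri)

Write-Host "$($records.Count) Android Microsoft 365 connections in the last 24h"

# One row per user/device: connection count, blocked count, and the three most
# contacted Microsoft 365 FQDNs, which shows which policy groups are being exercised.
$records |
    Group-Object userPrincipalName, deviceId |
    ForEach-Object {
        $sample = $_.Group[0]
        [pscustomobject]@{
            User        = $sample.userPrincipalName
            DeviceId    = $sample.deviceId
            AndroidVer  = $sample.deviceOperatingSystemVersion
            Connections = $_.Count
            Blocked     = ($_.Group | Where-Object action -eq 'block').Count
            TopFqdns    = ($_.Group | Group-Object destinationFQDN |
                           Sort-Object Count -Descending |
                           Select-Object -First 3 -ExpandProperty Name) -join ', '
        }
    } | Format-Table -AutoSize

# An Android user who has the MDE app and a Microsoft 365 licence but produces no rows
# here most likely still has the client disabled (it is off by default) or the device
# has not synced since the forwarding profile was enabled.
```

Compare the resulting user list with the set of users you expect to have the work profile and the MDE app; the gap between the two is the set of devices whose client is not yet enabled or not yet onboarded.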

Final thoughts..

With the introduction of the SSE solution, Internet Access and Private Access, organizations can now secure access to any application, resource, or destination with a unified, identity-centric approach, using user identity, device compliance, application, and network compliance as conditions. This is an easy way to unify and centralize your access policies and strengthen them with continuous access evaluation. I am excited to try out the rest of the features under SSE and will be covering them in detail in the days to come. Watch this space. :-)

Until next time...
