Enable & manage Global Secure Access for Microsoft 365 Apps on Android

-
 
With ever so changing IT landscape of how businesses operate now, the concept of work from anywhere is now the new reality. This is resulting in applications and data moving into the cloud, thus giving rise to the need for an identity-aware, cloud-delivered network perimeter for the modern workforce. To address this new requirement, Microsoft has released Global Secure Access, which is Microsoft's own Security Service Edge (SSE) solution. 

What is Global Secure Access?

Note: At the time of writing this blog, Global Secure Access is still in Preview.

Global Secure Access is the unified location in the Microsoft Entra admin center which comprises of both Microsoft Entra Internet Access and Microsoft Entra Private Access as part of Microsoft's Security Service Edge solution. It is built upon the core principles of Zero Trust to use least privilege, verify explicitly, and assume breach.

a. Microsoft Entra Internet Access

Microsoft Entra Internet Access secures access to Microsoft 365, SaaS, and public internet apps while protecting users, devices, and data against internet threats.

Key features are - 

- Prevent stolen tokens from being replayed with the compliant network check in Conditional Access.
- Apply universal tenant restrictions to prevent data exfiltration to other tenants or personal accounts including anonymous access.
- Enriched logs with network and device signals currently supported for SharePoint Online traffic.
- Improve the precision of risk assessments on users, locations, and devices.
- Deploy side-by-side with third party SSE solutions.
- Acquire network traffic from the desktop client or from a remote network, such as a branch location.
- Dedicated public internet traffic forwarding profile.
- Protect user access to the public internet while leveraging Microsoft's cloud-delivered, identity-aware SWG solution.
- Enable web content filtering to regulate access to websites based on their content categories and domain names.
- Apply universal Conditional Access policies for all internet destinations, even if not federated with Microsoft Entra ID, through integration with Conditional Access session controls.

b. Microsoft Entra Private Access

Microsoft Entra Private Access provides your users - whether in an office or working remotely - secured access to your private, corporate resources.

Key features are -

- Quick Access: Zero Trust based access to a range of IP addresses and/or FQDNs without requiring a legacy VPN.
- Per-app access for TCP apps (UDP support in development).
- Modernize legacy app authentication with deep Conditional Access integration.
- Provide a seamless end-user experience by acquiring network traffic from the desktop client and deploying side-by-side with your existing third-party SSE solutions.

In this blog, I will be covering the feature Microsoft Entra Internet Access to secure access to Microsoft 365 Apps on Android OS end user platform.

At a high-level, following steps need to be performed -

1. Activate Global Secure Access in the tenant. 
2. Enable a traffic forwarding profile. (In this blog I will enable Microsoft 365 traffic forwarding profile.)
3. Install and configure the Global Secure Access Client on end-user devices.

Enable Global Secure Access in the tenant

There are some pre-requisites for enabling Global Secure Access in the tenant.

- Global Secure Access Administrator, Security Administrator, Global Administrator roles can be used to activate Global Secure Access preview features. Note: It is recommended to activate these Entra roles using Privileged Identity Management (PIM).

- The preview requires a Microsoft Entra ID P1 license. 
- To use the Microsoft 365 traffic forwarding profile, a Microsoft 365 E3 license is recommended. After general availability, Microsoft Entra Private Access and Microsoft Entra Internet Access might require different licenses.

To activate, follow the steps below - 

2. Go to Global Secure Access > Connect > Traffic Forwarding and activate as shown below.



Once Global Secure Access is enabled on the tenant, move on to the next step of creating a Microsoft 365 Apps traffic forwarding profile.

Microsoft 365 traffic forwarding profile

With the traffic forwarding profiles in Global Secure Access, you can apply policies to the network traffic that your organization needs to secure and manage. Network traffic is evaluated against the traffic forwarding policies you configure, in this case the Microsoft 365 profile. It manages the following policy groups:

- Exchange Online
- SharePoint Online and OneDrive for Business
- Microsoft 365 Common and Office Online (only Microsoft Entra ID and Microsoft Graph)

To enable, follow the steps below - 

1. Sign in to the Microsoft Entra admin center.
2. Browse to Global Secure Access > Connect > Traffic forwarding.
3. Select the checkbox for Microsoft 365 access profile.



4. To manage the details included in the Microsoft 365 traffic forwarding policy, select the View link for Microsoft 365 traffic policies. Here you can make changes to the policy actions if needed. I am going with the defaults.



Global Secure Access Client for Android

Note: At the time of writing this blog, Global Secure Access Client for Android is in Preview.

The Global Secure Access Client can be deployed to compliant Android devices using Microsoft Intune and Microsoft Defender for Endpoint on Android. The Android client is built into the Defender for Endpoint Android app, which streamlines how your end users connect to Global Secure Access. 

Global Secure Access Client for Android supports deployment for the legacy Device Administrator and Android Enterprise scenarios. The following Android Enterprise scenarios are supported:

- Corporate-owned, fully managed user devices
- Corporate-owned devices with a work profile
- Personally-owned devices with a work profile (Covered in the Blog)

I am not covering the steps involved in enrolling  a device and pushing the MDE mobile app in this blog. I blogged about this earlier and you can refer to the steps under Defender for Endpoint onboarding for Android using Intune.

End User & Admin Experience

Once the MDE app is automatically installed in the work profile during the next sync of the device via the Company Portal app. After onboarding to Global Secure Access - by enabling a traffic forwarding profile - the client appears in the Defender dashboard. 


The client is disabled by default and the end user needs to enable it manually. When enabled and working properly, the client displays an "Enabled" message. The date and time for when the client connected to Global Secure Access also appears.

 


On the use Microsoft 365 apps installed and when accessed using organization's identity, the network traffic under Microsoft Entra Internet Access services will be captured in the Global Secure Access network traffic dashboard. The dashboard compiles the data from the network configurations, including devices, users, and tenants into several widgets spanning across active devices, most used applications and users accessing the network.



For detailed information, network traffic logs are also captured which can be used for richer insights and analyzes.



Final thoughts..

With the introduction of the SSE solution, Internet Access and Private Access, organizations are now able to secure access with a unified, identity-centric approach to any application, resource, or destination, using user identity, device compliance, application, and network compliance as conditions. This is an easy way to unify and centralize all your access policies and strengthen them with continuous access evaluation. I am excited to try out rest of the features under SSE and will be covering them in details in the days to come. Look out for this space. :-)

Until next time...

References:

What is Global Secure Access (preview)? - Global Secure Access | Microsoft Learn

Global Secure Access (preview) traffic forwarding profiles - Global Secure Access | Microsoft Learn

The Global Secure Access Client for Android (preview) - Global Secure Access | Microsoft Learn

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Intune: UAC Elevation Prompt Behavior for Standard Users

-
Image
Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process. Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you. Let us see what all is involved and some of the ways that you can use to implement this easily. Policy CSP – LocalPoliciesSecurityOptions LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is U
Read more