New Microsoft Entra Suite

Mechanics Team
9 min read · Jul 18, 2024


Get a unified solution for secure access management, identity verification, and Zero Trust security for cloud and on-premises resources. The new Microsoft Entra suite integrates five capabilities: Private Access, Internet Access, ID Protection, ID Governance, and Face Check in Verified ID Premium, included with Microsoft Entra Suite. With these, you can streamline user onboarding, enhance security with automated workflows, and protect against threats using Conditional Access policies. See how to reduce security gaps, block lateral attacks, and replace legacy VPNs, ensuring efficient and secure access to necessary resources.

Jarred Boone, Identity Security Senior Product Manager, shares how to experience advanced security and management with Microsoft Entra Suite.

Get a unified experience.

Secure access for any employee, from anywhere, to any app, AI, or resource. Get started with the Microsoft Entra Suite.

Streamline the onboarding process.

Verify users, prevent overprivileged permissions, improve detections, and enforce granular access controls for all users and resources. See the new Microsoft Entra Suite.

Establish policies to dynamically adjust.

Improve the hybrid workforce experience with seamless access to any resource. Check out the new Microsoft Entra Suite.


QUICK LINKS:

00:00 — Unified solution with Microsoft Entra Suite
00:38 — Microsoft Entra Private Access
01:39 — Microsoft Entra Internet Access
02:42 — Microsoft Entra ID Protection
03:31 — Microsoft Entra ID Governance
04:18 — Face Check in Verified ID Premium, included with Microsoft Entra Suite
04:52 — How core capabilities work with onboarding process
06:08 — Protect access to resources
07:22 — Control access to internet endpoints
08:05 — Establish policies to dynamically adjust
08:45 — Wrap up

Link References

Try it out at https://entra.microsoft.com

Watch our related deep dives at https://aka.ms/EntraSuitePlaylist

Check out https://aka.ms/EntraSuiteDocs

Unfamiliar with Microsoft Mechanics?

As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.


Video Transcript:

-The new Microsoft Entra Suite goes beyond what you may have today to advance secure access management, protect and verify any identity, and enforce a Zero Trust security approach for your cloud and on-premises resources. In fact, if you’re using multiple siloed tools to do this today, integration gaps can increase your security exposure.

-Whereas Microsoft Entra Suite provides a unified solution to strengthen your security posture, by providing you with five key capabilities. Private Access, Internet Access, ID Protection, ID Governance, and Face Check with Verified ID. These work with your existing processes, and I’ll first explain how each works, and demonstrate them in action. Starting with Microsoft Entra Private Access.

-This capability is designed to improve protections for on-premises apps and resources without any code changes. It works together with Conditional Access policies so that as resources are being accessed, Private Access uses identity, device, and application signals to assess risk in real-time. And it will then apply additional network conditions to increase access protections to any app resource, including file shares or on-premises servers.

-This identity-centric Zero Trust network access approach goes beyond what you can do today with traditional VPNs. In fact, it helps block lateral attack movement, reduces the risk of over-permissioning, and replaces legacy VPNs. And it works by using a locally installed Global Secure Access agent on your user’s managed device.

-Then in your local network, you’ll install a private network connector as an agent to handle traffic, which only uses outbound connections. And these work together to securely establish the connection between the user and the private resource.

-Second, Microsoft Entra Internet Access is designed to prevent end user access to unsafe and non-compliant content. To keep your users and devices safe from internet threats, here we protect them against malicious traffic using cloud delivered network security controls. Including web content filtering, based on Microsoft-maintained categories, as well as endpoints that you can define as an admin.

-And soon we’ll add threat intelligence filtering to also protect against continuously evolving known threats. This also provides fast and seamless access through a globally distributed secure network edge, and private WAN to optimize traffic routing to internet destinations.

-And importantly, it extends Conditional Access adaptive controls to internet security, where each access attempt is assessed in real-time across identity, device, location, and risk signals to protect any internet destination. This way, you now have a single policy engine across cloud apps and internet endpoints. And both Internet Access, as well as Private Access, have a deep integration with ID Protection and ID Governance to automate what’s in scope, which we’ll cover next.

-In fact, our third capability, Microsoft Entra ID Protection, provides foundational risk-based Conditional Access and multi-factor authentication services for detecting and remediating identity risks. Machine learning is used to identify compromised or malicious user accounts, and automates action to mitigate these threats.

-Using Conditional Access adaptive controls, you can ensure users and devices meet predefined conditions prior to granting access to any resource. Conditional Access assesses sign-in risks to look for anomalous single events.

-And user risk assesses sign-in trends over time to determine if an account has potentially been compromised. And with token protection, tokens are bound to the issued device, which means if stolen, they cannot be replayed on another device. ID Protection also works with hybrid identities when you integrate it with your on-premises Active Directory Services.

-Then our fourth capability, Microsoft Entra ID Governance, lets you balance security and productivity by ensuring that the right people have the right access to the right resources for the right amount of time. For example, for everyday users, you can ensure just enough access is granted so that users can only access what they need, and nothing more, to get their jobs done.

-Also, identity lifecycle management in Microsoft Entra lets you use workflow automation for provisioning your managed apps, data, and services, even those on premise. And you can couple that with additional steps, like procurement of computer hardware and more. And this is done together with entitlement management to select just the right resources and apps to prevent over-permissioning.

-Equally, the same lifecycle automation lets you grant access to people as they change roles, or remove access as employees leave your organization. Which brings us to our fifth capability, Face Check with Verified ID.

-This works together with ID Protection and ID Governance controls to accelerate and protect user onboarding. It’s a part of the Verified ID platform in Microsoft Entra. As a decentralized identity solution, it lets users verify credentials together with those from third party issuers, and prove they are who they say they are, without manual checks.

-Along with your government issued ID, Face Check with the Authenticator app can use the local device camera as a live motion image feed to ensure the person presenting that verified ID is in fact who they claim to be. So now that I’ve explained the five core capabilities of Microsoft Entra Suite, let me demonstrate them working together in action across everyday connected scenarios.

-Let’s start with the user onboarding process after the initial setup. In this example, our user account is only provisioned in our HR app, Workday. If we look at the user profile in Microsoft Entra, we can see all the attributes were automatically mapped from Workday, including the user’s hire date.

-The problem is that even though the account is in the directory service, the user does not yet have access to all resources needed to do their job. And this is where you can use lifecycle workflows as a part of ID Governance. Based on user attributes, like their department and location, I’ve created a simple automated workflow here.

-First, it will send a welcome email. Then the next task automatically assigns the user to the right group with the right software licenses, access to required on-premise and cloud-based apps, permission to sites in SharePoint. And even controls to govern access to internet endpoints.

-Finally, this custom task extension works with our ticketing system to procure the required computer hardware for this role. Workflows like these automatically detect accounts with matching conditions to automate defined tasks, saving you and your users time while right sizing and securing access to both cloud-based and on-premises apps and resources.

-In fact, with accounts onboarded and access to resources assigned, let’s move on to how Microsoft Entra Suite protects access to resources, first on your private network. Here, I’m shown an enrolled device with Global Secure Access client installed. I’ll paste the legacy on-premises hosted app address into my browser.

-And as you might expect, I can reach the site seamlessly, because this is a trusted device, I’m a trusted user, and I’m in a trusted sign in location on a trusted internal wifi network. This time, I’ll show you how this works on the same device, except using a different wifi network. I’ll change my connection in settings to Fourth Coffee Free Wifi, then move back to the browser.

-When I paste in the URL for the app we saw before, Conditional Access recognizes the change of network location, and determines that there is additional risk with an untrusted network, asking me to re-authenticate. In this case, the policy is configured to allow me to prove my identity using passwordless authentication.

-Then I get access to the private app. Then beyond internally hosted apps, this also works for accessing other on-premise resources, like domain joined virtual machines running on local servers, or accessing on-premise file shares protected using Kerberos authentication.

-And both of these even work from non domain joined devices, and without a VPN. Additionally, Microsoft Entra Internet Access combines multiple Microsoft Entra Suite capabilities as you control access to internet endpoints.

-As an admin, you can create web content filtering policies for web categories and FQDNs. For example, you can block social networking like X, but allow professional networking sites like LinkedIn. This works with your Conditional Access policies as you scope users or groups, and optionally define exclusions.

-Importantly, these policies also work hand in hand with ID Governance, so that you can automate who is added or removed from policy scope as they enter, move within, or leave the organization. So as a user in scope for this policy, access to X in our case will be blocked, but if they go to LinkedIn, you’ll see that it’s allowed.

-Additionally, you can establish policies that dynamically adjust based on changing risk levels, which is a lot smarter than firewall rules that you may have traditionally set. In the Conditional Access policy, an identity flag with high user risk usually indicates that the account has been compromised.

-Over time, they may have performed multiple risk activities, such as suspicious API calls or sending patterns. If you pair this condition with web filtering controls, like limiting access to web repository and storage sites, once an identity in scope for the policy is flagged with high user risk, you can block the user account from accessing those sites.

-And access will automatically get restored when the user risk signal changes and drops below a certain level. So that’s how Microsoft Entra Suite goes beyond what you may have today to unify and advance secure access management, protect and verify any identity, and enforce a Zero Trust security approach for your cloud and on-premises resources.

-Try it out today at entra.microsoft.com, and watch our related deep dives at aka.ms/EntraSuitePlaylist. Also, to learn more, check out aka.ms/EntraSuiteDocs. Subscribe to Microsoft Mechanics for the latest tech updates, and thanks for watching.
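The "dynamically adjust" scenario near the end of the transcript (an account flagged with high user risk is blocked, and access returns once ID Protection lowers the risk) is expressed as a Conditional Access policy with a user-risk condition and a block grant control. The script below is an added example, not code from the Mechanics post or a Microsoft sample: it creates such a policy with the Microsoft Graph PowerShell SDK. The group IDs and the policy name are placeholders, and the policy targets all cloud apps; narrowing it to Global Secure Access internet traffic and attaching the web-filtering security profile mentioned in the transcript is done in the portal's session controls and is not shown here.

```powershell
# Added example (not from the post or from Microsoft): a risk-based Conditional Access policy
# that blocks users currently flagged with high user risk by Microsoft Entra ID Protection.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

# Delegated permissions needed to create Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$params = @{
    displayName = "Block high-risk users (example policy)"          # placeholder name
    # Start in report-only mode so the effect can be reviewed in sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # Placeholder: group whose membership is kept current by ID Governance lifecycle workflows.
            includeGroups = @("00000000-0000-0000-0000-000000000000")
            # Placeholder: emergency-access (break-glass) accounts, always excluded from block policies.
            excludeGroups = @("11111111-1111-1111-1111-111111111111")
        }
        applications = @{
            # Assumption: all cloud apps; scope to Global Secure Access traffic in the portal if needed.
            includeApplications = @("All")
        }
        # The condition that makes the policy "dynamic": it only applies while user risk is high.
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

Because Conditional Access is evaluated on each access using the user's current risk level, the block stops applying as soon as ID Protection lowers the risk (for example after the user completes the remediation the tenant requires), which is the automatic restoration of access the transcript describes. Leaving the policy in report-only mode first lets you confirm in the sign-in logs which users and destinations it would have blocked before switching `state` to `enabled`.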
