Exploring the Benefits of Microsoft Entra Suite
TL;DR
- Microsoft Entra Private Access and Microsoft Entra Internet Access have been bundled together as the Microsoft Entra Suite, so I'd like to think about what that means.
- When combined with PIM, I believe it offers a very unique capability to allow access to specific networks for a limited time only after approval via a workflow.
- While it builds on Microsoft Entra ID P2, combining it with Microsoft Intune, which is included in Microsoft 365 E3, opens the way to a solution that reduces risk significantly further.
Introduction
Microsoft Entra Suite reached GA in July 2024!
Actually, while I was waiting for the GA of the two products, Microsoft Entra Private Access (MEPA) and Microsoft Entra Internet Access (MEIA), they reached GA as a product family called Microsoft Entra Suite, which surprised me a bit.
Since Microsoft Entra Suite is a suite containing multiple products like Microsoft 365 E3 (similar to a "set" at McDonald's), I'd like to think a little bit about why these products are bundled together.
Products included in Microsoft Entra Suite
As mentioned in Microsoft Entra Suite is now generally available (GA) and Microsoft Entra Suite has been GA'ed, Microsoft Entra Suite includes the following products.
I'll also add some notes on the characteristic features included, referring to Microsoft Entra Plans and Pricing | Microsoft Security.
- Microsoft Entra Private Access
  - Provides so-called ZTNA
- Microsoft Entra Internet Access
  - Provides so-called SWG
- Microsoft Entra ID Governance
  - Machine learning-assisted access certifications and reviews: lets you send out access reviews asking, "Is this permission really still needed?", assisted by machine learning.
  - Entitlement management custom extensions (Logic Apps): a feature for managing SaaS permissions broadly, which can be automated with low code using Logic Apps.
  - Lifecycle workflows: lets you create workflows for when an employee joins (account creation), changes roles (permission updates), and leaves (disabling and eventually deleting the account).
  - Privileged Identity Management (PIM): described later.
- Microsoft Entra ID Protection
  - Risk-based conditional access: described later.
  - Device and application filters for conditional access: described later.
  - Vulnerabilities and risky account detection: determines whether an account is in a risky state.
- Microsoft Entra Verified ID
Combination with Microsoft Entra ID Governance
Microsoft Entra ID Governance provides features as described in Microsoft Entra ID Governance - Microsoft Entra ID Governance. Among these, Privileged Identity Management (PIM) has high affinity with MEPA and others.
Combination with Privileged Identity Management
PIM essentially provides a workflow for temporarily granting privileged access, but technically it allows temporary permission grants for any role.
Therefore, when combined with MEPA, it is possible to temporarily allow access, via a workflow, to a specific part of the network, for example a segment that handles personal information and therefore requires a higher security level. Detailed information can be found in Secure access to private applications with Privileged Identity Management (PIM) and Global Secure Access - Global Secure Access. Also, since emails like "Your weekly PIM digest" are sent periodically, it's easy to keep track of PIM usage.
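To make the "temporary access after approval" part concrete, here is an added example (not code from the original post or from Microsoft) that audits the activation rules of a PIM-for-Groups policy for the group assigned to a Private Access application, shows the corrected rules beside the weak ones, and builds the request that makes a user eligible (rather than a standing member). The rule shapes follow the Microsoft Graph unifiedRoleManagementPolicyRule types; the sample rules are constructed, and GROUP_ID, USER_ID and the approver group id are placeholders.

```python
"""Audit PIM activation rules for a group tied to a Private Access app:
an eligible user should need approval and MFA to activate, and the
activated membership should expire on its own.

Added example, not the original post's or Microsoft's code. The sample
rules are constructed; GROUP_ID / USER_ID are placeholders.
"""
import copy
import re
from datetime import datetime, timedelta, timezone

GROUP_ID = "PLACEHOLDER-GROUP-ID"       # group assigned to the Private Access app
USER_ID = "PLACEHOLDER-USER-OBJECT-ID"  # user who should be eligible, not a standing member

# Constructed sample of the end-user activation rules of a PIM-for-Groups policy.
SAMPLE_RULES = [
    {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
        "id": "Expiration_EndUser_Assignment",
        "isExpirationRequired": True,
        "maximumDuration": "PT8H",
    },
    {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
        "id": "Approval_EndUser_Assignment",
        "setting": {"isApprovalRequired": False, "approvalStages": []},
    },
    {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
        "id": "Enablement_EndUser_Assignment",
        "enabledRules": ["Justification"],
    },
]

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Parse the ISO 8601 duration subset PIM uses (e.g. PT8H, P1D, P1DT12H)."""
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def audit_activation_rules(rules, max_activation=timedelta(hours=8)):
    """Return findings; an empty list means the activation path meets the bar."""
    by_id = {r["id"]: r for r in rules}
    findings = []

    exp = by_id.get("Expiration_EndUser_Assignment", {})
    if not exp.get("isExpirationRequired"):
        findings.append("activated membership never expires")
    elif parse_duration(exp["maximumDuration"]) > max_activation:
        findings.append(f"activation window {exp['maximumDuration']} exceeds {max_activation}")

    approval = by_id.get("Approval_EndUser_Assignment", {}).get("setting", {})
    if not approval.get("isApprovalRequired"):
        findings.append("activation does not require approval")

    enabled = by_id.get("Enablement_EndUser_Assignment", {}).get("enabledRules", [])
    if "MultiFactorAuthentication" not in enabled:
        findings.append("activation does not require MFA")
    return findings


def with_approval_and_mfa(rules, approver_group_id):
    """Corrected copy of the rules: one approval stage by approver_group_id, MFA on activation."""
    fixed = copy.deepcopy(rules)
    for r in fixed:
        if r["id"] == "Approval_EndUser_Assignment":
            r["setting"] = {
                "isApprovalRequired": True,
                "approvalStages": [{
                    "approvalStageTimeOutInDays": 1,
                    "isApproverJustificationRequired": True,
                    "primaryApprovers": [{"@odata.type": "#microsoft.graph.groupMembers",
                                          "groupId": approver_group_id}],
                }],
            }
        elif r["id"] == "Enablement_EndUser_Assignment":
            r["enabledRules"] = sorted(set(r["enabledRules"]) | {"MultiFactorAuthentication"})
    return fixed


def eligibility_request(group_id, principal_id, eligible_for="P180D"):
    """Body for POST /identityGovernance/privilegedAccess/group/eligibilityScheduleRequests:
    makes principal_id *eligible* for membership; activation then runs through the rules above."""
    parse_duration(eligible_for)  # reject a malformed duration before it reaches the API
    return {
        "accessId": "member",
        "principalId": principal_id,
        "groupId": group_id,
        "action": "adminAssign",
        "justification": "Time-boxed access to the restricted network segment",
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).isoformat(),
            "expiration": {"type": "afterDuration", "duration": eligible_for},
        },
    }


if __name__ == "__main__":
    print("as found:", audit_activation_rules(SAMPLE_RULES))
    print("fixed:", audit_activation_rules(with_approval_and_mfa(SAMPLE_RULES, "PLACEHOLDER-APPROVERS-GROUP-ID")))
    print(eligibility_request(GROUP_ID, USER_ID))
```

The point of separating eligibility from activation is that the user holds nothing standing: the network segment only opens after the approver in the stage above says yes, the activation is MFA-gated, and it closes again within the window the expiration rule sets.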
Combination with Microsoft Entra ID Protection
Microsoft Entra ID Protection provides functions as described in What is Microsoft Entra ID Protection? - Microsoft Entra ID Protection.
As an example, for risk detection, you can use additional conditions such as "User risk" or "Sign-in risk" within the conditions of Conditional Access.
An image of the screen can be found in Risk policies - Microsoft Entra ID Protection, but since it is fully integrated into Conditional Access, it might be difficult to recognize as an individual feature.
For instance, if an ID/password were stolen and a malicious actor were signing in, deviations from the usual sign-in location, device type, and so on can be assessed as high risk, and access can be denied or additional MFA required even though the ID/password is correct.
Combination with Microsoft Intune
To be precise, Microsoft Entra Suite is an extension of Microsoft Entra ID P1/P2 and does not include Microsoft Intune, but I will add this as many companies have introduced Microsoft 365 E3.
While Microsoft Intune itself has MDM/MAM capabilities, the key point regarding its combination with the Microsoft Entra Suite is that it allows the use of the "Intune compliant" condition within Conditional Access.
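The risk conditions in the ID Protection section and the "Intune compliant" control here both live in Conditional Access, so the practical check is whether the tenant's policies actually enforce them. The following is an added example (not code from the original post or from Microsoft) that audits a set of Conditional Access policies, as Microsoft Graph returns them, for exactly those three controls and shows the corrected settings beside the weak ones. The sample tenant is constructed, and PRIVATE_APP_ID is a placeholder for the Private Access enterprise application's id.

```python
"""Audit Conditional Access policies for: block high user risk, MFA on
medium/high sign-in risk, and an Intune-compliant device for the Private
Access app.

Added example, not the original post's or Microsoft's code. The policy
dictionaries follow the Microsoft Graph conditionalAccessPolicy shape; the
sample policies are constructed and PRIVATE_APP_ID is a placeholder.
"""
import copy

PRIVATE_APP_ID = "PLACEHOLDER-PRIVATE-ACCESS-APP-ID"  # placeholder, not a real id

SAMPLE_POLICIES = [
    {  # enforced: step-up MFA when sign-in risk is medium or high
        "displayName": "MFA on risky sign-in",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": ["medium", "high"],
            "userRiskLevels": [],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {  # weak: right intent, but still in report-only mode, so it never blocks
        "displayName": "Block high user risk",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": [],
            "userRiskLevels": ["high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {  # weak: OR lets MFA alone satisfy the policy, so an unmanaged device gets in
        "displayName": "Private Access requires compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [PRIVATE_APP_ID]},
            "signInRiskLevels": [],
            "userRiskLevels": [],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
]


def _enforced_for_everyone(policy, app_id):
    """True when the policy is enabled (not report-only), targets all users and
    covers app_id, either explicitly or through the 'All' applications target."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions", {})
    users = cond.get("users", {}).get("includeUsers", [])
    apps = cond.get("applications", {}).get("includeApplications", [])
    return "All" in users and ("All" in apps or app_id in apps)


def _controls(policy):
    return policy.get("grantControls", {}).get("builtInControls", [])


def blocks_high_user_risk(policies):
    return any(_enforced_for_everyone(p, "All")
               and "high" in p["conditions"].get("userRiskLevels", [])
               and "block" in _controls(p) for p in policies)


def mfa_on_risky_sign_in(policies):
    return any(_enforced_for_everyone(p, "All")
               and {"medium", "high"} <= set(p["conditions"].get("signInRiskLevels", []))
               and "mfa" in _controls(p) for p in policies)


def compliant_device_required(policies, app_id):
    """Only counts if no other control can satisfy the policy instead:
    compliantDevice is the sole control, or the operator is AND."""
    for p in policies:
        controls = _controls(p)
        if not _enforced_for_everyone(p, app_id) or "compliantDevice" not in controls:
            continue
        if len(controls) == 1 or p["grantControls"].get("operator") == "AND":
            return True
    return False


def audit_conditional_access(policies, private_app_id):
    """Return the list of missing controls (empty when all three are in place)."""
    findings = []
    if not blocks_high_user_risk(policies):
        findings.append("no enforced policy blocks users at high risk")
    if not mfa_on_risky_sign_in(policies):
        findings.append("no enforced policy requires MFA on medium/high sign-in risk")
    if not compliant_device_required(policies, private_app_id):
        findings.append("Private Access app reachable without an Intune-compliant device")
    return findings


def hardened(policies):
    """Corrected copy: promote report-only policies (once their impact has been
    reviewed) and make compliantDevice mandatory next to other controls (AND)."""
    fixed = copy.deepcopy(policies)
    for p in fixed:
        if p["state"] == "enabledForReportingButNotEnforced":
            p["state"] = "enabled"
        if "compliantDevice" in _controls(p) and len(_controls(p)) > 1:
            p["grantControls"]["operator"] = "AND"
    return fixed


if __name__ == "__main__":
    print("as found:", audit_conditional_access(SAMPLE_POLICIES, PRIVATE_APP_ID))
    print("hardened:", audit_conditional_access(hardened(SAMPLE_POLICIES), PRIVATE_APP_ID))
```

Two things the audit deliberately refuses to count: a report-only policy, because it only logs what it would have done, and a compliant-device control joined by OR to MFA, because a correct password plus an MFA prompt from an unmanaged device then satisfies it, which is precisely the case the device side of Risk = User x Network x ID x Device is meant to close.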
Summary
When we think of Risk = User (literacy) x Network x ID x Device, using the Microsoft Entra Suite allows you to strongly protect the ID and achieve flexible and secure network access founded on that strong ID.
In addition, assuming the introduction of Microsoft 365 E3, Microsoft Intune can also be used, which helps reduce risk on the device side as well.
Convenience and security are often a trade-off, but I feel that MEPA, at least, is a product that achieves the best of both worlds—being convenient and secure.
Well, then all that's left is user literacy, so we come to the part where you could say "please look at MS Learn," but it's quite difficult to get that to stick, isn't it...
Reference
- Microsoft Entra Suite is now generally available (GA): an abridged translation by a member of Microsoft Entra ID support.
- Microsoft Entra Suite has been GA'ed: a blog post by someone working as a technical sales representative for security products at Microsoft Japan. The content is likely quite similar; I'm the one coming in second here.
- Microsoft Entra Plans and Pricing | Microsoft Security: the Microsoft Entra Suite pricing table I'm always checking. Finally, Microsoft Entra Suite has started appearing in Japanese. Also, I didn't know that PIM was surprisingly a part of Microsoft Entra ID Governance.
- What is Microsoft Entra? - Microsoft Entra: it explains each feature with examples starting with "For example," making it a good way to get a quick overview.
- Microsoft Entra ID Governance - Microsoft Entra ID Governance
- Secure access to private applications with Privileged Identity Management (PIM) and Global Secure Access - Global Secure Access
- What is Microsoft Entra ID Protection? - Microsoft Entra ID Protection
- Risk policies - Microsoft Entra ID Protection
- NEC begins rolling out digital employee IDs combining face recognition and decentralized ID to approximately 20,000 domestic employees, aiming for a future society utilizing "Microsoft Entra Verified ID"
Update log
- Added link to the Microsoft Entra overview page - 2024/08/09