Great info, Jonathan. I see this GSA is no longer in 'Preview' and I would love to see a part 2 update, also a dedicated intro to the VPN setup and config.
Microsoft can't even fix its spam management technology - and we're supposed to believe their cybersecurity apps or services are top-notch. Ya. Good one.
Facebook does it. Apple does it. Amazon does it. TikTok does it. Google does it. Oracle does it. The authorities push data privacy rules while getting more invasive. Today's age: DATA.
It is an interesting concept of doing central policy management of the Windows firewall and/or hosts file via web interface. Perhaps, as you mentioned, welcome for smaller businesses, because we in the large enterprise already do this (using different tools) since before pandemic days. The main drawback I see is the reliance on one single source for everything: if Microsoft makes one accidental change, your entire business is locked out. That is why having different vendors for certain solutions - including on-premises - still helps keep your business running. Good recap of the tool, though. Kudos!
This is awesome, thanks Jonathan! Any chance you could do a video on Entra Private Access and the way it works with allowing you to access on-prem resources such as file shares and private apps through the Global Secure Access client?
I trust Microsoft as much as I can trust their open source operating system. Especially after Bill Gates stated that he thinks the government should have access to everyone's data.
It’s a completely free world. I’m a content creator. I don’t have any affiliation with Microsoft. If people don’t want to use their products, they don’t have to.
Thank you so much for this video, it is very helpful and easy to understand. I have one quick question. In case the company wants to block users from accessing social media, if the users want to bypass the block, can they just disconnect from the GSA client to access it? Thank you in advance!
You mentioned your test VM was in Intune for the tenant. Is Intune enrollment required to run Global Secure Access on an endpoint device? Also, how long do you have to wait to see the "All Compliant Network Locations" show up in the locations list when you go to create the new Block policy? thx.
My issue with any video like this is I'm left with no understanding of why this does what it does. Ok, user tries to go to a blocked site... Is the magic done with DNS? Or does DNS resolve ok but routing tables prevent the connection? Or is there something else going on? If the user is using a non-Edge browser, does it still work? What path do the packets take? What source IP address does the website see?
Hi Peter, the aim of my videos is to educate the owners of businesses who aren’t technical but need to understand concepts. I am sure there are other videos on YT that go into the technical elements that you want.
This looks cool and I see a lot of benefits, esp if MS includes it with existing Bus Prem. But wow, that's a lot of scattered places to go to set up, manage, and review. And I bet there's no consolidated way to report what's in place for the tenant. Seems like it could easily make for a bit of a nightmare to manage.
I am a tier 2 Dynamics 365 technical engineer. It's nice to refresh on the other side of the coin. I would assume if you are helping other companies you are a Partner?
I was playing at home and needed one more thing to be mentioned to win the game... My last word on my bingo sheet was 'zero trust'. Given that SSE is all about zero trust, I was disappointed that wasn't uttered even once... Joking aside, our organisation was trying to implement Cloudflare's ZTNA solution. Give Microsoft a few more years and I reckon it'll kill it. The Conditional Access is a killer feature that will make it a compelling sell if you are already heavily embedded in the Microsoft ecosystem.
Hi Jonathan Edwards, thank you for uploading this video! I implemented your solution at the school where I work to provide safe internet access in our computer lab, and it's working well. However, I noticed that users can easily pause the service by clicking the icon in the taskbar. Could you please advise on how to prevent this?
Not a new technology, just new to Microsoft. This has been done by Zscaler, Palo Alto, Cisco, and VMware for several years now. Cloudflare also does it now. Secure Access Service Edge (SASE) has existed as a VPN replacement for almost 10 years now. This is far from new to the industry.
All goes well until 10:10 in your video, where you are supposed to select "All Compliant Network Locations", but that option hasn't appeared (did everything else up to this part of the video 24 hours ago), and still that option doesn't show up to be able to exclude it.
Obviously. But why would you encourage your subscribers to volunteer to be part of a scheme which would encrypt the data on your computer so Microsoft can be the only company who is able to sell your data to the data brokers? Why not encourage people to use an OS with no telemetry? Why not promote the idea of self-hosted VPNs? You are part of the problem @bearded365guy
How many businesses did you help and fail... Are you being serious right now? Let MS handle our data? I can't take a guy like you seriously if you suggest lame stuff like that. You obviously do not care about security or privacy at all. How much did they pay you to make this vid?
@bearded365guy That's always a good answer to a complaint, not addressing anything. We all know what MS does; no one wants to use MS to log in to their Windows 11, etc., and here you suggest, no, even praise them. If you answer like that, we all know now why you made this video.
Access, firewall and VPN are all three different things. You seem to be conflating and confusing all three. This solution has nothing to do with VPNs and barely has anything to do with firewalls at a specific location. You're just moving content filtering to somewhere else.
Thanks, Jonathan! Did I miss it or can you not have custom messages displayed to the policy subjects? To simply block the access to certain categories/ sites sans note that it violates the company policy will IMHO create more confusion and incidents/ SR’s.
If you ask anyone on planet earth "Who is the biggest online intruder?" everyone will tell you 2 names: "Microsoft and Google". So who will protect us from these two?🤣 Security Paradox
OMG ... no way .... fuck ... I love you man .... but what happens if the user uninstalls the program? ... I want to block social media and betting websites for the whole network .... Will it work for shared email accounts? ... or only for licensed accounts?
If I understand correctly, Microsoft creates a tunnel and has access to the PC. If yes, this means Microsoft has access to everything on the PC, because they don't have any open source to explain what they really do. Really, you think this is good?? I use Windows and I am not a fan of Linux or a Mac boy; I use everything because of my work.
During my testing even a standard user can pause the client. Surely that will change when the service reaches General Availability? It defeats the purpose of the client entirely if a standard user can pause it. Can anyone else confirm the same results?
Hope you’re right. Like 6 months ago someone from the Entra team told us that when this product comes out of preview it would require an additional license.
Great explainer. I started setting it up after seeing the video - indeed nothing like a VPN; the segregation of different apps and Conditional Access make this an absolute game changer. However, I'm running into tunneling issues. RDP works absolutely great - no issues - so the next step was a simple SQL server, two standard SQL ports; can reach it just fine, studio as well, but the moment I plug a real app on it (accounting app) it can connect, there is back and forth communication, the only thing we seem to not be getting back are TDS packets - which contain of course the payload, making it effectively not working. I've been looking online as some YouTube videos show a client with UDP support (and TDS?) and private DNS.. but official resources I'm unable to find - roadmap, changelog, client status etc. You've got more info? Would love to run this instead of a VPN but due to the TDS issue I cannot.
Yes you can. You have to create at least one (MS prefers two) server on prem and that will connect to this. I have tested this to use RDP right away from my laptop to an on-prem server.
How can we allow users to access network resources, e.g. shared drives? Also, can they still use the Mitel softphone while working from home? Can they access AX which is onsite and not in the cloud?
@bearded365guy It would be great to see a video on Private Access. I watched the video expecting to see how a VPN works with Conditional Access. I presume you have to have some bit of software client on your servers, which communicates with Entra ID's Conditional Access rules. If this works reliably, I can see that could be a great replacement for awkward-to-configure and bothersome VPNs.
@bearded365guy So, question on this. Scenario: since we have an onsite VPN while utilizing a hybrid environment, all the resources the employees need to access are on the on-prem domain; our VPN connects them to said on-prem domain so they can reach the resources needed. Question: can this SSE also be utilized the same way? Or is this strictly an "encryption" method of their traffic vs. encrypted traffic between endpoints (from their laptop to our on-prem domain)?
@bearded365guy - do you know if Microsoft plan to allow customisable block pages for the web filtering? You would expect that to be the norm for an enterprise scenario to advise users that the site is actually blocked rather than inaccessible (and looking like a generic issue) otherwise it could result in a lot of service desk tickets especially if the policies are introduced without prior notification, as is my experience with many organisations that I’ve dealt with.
Hi Jonathan, great vid, thanks. 16 mins 55 sec in you say it takes some time for the web content filter to apply. How long are we talking? Minutes or hours?
Hi Jonathan, great video. I am a little confused about the title of this video. I don't see you demonstrating the VPN feature here. Will you demonstrate this in a future video? I think it would be a great secure method of ditching traditional and sometimes very troublesome VPNs via Conditional Access rules.
Cracking video and a great insight. A bit put off by the generic blocked access error rather than a defined “Your company has restricted access to…” response. Is this available?
Great informational video, but this is going to be too complicated to set up for the average user. Not everyone has administrator knowledge or experience.
Very good video, congratulations. One question, regarding the web content filtering you showed. If the user disables the global client, would they be able to reach previously blocked websites?
Thanks for the demo. I followed your steps but I don't have the option in Conditional Access > Conditions > Locations > Include; I don't have the option Any Location. I have the others: All trusted IPs, Trusted locations, All Compliant Network & Selected locations, but no Any Location. Did I miss a step?
ty for the quick reply. When creating the policy CA09, you selected the user, then went to Conditions. I don't have "Any Location" as an option in the Locations section; I only have All trusted IPs, All trusted locations, All Compliant Network locations (preview) & Selected Locations. You have it when you select Include > Any Location; I'm missing that option @bearded365guy
This is my first time seeing your channel, but it sounds like an advertisement from Microsoft. I'm not interested. I need a solution that is not platform dependent. Maybe I didn't watch enough of the video or I might have missed something, but thanks but no thanks.
I like your video. I have created a CA policy, but I don't see any "Linked Conditional Access policies" in the "Microsoft 365 access profile". Is my CA policy supposed to be showing there?
Okay, so it appears things are working like you demonstrated, but the Outlook application still works/opens when I pause the GA client. Any thoughts on why it would not be blocked?
Why do I get the feeling that this will be a service that the EU goes after due to it being included with O365, just like Teams was. For any Microsoft focussed business that is managing mainly business assets this seems a far easier solution than the standalone offerings that are out there.
I agree, a VPN with Firewall with App control and some others. The example you present, with blocking social networks, I believe is not a good example of "more than VPN". There is so much work done in a browser these days, including most of the Office docs as well, the protection often comes about basically listing the websites one is allowed (or not allowed) to go to. EntraID or VPN cert for security is a separate question. As for blocking *users* from using social media, I disagree with that. Blocking computers - yes; blocking users - no. People often have 2 mobile phones - one for work, and one for personal needs. I wonder why. If I were to use this solution as a user, I would either do it like you did - I would run the work instance in a VM, or I would have 2 computers. Again it secures the work environment by implementing solutions like that. And it is ok. But there is no way it is going to change the behavior of the people.
Really like the demo, especially the setup, but it kinda misses the point and intended purpose of SSE. SSE is architecturally supposed to create a secure corporate LAN atop an insecure/in-securable WAN, i.e. the Internet, and thereby returns to the 'secure office infrastructure' of old, but this time communicating together over 'any old network'. Accessing a secure payroll server from a coffee shop would have better demonstrated its purpose. Also, perhaps a follow-up video? Microsoft has always heralded its ZTNA as 'secure access to your M365 from anywhere'. Aside from web filtering and broad statements like 'well, it's more secure', what additional value does GSA bring to small businesses?
When I tried implementing this as per the given steps I faced an error in the Global Secure Access client: "". When I dug into this error I found that the device on which the Global Secure Access client runs is required to be a Microsoft Entra joined device. Wondering if there is any way around this, as my users have BYOD and I cannot get their devices Entra joined.