Microsoft Melds Identity & SSE With Entra SuiteMicrosoft Melds Identity & SSE With Entra Suite

Microsoft has begun delivering on an enterprising plan to provide unified conditional access to enterprise and software-as-a-service (SaaS) resources, releasing network-based security service edge (SSE) offerings that have been integrated into its flagship Entra Identity portfolio.

The new Microsoft Azure-based SSE offerings, which provide perimeterless secure access to cloud and enterprise applications, became commercially available today as core components of what the tech giant has dubbed the Entra Suite.

Specifically, the Entra Suite SSE offerings include Entra Internet Access, which provides secure access to SaaS-based applications, and Entra Private Access, designed to replace virtual private networks (VPNs) with more granular access to enterprise resources. Both use Entra ID's (formerly Azure AD) least-privilege access policies.

The Entra Suite also integrates Entra Identity with network security controls to provide what Microsoft calls a "front door perimeter." It includes Microsoft's new Entra Identity Governance, Entra Verified ID, and Entra Identity Protection offerings, including the recently launched Face Check.

Entra Internet Access & Private Access: The Details

Entra Internet Access is a secure Web gateway (SWG) that provides secure access to SaaS applications, including Microsoft 365 apps. According to Microsoft, Entra Internet Access combines conditional access policies with network conditions, which can defend against malicious traffic and threats.

Specific to Microsoft 365 applications, Entra Intranet Access offers Universal Tenant Restrictions, which Microsoft says will prevent data exfiltration to other tenants or personal accounts.

Microsoft's Entra Private Access provides secure access to enterprise applications regardless of where the application is hosted. It enables attribute-based conditional access policies, which lets administrators create policies based on risks and conditions, such as device compliance, location, and sensitivity of data.

Joy Chik, Microsoft's president of identity and network access, says that with Entra Suite, all of the components, including Entra ID Governance, Entra ID Protection, and Entra Verified ID, are integrated with conditional access.

"Everything is under the Entra administration experience," she says. "All the policy settings, everything is a fully integrated end-to-end scenario."

Streamlining: A Unified Approach to Conditional Access

Microsoft believes that enterprise security teams want to rely on one provider for identity and secure network access so they can all share the same policies and conditions.

"It will help us unify conditional access, which is the security policy engine for doing secure access, with both the identity signals and network signals together," Chik says. "Customers are longing for the capability to integrate identity and network signals together into one place with Entra conditional access."

During a briefing last year that previewed today's launches, Chik made the case for Microsoft's one-stop approach to integrating identity into the mix.

"Neither identity nor network security controls alone can protect all access points," she says. "But if you're using disconnected tools, some of the critical integration points can be missed. Skilled adversaries often exploit seams between solutions."

One Suite to Rule Them All?

The jury is still out on how many organizations will embrace Microsoft's approach of converging their identity and network access platforms, says Forrester principal analyst Geoff Cairns. Even if they do, it remains to be seen whether they will fall in line behind Microsoft's suite approach.

"I've been talking with clients, grappling with whether or not to put all their identity access management [IAM] security infrastructure eggs in the Microsoft Entra basket given the concentration risk," he says, referring to the idea that having the proverbial "single throat to choke" in order to subvert the whole system could be risky.

Cairns anticipates that those most likely to make that move will be organizations that have embraced Microsoft-centric environments already and are in the process of modernizing their security stacks.

"Scale and complexity of the organization and its IT environment will be a critical decision factor," he says.

According to Omdia senior analyst Don Tait, the convergence of IAM and network security may be inevitable over time.

"I definitely think that network security, while it remains critically important overall, must now move aside as identity security comes to the fore," Tait says. "Note, for instance, the growing importance of IDR/ITDR [intrusion detection and response/identity threat detection and response] technology in this context."

It should be noted that Entra won't be all-Microsoft, all the time, for long: Later this year, Microsoft will reveal plans to partner with third-party network and SSE providers, Chik says. Among the leading SSE providers are Cisco, Cloudflare, Netskope, Palo Alto Networks, and Zscaler.