Very good. I set up Internet Access and blocked Social Media etc. It blocked most sites but not Facebook to my surprise! I then investigated and found that Facebook uses QUIC protocol, which is UDP based. As GSA not yet support UDP, that traffic was let through. It will be there in a future version of the client, but for now this may be good to know.. 🍺🍺 EDIT: Now it seems to also stop Facebook with the new version of the Client. Cheers!
I would never use a VPN which just an aggregate for all your traffic and a target by governments and hackers. Most websites nowadays are already encrypted via HTTS so it's just redundant encryption by a VPN. But hey, to each their own.
Love your greeting - reminds me so much of our priest - I mean that in a complimentary manner, he also has such a cheerful, pleasant manner of greeting.
We are a small (10k user) municipality with E5 licenses on our main users. We are seeing that Microsoft are finding more and more "special" and "premium" licenses, and I can guarantee that our politicians never will agree to these. So, will these features be available to our existing clients? Microsoft, you do not have a great track record for these exciting changes to be available for existing users/licences. In my opinion, our (really expensive) E5 licences are buried down to E3 level over the years. Soon to come close to E1.
I've been trailing the GSAC / Zero trust for a little while now and really liking it. Much more stable than trying to deploy out AOVPN and much finer access controls too.
Should GSA appear automatically within the defender app on iOS? I was not able to find Microsoft documentation about the iOS client setup - only Windows and Android is available.
Hello and happy new year, If I understand well, the file server was installed in Windows Server On-Premise machine, the device to access this file server is not domain joined but only AzureAD join. My question is: how did you manage NTFS permission for AzureAD user to access to the different shares ? Did you need to enable security group writeback to get the group on your On Premise Active Directory and assign it on the share and give the appropriate NTFS permission or there is another way to do it please ? Regards.
Interesting question. In relation to NTFS, whatever permissions you set locally, will waterfall downwards. Group Writeback only works if you have hybrid enter ID, and in this case is unnecessary. This is yet another layer that Microsoft are adding into it in tune technologies that will make the need for active directory, unnecessary
Microsoft have never stolen anything before.. Not even Javascript, I mean Microsoft Jscript was something completely different, and that it got the same bugs as the original javascript must just be a coincidence.
We currently use Cisco VPN - just to confirm that GSA could replace that and we would still have same or similar access levels to on premise resources such as file shares, etc.? I guess we will find out really soon as my network engineer wants to setup GSA as a proof of concept.
At the moment I have not personally played a lot with this product. And as you can see it’s currently in public preview so pricing and availability have not yet been confirmed. I apologise that I can’t give you a more definite answer.
And the second he mentioned Entra I thought "Nah, VPN is not going anywhere" ... I get it, it is probably a great solution, but boldly claim VPN is done for is just wrong. Not everyone uses Entra, especially private home users. And what happens the day Microsoft has a hickup? Cannot access my own on-prem environment. I rather not put all my eggs in the same basket.
Price: Money AND your Privat Datas free to MS including all your picture datas they will say its in the name of fighting crime/criminals but i tell you its not they are not the police.
This. Need to have pricing when demonstrating products. Can’t assess value of technology unless the costs are known. Demonstrating without pricing might generate awareness but really is a waste of time when we try our best to be informed buyers. We have similar SSE solutions from Palo Alto. We have E5 and MDE and MDfCA. I’m renewing my Palo Alto solutions.
There is still a domain on premises with DCs for the domain joined servers like we showed with the fileshare and Hyper-V server. The user's device however doesn't need to be domain joined or hybrid joined for this to work. It's issued the tickets needed after the conditional access challenge by the Private Access cloud service with gateway connector in place.
@@DeployJeremy is this already working, because I'm testing from a EntraID Joined system to connect to SMB file share, but seems to be not receiving Kerberos ticket at this moment, access denied... Is it also working in combination with Windows Hello for Business? At this moment I receive a popup with Windows Hello PIN, after that access denied to fileshare... I see in logging it's trying to connect with the fileshare.... Or do I have to wait for future release?
@@martinzonderland1543 It is already possible, but needs to be documented for implementation as it moves toward general availability. Documentation is in the works now, but no ETA yet for publishing.
When are our Server Licenses going to be less expensive to renew SA on, now that they're removing any doubts in our minds that ANY R&D is happening in on premises software? RRAS is dead. But we still pay for it, along with all the other software they've pushed new versions of to the cloud (Azure Files replacing DFS-R, etc) - it's extremely annoying paying them boatloads for SA when they're not actually providing what they did when we bought Server originally.
@@AndyMaloneMVP probably because there won't be. Why would they drop pricing that enterprises currently pay without a second thought in their Enterprise Agreement renewals, PLUS continue to add more opex 🤣 It's just really unfortunate that what we once got for licensing is now less. Imho, things like paying for System Center should get you Azure credits as well, especially if it's like getting access to this sort of technology. It's an extension of the product set.
How does check address work if you are on the road a lot? Looks like way too much effort. It’s clear Microsoft just wants everyone on their cloud platform. I would do anything to avoid this if given a choice.
@@AndyMaloneMVP I appreciate this, but having everything in the cloud although makes life easier, it also locks you in pretty badly, and often charges go up, I personally would limit cloud services where possible. I was thinking more about sales reps, consultants etc who travel a bit.
Does it support the management tunnel when the user is not logged in to the window ? That was the limitation on direct access where we cant remote manage laptops when the users are away
I use VPN for hiding IP in foreign countries as I travel most of the year. VPN under pressure with TV corps blocking software to prevent viewing, unstable. Frustrating. How could this replace my nerd for VPN, simple basic nerd I am done with VPN imstability
You mean that you use some commercial VPN service that is well-known and blocked by streaming services? You can run your own VPN service at home so that you have access to all your local things on your network and then nobody in the world can tell that you're not home. They won't be able to block you, because from a technical point of view, you are home.
Hmm. An app on-prem protected by a conditional access policy… a web app in this case no less. Sounds an awful lot like application proxy… what’s the upside to using that here?
Very good. I set up Internet Access and blocked Social Media etc. It blocked most sites but not Facebook to my surprise! I then investigated and found that Facebook uses QUIC protocol, which is UDP based. As GSA not yet support UDP, that traffic was let through. It will be there in a future version of the client, but for now this may be good to know.. 🍺🍺
EDIT: Now it seems to also stop Facebook with the new version of the Client. Cheers!
I would never use a VPN which just an aggregate for all your traffic and a target by governments and hackers. Most websites nowadays are already encrypted via HTTS so it's just redundant encryption by a VPN. But hey, to each their own.
@@BillAnt I think you have misunderstood the product. It's not there for encryption of traffic. It's there for filtering and control of it.
Great Job! Thank you Jeremy and Andy ~ 😘
Thanks Andy! This was awesome!! Also I always love the intro music!
IDk, this is complicated and does it really do anything for me that I'm not already doing.. idk.. Thanks and please keep them coming :-)
Love your greeting - reminds me so much of our priest - I mean that in a complimentary manner, he also has such a cheerful, pleasant manner of greeting.
😂🤣 Hehe no one has ever said that before. I’m delighted to have you on board 👍🙂
Great video, It was hard to follow in a few spots, but I think I understand the major points.
We are a small (10k user) municipality with E5 licenses on our main users.
We are seeing that Microsoft are finding more and more "special" and "premium" licenses, and I can guarantee that our politicians never will agree to these.
So, will these features be available to our existing clients?
Microsoft, you do not have a great track record for these exciting changes to be available for existing users/licences.
In my opinion, our (really expensive) E5 licences are buried down to E3 level over the years. Soon to come close to E1.
Seems to me this gives even more access to your info than Microsoft already has and IMO that's too much knowledge.
OK, thanks.
Without a VPN, China blocks this site so I think I will stick with what I know works:-)
It's an interesting point you make. This kind of service gives MS and similar players much insight into how companies govern their employees.
@@johnwade7430no thank you
If you don't trust your service provider, change provider or run your own service. Easy.
I've been trailing the GSAC / Zero trust for a little while now and really liking it. Much more stable than trying to deploy out AOVPN and much finer access controls too.
AOV has always been pretty rocky for us... looking forward to trying this out!
Really cool stuff !
Great content, thank you. Philippines
I'd love to hear more about DC-less Entra-authed SMB.
Well done.
Should GSA appear automatically within the defender app on iOS? I was not able to find Microsoft documentation about the iOS client setup - only Windows and Android is available.
Still in preview so some features may not be 100%
Awesome content Andy! Plus I really appreciate and love the production of the video, it's looking amazing!
@andymalonemvp
What did the speaker, Jeremy use as a Webcam/DSLR/phone, he looks like he was in real.
so this tunnels the traffic over my wifi connection like a VPN would?
Great that it's built into the defender app for mobile. Trouble is it consumes so much battery life as it is now.
It's a mouth full!
I agree
Very interesting. How does it work though with file shares that are controlled through on-prem AD groups if there's no on-prem domain auth?
seamlessly
Hello and happy new year,
If I understand well, the file server was installed in Windows Server On-Premise machine, the device to access this file server is not domain joined but only AzureAD join.
My question is: how did you manage NTFS permission for AzureAD user to access to the different shares ? Did you need to enable security group writeback to get the group on your On Premise Active Directory and assign it on the share and give the appropriate NTFS permission or there is another way to do it please ?
Regards.
Interesting question. In relation to NTFS, whatever permissions you set locally, will waterfall downwards. Group Writeback only works if you have hybrid enter ID, and in this case is unnecessary. This is yet another layer that Microsoft are adding into it in tune technologies that will make the need for active directory, unnecessary
I wish Microsoft could team up with Google and save my privacy and security once for all. 🤣
You'd think eh :-)
wishfull thinking. Do you have an eternity?
Absolute power corrupts absolutely, lord Acton
Microsoft and secure in the same sentence. Pffft.
Lol I thought the same thing, so many wierd servers that Windows connects to and do something.. thats why I moved over to Linux now.
Exactly my thoughts. 👍
Haha NOT!
I wouldn't trust Microsoft with anything
Yep. They got over that problem and for the past few years have been making some of the most secure and well integrated prods.
@@dimitriyates2701 and that is why hijacking 365 accounts is popular.
This is a pretty close copy of Twingate. Even called the elements of the technology the same names.
Microsoft have never stolen anything before.. Not even Javascript, I mean Microsoft Jscript was something completely different, and that it got the same bugs as the original javascript must just be a coincidence.
I was going to say the same thing. "Where have I seeen that before". Microsoft is a copycat
twingate has been great so far
We currently use Cisco VPN - just to confirm that GSA could replace that and we would still have same or similar access levels to on premise resources such as file shares, etc.? I guess we will find out really soon as my network engineer wants to setup GSA as a proof of concept.
At the moment I have not personally played a lot with this product. And as you can see it’s currently in public preview so pricing and availability have not yet been confirmed. I apologise that I can’t give you a more definite answer.
We have had GSA in production use already since may-june '23 and to answer your question; yes, GSA will entirely replace the need for a client vpn.
Great video! Will Entra Private Access replace the traditional Azure Application Proxy going forward?
As I believe the web app, proxy service will remain as a standalone feature, but has been for Intune
Does Group Policy work over this? VPN gives you GP but Sophos ZTNA we are using doesnt give us Group Policy so its not a direct replacement of VPN :(
Intune provides an equivalent service
Will this allow access to azure file share without azurevpn and be able to mount it like a local drive?
Yes it will
Does this is more like Easy access to the NSA? I suggest targeting more efficiently.
Don’t be silly
And the second he mentioned Entra I thought "Nah, VPN is not going anywhere" ... I get it, it is probably a great solution, but boldly claim VPN is done for is just wrong. Not everyone uses Entra, especially private home users.
And what happens the day Microsoft has a hickup? Cannot access my own on-prem environment. I rather not put all my eggs in the same basket.
Can I use it as a replacement for my current firewall?
It’s not a firewall. But has firewall elements
Is this the new "Direct Access"? Interesting.
Any idea on price?
Not yet I'm afraid.
Price: Money AND your Privat Datas free to MS including all your picture datas they will say its in the name of fighting crime/criminals but i tell you its not they are not the police.
This. Need to have pricing when demonstrating products. Can’t assess value of technology unless the costs are known. Demonstrating without pricing might generate awareness but really is a waste of time when we try our best to be informed buyers. We have similar SSE solutions from Palo Alto. We have E5 and MDE and MDfCA. I’m renewing my Palo Alto solutions.
This is amazing but I have heard this is going to be very expensive. It will not be included as part of the E5 license.
No details as of yet I’m expecting not I suspect it may be an extra cost, let’s wait and see though.
Love private access. fingers crossed the licensing is announced soon. Any options for machine that are only azure ad registered?
I’m sure these will be added in to conditional access policies
Hey Andy, you are Superb.
Is there an access client for Linux available too?
Yes coming shortly👍
Hmm. That SMB share access does require Kerberos cloud trust to be set up first too, right? Or is that built into this service now?
Ping Jeremy on that one :-)
There is still a domain on premises with DCs for the domain joined servers like we showed with the fileshare and Hyper-V server. The user's device however doesn't need to be domain joined or hybrid joined for this to work. It's issued the tickets needed after the conditional access challenge by the Private Access cloud service with gateway connector in place.
@@DeployJeremy is this already working, because I'm testing from a EntraID Joined system to connect to SMB file share, but seems to be not receiving Kerberos ticket at this moment, access denied... Is it also working in combination with Windows Hello for Business? At this moment I receive a popup with Windows Hello PIN, after that access denied to fileshare... I see in logging it's trying to connect with the fileshare.... Or do I have to wait for future release?
@@martinzonderland1543 It is already possible, but needs to be documented for implementation as it moves toward general availability. Documentation is in the works now, but no ETA yet for publishing.
When are our Server Licenses going to be less expensive to renew SA on, now that they're removing any doubts in our minds that ANY R&D is happening in on premises software? RRAS is dead. But we still pay for it, along with all the other software they've pushed new versions of to the cloud (Azure Files replacing DFS-R, etc) - it's extremely annoying paying them boatloads for SA when they're not actually providing what they did when we bought Server originally.
No news on licensing yet I’m afraid.
@@AndyMaloneMVP probably because there won't be. Why would they drop pricing that enterprises currently pay without a second thought in their Enterprise Agreement renewals, PLUS continue to add more opex 🤣
It's just really unfortunate that what we once got for licensing is now less. Imho, things like paying for System Center should get you Azure credits as well, especially if it's like getting access to this sort of technology. It's an extension of the product set.
2 ways to access conditional access - one from devices and another one from Endpoint security
and each one has different functions
Actually, they’re the same tools
How does check address work if you are on the road a lot? Looks like way too much effort. It’s clear Microsoft just wants everyone on their cloud platform. I would do anything to avoid this if given a choice.
Remember this is a corporate solution which can be managed by your IT. This is not a personal feature.
@@AndyMaloneMVP I appreciate this, but having everything in the cloud although makes life easier, it also locks you in pretty badly, and often charges go up, I personally would limit cloud services where possible. I was thinking more about sales reps, consultants etc who travel a bit.
Is this available for Linux machines?
It will be yes
How to use it
I just want to know if this means I can watch the NFL when I‘m in Europe! 😃
No it’s not intended for that
All at an extra per user subscription cost. Cost that keep increasing and where MS keep moving the goalposts. Naaaaaaaaahhhhh I’ll pass thanks
More money to charge !!!
Can't see myself trusting cloud-based security.
It’s way better than on prem
Does it support the management tunnel when the user is not logged in to the window ? That was the limitation on direct access where we cant remote manage laptops when the users are away
At present I'm not up to date with the exact technical details. Please checkout the links in the video as well as learn.microsoft.com
I use VPN for hiding IP in foreign countries as I travel most of the year. VPN under pressure with TV corps blocking software to prevent viewing, unstable. Frustrating. How could this replace my nerd for VPN, simple basic nerd I am done with VPN imstability
You mean that you use some commercial VPN service that is well-known and blocked by streaming services? You can run your own VPN service at home so that you have access to all your local things on your network and then nobody in the world can tell that you're not home. They won't be able to block you, because from a technical point of view, you are home.
how does anything with Microsoft in its name get remotely associated with Security lol
Don’t think of yourself personally, watch the video fully and you’ll understand
@@AndyMaloneMVP I did, no thanks
Will this work in China?????
No idea sorry
Trouble, Microsoft do cave into China’s demands. The company’s Web browser is a case in point. So I doubt myself whether this would be at all useful.
And you think this is simpler than a VPN?
Wait till you see Internet access feature coming soon
Trust Microsoft?! Your having a laugh aren’t you?
🤪
Hmm. An app on-prem protected by a conditional access policy… a web app in this case no less. Sounds an awful lot like application proxy… what’s the upside to using that here?
App Proxy is now integrated in to CA
@@AndyMaloneMVP You still need the agent on-premise i guess?
Microsoft and security does not go together!
VPN not going anywhere people like different things
Is this the new Azure App Proxy? What licenses are required for this?
No details yet
Microsoft is not even able to make encryption where you cant read out the key of the SSD/HDD. So why should i trust MS?😂
You trust their 2 factor authentication dont you?
@@b3at2 do they have one 😂🤣
So youve seen the scriptkiddy youtube video? Old news, it has already been fixed years ago, lazy admins just havent enabled the boot up PIN-codes..
@@laxativee scriptkiddy?never heard about that one
don't think so !