From 1e20e8709ec2f684ccdc8a72f4f27af93ff320eb Mon Sep 17 00:00:00 2001 From: Jorge Lopez <43187678+jorlopama@users.noreply.github.com> Date: Thu, 24 Oct 2024 21:17:38 -0400 Subject: [PATCH] fixed broken links --- README.md | 4 ++-- Scenarios/Scenario1.md | 14 +++++++------- Scenarios/Scenario2.md | 15 +++++++------- Scenarios/Scenario3.md | 44 +++++++++++++++++++++--------------------- website/docs/intro.md | 2 +- 5 files changed, 40 insertions(+), 39 deletions(-) diff --git a/README.md b/README.md index f67d907..1c37cc2 100644 --- a/README.md +++ b/README.md @@ -20,11 +20,11 @@ Explore our real-life scenarios that articulate the value of Microsoft Entra Sui ### POC Overview -- [Entra Suite POC Overview](./POCAssets/01-Entra_Suite_POC_Overview.pptx) +- [Entra Suite POC Overview](./Scenarios/entra-suite-poc-overview.md) ### Microsoft Entra Suite Scenarios -- [Enhanced workforce and guest user lifecycle](.//Scenarios/Scenario1.md) +- [Enhanced workforce and guest user lifecycle](./Scenarios/Scenario1.md) - [Secure and govern access to all apps and resources](./Scenarios/Scenario2.md) - [Govern Internet Access based on business needs](./Scenarios/Scenario3.md) diff --git a/Scenarios/Scenario1.md b/Scenarios/Scenario1.md index 0020992..42a93d4 100644 --- a/Scenarios/Scenario1.md +++ b/Scenarios/Scenario1.md @@ -1,6 +1,6 @@ -## Microsoft Entra Suite � Scenario 1 -## Enhanced workforce and guest lifecycle (Secure and governed access to all applications and resources) +# Enhanced workforce and guest lifecycle +> Secure and governed access to all applications and resources ## Introduction In this guide, we describe how to configure Microsoft Entra Suite products for a scenario in which the fictional organization, Contoso, wants to hire new remote employees and provide them with secure and seamless access to necessary apps and resources. 
@@ -10,9 +10,9 @@ Contoso uses Microsoft Entra Verified ID to issue and verify digital proofs of i They use Microsoft Entra ID Governance to create and grant access packages for employees and external users based on verifiable credentials. -� For employees, they base access packages on job function and department. Access packages include cloud and on-premises apps and resources to which employees need access. +� For employees, they base access packages on job function and department. Access packages include cloud and on-premises apps and resources to which employees need access. -� For external collaborators, they base access packages on based on invitation to define external user roles and permissions. The access packages include only apps and resources to which external users need access. +� For external collaborators, they base access packages on based on invitation to define external user roles and permissions. The access packages include only apps and resources to which external users need access. Employees and external users can request access packages through a self-service portal and provide their digital proofs as identity verification. With single sign-on and multifactor authentication, employees and external users use Microsoft Entra accounts to access apps and resources that their access packages include. Contoso verifies credentials and grants access packages without requiring manual approvals or provisioning. @@ -37,7 +37,7 @@ For this scenario, complete these prerequisite steps to configure Microsoft Entr ![imagen 1](../images/VID-01.png) -5. Sign in to the test user�s **My Account** with their Microsoft Entra credentials. Select **Get my Verified ID** to issue a verified workplace credential +5. Sign in to the test user�s **My Account** with their Microsoft Entra credentials. Select **Get my Verified ID** to issue a verified workplace credential ![imagen 2](../images/VID-02.png) 
@@ -47,7 +47,7 @@ Follow these prerequisite steps to add a trusted external organization (B2B) for 1. Sign in to the Microsoft Entra admin center with at least a Security Administrator role. 2. Go to **Identity > External Identities > Cross-tenant access settings**. Select **Organizational settings** 3. Select **Add organization**. -4. Enter the organization�s full domain name (or tenant ID). +4. Enter the organization�s full domain name (or tenant ID). 5. Select the organization in the search results. Select **Add**. 6. Confirm the new organization (that inherits its access settings from default settings) in **Organizational settings**. ![image 3] (../images/VID-03.png) @@ -148,7 +148,7 @@ After you configure an access package with a Verified ID requirement, end-users 5. After you share your credentials, continue with the approval workflow. 6. **Optional**: Simulate user risk by following these instructions: [Simulating risk detections in Microsoft Entra ID Protection](https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-simulate-risk). You may need to try multiple times to raise the user risk to medium or high. 7. Try accessing the application that you previously created for the scenario to confirm blocked access. You may need to wait up to one hour for block enforcement. -8. Validate that access is blocked by the Conditional Access (CA) policy that you created earlier using sign-in logs. Open non-interactive sign in logs from the ZTNA Network Access Client � Private application. View logs from the Private Access application name that you previously created as the **Resource name**. +8. Validate that access is blocked by the Conditional Access (CA) policy that you created earlier using sign-in logs. Open non-interactive sign in logs from the ZTNA Network Access Client � Private application. View logs from the Private Access application name that you previously created as the **Resource name**. 
diff --git a/Scenarios/Scenario2.md b/Scenarios/Scenario2.md index d8cdc06..12e9f83 100644 --- a/Scenarios/Scenario2.md +++ b/Scenarios/Scenario2.md @@ -1,8 +1,9 @@ -## Microsoft Entra Suite � Scenario 2 +# Modernize remote access -## Modernize remote access (Secure and governed access to all applications and resources) +> Secure and governed access to all applications and resources ## Introduction + In this guide, we describe how to configure Microsoft Entra Suite products for a scenario in which the fictional organization, Contoso, is upgrading their existing VPN solution. The new, scalable cloud-based solution helps them to move towards Secure Access Service Edge (SASE). To accomplish this objective, they deploy [Microsoft Entra Internet Access](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-internet-access), [Microsoft Entra Private Access](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-private-access), and [Microsoft Entra ID Protection](https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection). Microsoft Entra Private Access provides users (whether in an office or working remotely) secure access to private corporate resources. Microsoft Entra Private Access builds on the Microsoft Entra application proxy to extend access to any private resource, independent of TCP/IP port and protocol. @@ -34,7 +35,7 @@ These are the benefits of using these three solutions together: ## Requirements -This section defines the requirements for this scenario�s solution. +This section defines the requirements for this scenario�s solution. ## Permissions Administrators who interact with Global Secure Access preview features require the Global Secure Access Administrator and Application Administrator roles. 
@@ -72,7 +73,7 @@ In this section, we activate Global Secure Access through the Microsoft Entra ad 2. Go to **Global Secure Access> Get started > Activate Global Secure Access in your tenant**. Select **Activate** to enable SSE features. ![imagen 2](../images/RemoteA-02.png) -3. Go to **Global Secure Access> Connect > Traffic forwarding**. Toggle on Private access profile. Traffic forwarding enables you to configure the type of network traffic to tunnel through Microsoft�s Security Service Edge Solution services. Set up [traffic forwarding profiles](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-traffic-forwarding) to manage traffic types. +3. Go to **Global Secure Access> Connect > Traffic forwarding**. Toggle on Private access profile. Traffic forwarding enables you to configure the type of network traffic to tunnel through Microsoft�s Security Service Edge Solution services. Set up [traffic forwarding profiles](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-traffic-forwarding) to manage traffic types. * The Microsoft 365 access profile is for Microsoft Entra Internet Access for Microsoft 365. * The Private access profile is for Microsoft Entra Private Access. * The Internet access profile is for Microsoft Entra Internet Access. Microsoft's Security Service Edge solution only captures traffic on client devices with Global Secure Access Client installation. 
@@ -124,7 +125,7 @@ Microsoft Entra Private Access supports transmission control protocol (TCP) appl 6. Select **Users and groups**. Add the security group that you created earlier with test users that access this file share from the internet. ## Secure published application -In this section, we create a Conditional Access (CA) policy that blocks access to the new application when a user�s risk is elevated. +In this section, we create a Conditional Access (CA) policy that blocks access to the new application when a user�s risk is elevated. 1. Sign in to the Microsoft Entra admin center. Go to **Identity Protection > Conditional Access > + Create new policy**. 2. Enter a name and select users. Select users and groups. Select the security group that you created earlier. 
@@ -135,14 +136,14 @@ In this section, we create a Conditional Access (CA) policy that blocks access t 7. Review your settings. Select **Create**. ## Validate access -In this section, we validate that the user can access the file server while there�s no risk. Confirm that access is blocked when risk is detected. +In this section, we validate that the user can access the file server while there�s no risk. Confirm that access is blocked when risk is detected. 1. Sign in to the device where you previously installed the Global Secure Access client. 2. Try to access the file server by running **\\IP_address** and validate that you can browse the file share. ![imagen 8](../images/RemoteA-08.png) 3. If desired, simulate user risk by following instructions in [Simulating risk detections in Microsoft Entra ID Protection](https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-simulate-risk). You may need to try multiple times to raise user risk to medium or high. 4. Try accessing the file server to confirm that access is blocked. You may need to wait up to one hour for block enforcement. -5. Validate that access is blocked by the Conditional Access policy you created earlier using sign in logs. Open non-interactive sign in logs from *ZTNA Network Access Client � Private application*. View logs from the Private Access application name that you previously created as the **Resource name**. +5. Validate that access is blocked by the Conditional Access policy you created earlier using sign in logs. Open non-interactive sign in logs from *ZTNA Network Access Client � Private application*. View logs from the Private Access application name that you previously created as the **Resource name**. ## Resources * [What is Microsoft Entra ID Protection?](https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection) diff --git a/Scenarios/Scenario3.md b/Scenarios/Scenario3.md index bc99019..bf48673 100644 --- a/Scenarios/Scenario3.md 
+++ b/Scenarios/Scenario3.md @@ -1,6 +1,6 @@ -## Microsoft Entra Suite � Scenario 3 +# Govern internet access based on business needs -## Govern internet access based on business needs (Secure and governed access to all applications and resources) +> Secure and governed access to all applications and resources ## Introduction In this guide, we describe how to configure Microsoft Entra Suite products for a scenario in which the fictional organization, Contoso has strict default internet access policies and wants to control internet access according to business requirements. @@ -11,7 +11,7 @@ In another example scenario and corresponding solution, a SOC analyst needs to a You can replicate these high-level steps for the Contoso solution as described in this guide. 1. Sign up for Microsoft Entra Suite. Enable and configure Microsoft Entra Internet Access for desired network and security settings. -2. Deploy [Microsoft Global Secure Access clients](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-clients) on users� devices. Enable Microsoft Entra Internet Access. +2. Deploy [Microsoft Global Secure Access clients](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-clients) on users� devices. Enable Microsoft Entra Internet Access. 3. Create a security profile and web content filtering policies with a restrictive baseline policy that blocks specific web categories and web destinations for all users. 4. Create a security profile and web content filtering policies that allows access to social networking sites. 5. Create a security profile that enables the Hacking web category. 
@@ -58,7 +58,7 @@ In this section, we activate Global Secure Access through the Microsoft Entra ad 1. Sign in to the Microsoft Entra admin center with at least a Global Administrator role. 2. Go to **Global Secure Access > Get started > Activate Global Secure Access in your tenant**. Select **Activate** to enable SSE features. ![imagen 1](../images/IA-01.png) -3. Go to **Global Secure Access > Connect > Traffic forwarding**. Toggle on Private access profile. Traffic forwarding enables you to configure the type of network traffic to tunnel through Microsoft�s Security Service Edge Solution services. Set up [traffic forwarding profiles](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-traffic-forwarding) to manage traffic types. +3. Go to **Global Secure Access > Connect > Traffic forwarding**. Toggle on Private access profile. Traffic forwarding enables you to configure the type of network traffic to tunnel through Microsoft�s Security Service Edge Solution services. Set up [traffic forwarding profiles](https://learn.microsoft.com/en-us/entra/global-secure-access/concept-traffic-forwarding) to manage traffic types. * The **Microsoft access profile** is for Microsoft 365 access. * The **Private access profile** is for Microsoft Entra Private Access. * The **Internet access profile** is for Microsoft Entra Internet Access. Microsoft's Security Service Edge solution only captures traffic on client devices with Global Secure Access Client installation. 
@@ -78,9 +78,9 @@ Microsoft Entra Internet Access for Microsoft 365 and Microsoft Entra Private Ac ## Create security groups In this guide, we use two security groups to assign security profiles using Conditional Access (CA) policies. In the Microsoft Entra Portal, create security groups with these names: -1. Internet Access � Allow Social Networking sites -2. Internet Access � Allow Hacking sites -Don�t add any members to these groups. Later in this guide, we configure Identity Governance to add members on request. +1. Internet Access � Allow Social Networking sites +2. Internet Access � Allow Hacking sites +Don�t add any members to these groups. Later in this guide, we configure Identity Governance to add members on request. ## Block access with baseline profile In this section, we block access to inappropriate sites for all users in the organization with a baseline profile. @@ -197,11 +197,11 @@ In this section, we create a Conditional Access (CA) policy that enforces the ** 1. Sign in to the Microsoft Entra admin center. Go to **Protection > Conditional Access**. Select **Create new policy**. 2. In **New Conditional Access Policy**, complete these fields: - * **Name:** Internet Access � Allow Social Networking sites + * **Name:** Internet Access � Allow Social Networking sites * **Users or workload identities:** Specific users included * **What does this policy apply to?** Users and groups * **Include > Select users and groups >** Select **Users and groups** -3. Select your test group (such as *Internet Access � Allow Social Networking sites*). Select **Select**. +3. Select your test group (such as *Internet Access � Allow Social Networking sites*). Select **Select**. 4. Target resources * **Select what this policy applies to > Global Secure Access** * **Select the traffic profiles this policy applies to > Internet traffic** 
@@ -271,11 +271,11 @@ In this section, we create a Conditional Access (CA) policy that enforces the ** 1. Sign in to the Microsoft Entra admin center. Go to **Protection > Conditional Access**. Select **Create new policy**. 2. In the **New Conditional Access Policy** dialog box, complete these fields: - * **Name: Internet Access � Allow Hacking sites** + * **Name: Internet Access � Allow Hacking sites** * **Users or workload identities: Specific users included** * **What does this policy apply to? Users and groups** 3. **Include > Select users and groups** > Select **Users and groups** -4. Select your test group (such as *Internet Access � Allow Hacking sites*) > select **Select**. +4. Select your test group (such as *Internet Access � Allow Hacking sites*) > select **Select**. 5. **Target resources** * Select what this policy applies to > **Global Secure Access** * Select the traffic profiles this policy applies to > **Internet traffic** @@ -298,7 +298,7 @@ Follow these steps to create an Entitlement management catalog: ![imagen 21](../images/IA-21.png) 6. To add the resources, go to **Catalogs** and open the catalog to which you want to add resources. Select **Resources**. Select **Add resources**. -7. Add the two security groups that you previously created earlier (such as *Internet Access � Allow Social Networking sites and Internet Access � Allow Hacking sites*). +7. Add the two security groups that you previously created earlier (such as *Internet Access � Allow Social Networking sites and Internet Access � Allow Hacking sites*). ![imagen 22](../images/IA-22.png) 
@@ -308,8 +308,8 @@ In this section, we create access packages that allow users to request access to 1. Sign in to the Microsoft Entra admin center with at least an Identity Governance Administrator role. 2. Go to **Identity governance > Entitlement management > Access package**. 3. Select **New access package**. -4. For **Basics**, give the access package a name (such as *Internet Access � Allow Social Networking sites*). Specify the catalog that you previously created. -5. For **Resource roles**, select the security that you previously added (such as Internet Access � Allow Social Networking sites). +4. For **Basics**, give the access package a name (such as *Internet Access � Allow Social Networking sites*). Specify the catalog that you previously created. +5. For **Resource roles**, select the security that you previously added (such as Internet Access � Allow Social Networking sites). 6. In **Role**, select **Member**. 7. For **Requests**, select **For users in your directory**. 8. To scope the users that can request access to social networking sites, select **Specific users and groups** and add an appropriate group of users. Otherwise, select **All members**. 
@@ -320,13 +320,13 @@ In this section, we create access packages that allow users to request access to ![imagen 23](../images/IA-23.png) 12. Repeat the steps to create a new access package that allows access to hacking sites. Configure these settings: - * **Resource:** Internet Access � Allow Hacking sites + * **Resource:** Internet Access � Allow Hacking sites * **Who can request:** SOC team members * **Lifecycle:** Set Number of hours to 8 hours ## Test user access -In this section, we validate that the user can�t access sites that the baseline profile blocks. +In this section, we validate that the user can�t access sites that the baseline profile blocks. 1. Sign in to the device where you have installed the Global Secure Access client. 2. In a browser, go to sites that the baseline profile blocks and verify blocked access. For example: 
@@ -337,18 +337,18 @@ In this section, we validate that the user can ## Request social networking access In this section, we validate that a Marketing department user can request access to social networking sites. -1. Sign in to the device where you have installed the Global Secure Access client with a user that is a member of the Marketing team (or a user that has authorization to request access to the example Internet Access � Allow Social Networking sites access package). +1. Sign in to the device where you have installed the Global Secure Access client with a user that is a member of the Marketing team (or a user that has authorization to request access to the example Internet Access � Allow Social Networking sites access package). 2. In a browser, validate blocked access to a site in the Social Networking category that the baseline security profile blocks. For example, try accessing youtube.com. ![imagen 25](../images/IA-25.png) -3. Browse to https://myaccess.microsoft.com. Select **Access packages**. Select **Request** for the *Internet Access � Allow Social Networking sites* access package. +3. Browse to https://myaccess.microsoft.com. Select **Access packages**. Select **Request** for the *Internet Access � Allow Social Networking sites* access package. ![imagen 26](../images/IA-26.png) 4. Select **Continue**. Select **Request**. 5. If you configured approval for the access package, sign in as an approver. Browse to https://myaccess.microsoft.com. Approve the request. -6. Sign in as a Marketing department user. Browse to https://myaccess.microsoft.com. Select **Request history**. Validate your request status to Internet Access � Allow Social Networking sites is Delivered. +6. Sign in as a Marketing department user. Browse to https://myaccess.microsoft.com. Select **Request history**. Validate your request status to Internet Access � Allow Social Networking sites is Delivered. 7. New settings may take a few minutes to apply. 
To speed up the process, right-click the Global Secure Access icon in the system tray. Select **Log in as a different user**. Sign in again. 8. Try accessing sites in the social networking category that the baseline security profile blocks. Validate that you can successfully browse them. For example, try browsing youtube.com. 
@@ -358,15 +358,15 @@ In this section, we validate that a Marketing department user can request access ## Request hacking site access In this section, we validate that a SOC team user can request access to hacking sites. -1. Sign in to the device where you have installed the Global Secure Access client with a user that is a member of the SOC team (or a user that has authorization to request access to the example Internet Access � Allow Hacking sites access package). +1. Sign in to the device where you have installed the Global Secure Access client with a user that is a member of the SOC team (or a user that has authorization to request access to the example Internet Access � Allow Hacking sites access package). 2. In a browser, validate blocked access to a site in the hacking category that the baseline security profile blocks. For example, hackthissite.org. ![imagen 28](../images/IA-28.png) -3. Browse to https://myaccess.microsoft.com. Select **Access packages**. Select **Request** for the *Internet Access � Allow Hacking sites* access package. +3. Browse to https://myaccess.microsoft.com. Select **Access packages**. Select **Request** for the *Internet Access � Allow Hacking sites* access package. 4. Select **Continue**. Select **Request**. 5. If you configured approval for the access package, sign in as an approver. Browse to https://myaccess.microsoft.com. Approve the request. -6. Sign in as a SOC team user. Browse to https://myaccess.microsoft.com. Select **Request history**. Validate your request status to Internet Access � Allow Hacking sites is **Delivered**. +6. Sign in as a SOC team user. Browse to https://myaccess.microsoft.com. Select **Request history**. Validate your request status to Internet Access � Allow Hacking sites is **Delivered**. 7. New settings may take a few minutes to apply. To speed up the process, right-click the Global Secure Access icon in the system tray. Select **Log in as a different user**. Sign in again. 8. 
Try accessing sites in the hacking category that the baseline security profile blocks. Validate that you can successfully browse them. For example, try browsing hackthissite.org. diff --git a/website/docs/intro.md b/website/docs/intro.md index d9d052d..950851e 100644 --- a/website/docs/intro.md +++ b/website/docs/intro.md @@ -26,7 +26,7 @@ The Entra Suite includes five deeply integrated products: Explore our real-life scenarios that articulate the value of Microsoft Entra Suite and how its capabilities work together. -- [POC Overview](./Scenarios/Readme.md) +- [POC in a Box](./Scenarios/Readme.md) ## 🏆 Entra Suite Products Training Hubs
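Review bot: in the README.md hunk, the new POC Overview target `./Scenarios/entra-suite-poc-overview.md` is not one of the five files this patch touches, so unless that file already exists in the repository the hunk swaps one broken link (the removed `.pptx`) for another; please confirm the file is present at that exact path and casing before merging. The `.//Scenarios/Scenario1.md` to `./Scenarios/Scenario1.md` correction looks right.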
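Review bot: the Scenario1.md `@@ -1,6` hunk replaces two `##` headings with an `#` title plus a `>` blockquote subtitle, which is a heading restructure rather than a link fix, and the same rewrite is repeated in Scenario2.md and Scenario3.md; either mention the heading normalisation in the commit message (currently only "fixed broken links") or split it into its own commit so the intent is reviewable, and check whether anything under `website/docs` derives page titles from the first heading, since the visible title text changes.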
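Review bot: in the Scenario1.md `@@ -10,9` hunk the removed and added lines are identical as rendered (the bullet markers and the dashes still show as `�` on both sides), so the change appears to be a byte-level encoding or line-ending fix only; confirm the file is now saved as UTF-8 so the bullets and dashes render, and since the line is being rewritten anyway, fix the duplicated wording in "they base access packages on based on invitation" (drop "on based" or "based on").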
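Review bot: the unchanged context line `![image 3] (../images/VID-03.png)` at the end of the Scenario1.md `@@ -47,7` hunk has a space between `]` and `(`, which breaks Markdown image syntax and leaves a broken image in a patch titled "fixed broken links"; change it to `![image 3](../images/VID-03.png)`. Its alt text `image 3` also differs from the `imagen N` alt text used by every other figure in these files.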
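Review bot: the only change in the Scenario1.md `@@ -148,7` hunk is the dash inside "ZTNA Network Access Client � Private application", which is the display name a reader filters on in the sign-in logs; verify the character now in the file matches what the portal shows, because a copy-pasted filter string with a different dash returns nothing. Scenario2.md sets the same name in italics (`*ZTNA Network Access Client � Private application*`); do the same here for consistency.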
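Review bot: in the Scenario2.md `@@ -135,14` hunk, the unchanged step 2 `running **\\IP_address**` renders in Markdown as a single backslash (`\IP_address`), so the UNC path the reader is told to type loses its leading `\\`; escape it as `\\\\IP_address` or put it in inline code. The same hunk writes "sign in logs" where the rest of the file uses "sign-in logs".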
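Review bot: in the Scenario3.md `@@ -58,7` hunk, step 3 says "Toggle on Private access profile", yet this scenario enables Microsoft Entra Internet Access (see step 1 of the `@@ -11,7` hunk) and the bullets directly below state that the Internet access profile is the one for Microsoft Entra Internet Access; the step reads as copied from Scenario2.md, so confirm which profile should be toggled here and correct the step if it is the Internet access profile.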
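Review bot: the Scenario3.md `@@ -78,9` hunk changes the dash byte in the two security group names ("Internet Access � Allow Social Networking sites" and "Internet Access � Allow Hacking sites"); those exact strings are reused as the Conditional Access policy names (`@@ -197,11`, `@@ -271,11`), as catalog resources (`@@ -298,7`) and as access package names (`@@ -308,8`), so verify all occurrences now use the same character, otherwise the "such as" references will not match the groups a reader created.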
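Review bot: step 7 in the Scenario3.md `@@ -298,7` hunk reads "that you previously created earlier", which is redundant; since the line is being touched, drop "earlier". The italic span also wraps both names and the word "and" in one emphasis run; italicise each group name separately.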
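Review bot: step 5 in the Scenario3.md `@@ -308,8` hunk is missing a noun: "select the security that you previously added" should read "select the security group that you previously added", and the example name there should be italicised like the one in step 4.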
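Review bot: the website/docs/intro.md hunk changes only the link text (`POC Overview` to `POC in a Box`) while keeping the target `./Scenarios/Readme.md`; the repository root file in this same patch is `README.md` in upper case, so confirm the docs tree really contains `Readme.md` with that casing, since a case-sensitive build would otherwise produce exactly the kind of broken link this commit sets out to fix.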