Introduction
In this article, I’ll walk you through the steps to enable the “Microsoft Traffic Profile,” a feature from Microsoft’s Security Service Edge solution. This feature forwards traffic from devices to Microsoft’s Security Service Edge proxy for Microsoft services. Let’s get started and explore this powerful feature!

What is the Microsoft Traffic Profile?
The Microsoft Traffic Profile is part of Global Secure Access. It handles traffic to Microsoft services like Exchange Online, SharePoint Online, and OneDrive, and ensures that this traffic is securely routed through the Microsoft Entra Internet Access service.
Features and Benefits
- It captures traffic from trusted networks, users, and devices without using Internet routing. It simplifies firewall configuration by eliminating the need to open ports or allow specific IP addresses, enhancing security with minimal effort.

- You can manage access to Microsoft services like Exchange Online and SharePoint Online through specific policies. It enhances efficiency in controlling access to key services, ensuring secure management with Microsoft Entra ID for identity and Microsoft Graph for data insights.

- The Microsoft Global Secure Access service automatically connects Conditional Access Policies. It improves efficiency through automated secure routing and policy applications.

- You can apply this policy to all users or specific groups.

- You can enforce this policy on all your organization’s remote networks. It simplifies secure traffic management across remote locations.

Here are some benefits of using the Microsoft Traffic Profile:
- It helps secure Microsoft services traffic by preventing unauthorized access and minimizing the risk of cyber threats.
- Reduces the need for complicated firewall settings, like opening ports or allowing IPs.
- By routing traffic through trusted networks, it ensures faster access to services like Exchange Online, SharePoint Online, and OneDrive.
- It helps meet regulatory requirements by controlling traffic to and from Microsoft services more effectively.
- It simplifies the process of setting up secure access to Microsoft services, requiring fewer manual configurations.
Prerequisites
Take a look at this table that outlines the requirements needed to activate the Microsoft Traffic profile.
| Prerequisite | Description |
|---|---|
| Global Secure Access Administrator Role | You must have the Global Secure Access Administrator role in Microsoft Entra ID. |
| Conditional Access Administrator Role | You need the Conditional Access Administrator role to create and interact with policies. |
| Licensing | Required licenses include Microsoft Entra ID P1 or P2. |
Limitation
Check out this table that highlights the key limitations of the Microsoft Traffic Profile.
| Limitation | Description |
|---|---|
| Ongoing Service Addition | Individual services are added to the Microsoft Traffic Profile on an ongoing basis. |
| Supported Services | Currently supports Microsoft Entra ID, Microsoft Graph, Exchange Online, and SharePoint Online |
| Windows Client Limitations | Additional limitations specific to Windows clients may apply |
Implementation Steps
To turn on the Microsoft Traffic Profile, follow the steps below:
Step 1: Enable Microsoft Traffic Profile
- First, sign in to the Microsoft Entra Admin portal as a Global Admin or Global Secure Access Admin.
- Navigate to Global Secure Access > Connect > Traffic forwarding, click Enable, and then click OK to continue.
- Wait a few seconds for the system to respond, and then check for the notification confirming the profile is enabled.
- Verify the Microsoft traffic profile policies and rules. I just created a brief video to showcase the policy details of all Microsoft 365 services.
Step 2: Assign Users to Microsoft Traffic Profile
Next, assign the profile to specific users or groups instead of applying it to all users. In this demo, I assign it to a group.

Step 3: Install the Global Secure Access Client
- Download the client software from the Admin portal.

- Install the application on a client machine that runs Windows 10 or 11. Please ensure that your device is connected to Microsoft Entra.

Step 4: Verify the installation
- After you install the software, hover over the connection icon to see a notification that you are connected to SSE.

- Sign in to the Office 365 portal to check your emails and other services to generate traffic for Microsoft 365 services.
- Additionally, you can check the available options on the client side, including “Client menu action,” GSA services, etc., as shown in the video below.
Step 5: Monitoring
After installing the client software, return to the Global Secure Access dashboard to explore network traffic insights for Microsoft 365 services. Key sections include:
- Displays logs exclusively related to Microsoft 365 traffic for streamlined visibility.
- Provides a snapshot of device statuses from the past 24 hours.
- Summarizes the number of notifications received over the last 24 hours.
- Analyzes trends based on unique transactions, users, devices, and data volumes.
- Tracks and documents Global Secure Access configuration changes, such as traffic forwarding profiles and remote network management.
- Offers detailed summaries of network connections, including who accessed what, the source and destination IPs, traffic type, and forwarding profile relevance.
Check out the video clip below to visualize Microsoft 365 traffic on the dashboard.
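The check behind Steps 2 to 5, as an added example that is not part of the original article or of Microsoft's tooling: given traffic log records exported as JSON, it reports which assigned users produced no Microsoft 365 traffic through the profile and which unassigned users did. The field names, the `microsoft365` traffic type value, the user list and the records themselves are assumptions constructed for illustration; adjust them to your own export.

```python
import json
from collections import defaultdict

# Constructed sample export (not real tenant data). Field names and the
# "microsoft365" traffic type value are assumptions about the export format.
SAMPLE_LOG = """[
 {"userPrincipalName": "alice@contoso.example", "trafficType": "microsoft365",
  "destinationFQDN": "outlook.office365.com", "sentBytes": 1200, "receivedBytes": 8400},
 {"userPrincipalName": "Alice@contoso.example", "trafficType": "microsoft365",
  "destinationFQDN": "contoso.sharepoint.com", "sentBytes": 300, "receivedBytes": 5100},
 {"userPrincipalName": "bob@contoso.example", "trafficType": "internet",
  "destinationFQDN": "www.example.org", "sentBytes": 90, "receivedBytes": 700},
 {"userPrincipalName": "carol@contoso.example", "trafficType": "microsoft365",
  "destinationFQDN": "graph.microsoft.com", "sentBytes": 50, "receivedBytes": 410},
 {"userPrincipalName": null, "trafficType": "microsoft365",
  "destinationFQDN": "login.microsoftonline.com", "sentBytes": 10, "receivedBytes": 20}
]"""
ASSIGNED_USERS = ["alice@contoso.example", "bob@contoso.example"]  # hypothetical Step 2 group

def profile_coverage(records, assigned_users, traffic_type="microsoft365"):
    """Compare who is assigned to the profile with who actually sent traffic through it."""
    assigned = {u.lower() for u in assigned_users}
    per_user = defaultdict(lambda: {"records": 0, "bytes": 0, "destinations": set()})
    unexpected, no_identity = set(), 0
    for rec in records:
        if rec.get("trafficType") != traffic_type:
            continue  # traffic of other profiles is out of scope for this check
        upn = (rec.get("userPrincipalName") or "").lower()
        if not upn:
            no_identity += 1  # record without a user: count it, do not guess the owner
            continue
        if upn not in assigned:
            unexpected.add(upn)  # profile reaches users outside the intended group
            continue
        stats = per_user[upn]
        stats["records"] += 1
        stats["bytes"] += int(rec.get("sentBytes") or 0) + int(rec.get("receivedBytes") or 0)
        stats["destinations"].add(rec.get("destinationFQDN"))
    return {
        "per_user": dict(per_user),
        "missing": sorted(assigned - set(per_user)),  # assigned, but no profile traffic seen
        "unexpected": sorted(unexpected),
        "no_identity": no_identity,
    }

if __name__ == "__main__":
    report = profile_coverage(json.loads(SAMPLE_LOG), ASSIGNED_USERS)
    print("missing:", report["missing"], "unexpected:", report["unexpected"])
```

A user listed under `missing` usually means the client is not installed, not connected, or the device has not generated Microsoft 365 traffic yet; a user under `unexpected` means the profile assignment is broader than the group you intended.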
Use Cases
Here are some use cases where an organization can significantly benefit from configuring “Microsoft Traffic Only” through solutions like Microsoft Global Secure Access:
| Use Case | Description | Benefit |
|---|---|---|
| Optimized Microsoft 365 Performance | Organizations relying heavily on Microsoft 365 services like Teams, Exchange, and SharePoint. | Reduces latency and improves performance for collaboration tools. |
| Enhanced Security for Microsoft Workloads | Prioritizing secure access to Microsoft 365 services. | Routes traffic through Microsoft’s Security Service Edge with advanced security features. |
| Simplified Traffic Management | Organizations with limited IT resources for managing complex routing. | Focuses traffic filtering on Microsoft endpoints, reducing complexity. |
| Compliance with Regulatory Requirements | Industries like healthcare or finance with strict data transmission standards. | Ensures secure routing of Microsoft traffic to meet compliance requirements. |
| Bandwidth Optimization | Organizations with constrained internet bandwidth. | Saves bandwidth by focusing inspection only on Microsoft workloads. |
| Cost Savings on Licensing | Using Microsoft Entra ID P2 without premium licenses. | Avoids additional licensing costs while securing Microsoft traffic. |
| Simplified Troubleshooting and Auditing | IT teams managing performance and security for Microsoft environments. | Limits traffic logs to Microsoft services, simplifying issue identification and resolution. |
Wrap up
In this demonstration, we:
- successfully enabled a profile to redirect traffic for Microsoft 365 services through the Security Service Edge.
- assigned the profile to specific groups, leveraging only a Microsoft Entra ID P2 license and avoiding the need for additional licenses like Microsoft Entra Internet Access, Private Access, or Entra Suite.
- installed the Global Secure Access client on a Windows 11 device joined to Microsoft Entra, ensuring a seamless connection to the Microsoft Security Service Edge Firewall.
- signed in to the Office 365 portal to generate traffic for Microsoft 365 services.
- verified functionality by reviewing network traffic logs for Microsoft 365 services and monitoring Audit and Traffic logs for accuracy.
Stay tuned for my next article, where I’ll delve deeper into this feature and share more insights from my experiences.
Thank you so much for taking the time to read! Wishing you an absolutely wonderful day ahead filled with joy and inspiration!






