
Entra SSE Part 2: Building the Zero Trust Defense That Stopped the Breach


The attacker pivots to exfiltrate data via unmanaged SaaS apps. Can GSA stop them? Spoiler: Yes—and we'll show you how.


Scene 3: The Pivot


The attacker tries to upload sensitive files to a personal Dropbox account.

Legacy VPN? Wouldn't stop it. Entra GSA? Already enforcing app-based segmentation and real-time inspection.

Alex watches as the Conditional Access engine evaluates:

  • Device compliance

  • User risk score

  • App sensitivity


Result? Block.


Step 1: Conditional Access Everywhere


Block Unmanaged Devices from Cloud Storage


# Connect to Microsoft Graph (Group.Read.All is needed for the Get-MgGroup lookup below)
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Look up the Finance user group; the policy targets it by object ID
$financeGroup = Get-MgGroup -Filter "displayName eq 'Finance-Users'" -Top 1
if (-not $financeGroup) {
    throw "Group 'Finance-Users' not found. Create it before running this script."
}

# Create Conditional Access Policy
$params = @{
    DisplayName = "Block Unmanaged Devices - Cloud Storage"
    State = "enabledForReportingButNotEnforced"  # Use "enabled" for production
    Conditions = @{
        Applications = @{
            IncludeApplications = @("All")  # Or specific app IDs for Dropbox, Box, etc.
        }
        Users = @{
            IncludeGroups = @($financeGroup.Id)
        }
        ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    GrantControls = @{
        # Access is granted only if at least one of these device controls is satisfied,
        # so unmanaged devices are blocked
        Operator = "OR"
        BuiltInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

What this does:
  • Blocks access to cloud apps from unmanaged devices

  • Allows only compliant or domain-joined devices

  • Applies to Finance users group

  • Starts in Report-Only mode for testing
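A read-back check for the policy created above, added here as an example (it is not code from the original post). It fetches the policy by display name and compares the settings that matter (state, grant controls, the targeted group) with what was intended, so configuration drift is caught before the policy is switched from report-only to enforced. It also flags the one thing the Step 1 policy does not do: exclude a break-glass group. A policy scoped to all apps that demands a compliant device will lock administrators out of the portal if their emergency accounts are not excluded. The group name "Emergency-Access" is a placeholder for whatever break-glass group a tenant uses; the cmdlets are the standard Microsoft.Graph ones.

```powershell
# Added example: read a Conditional Access policy back and compare it with the
# intended configuration. Assumes an existing Connect-MgGraph session with
# Policy.Read.All (or Policy.ReadWrite.ConditionalAccess) and Group.Read.All.
# "Emergency-Access" is a placeholder name for the tenant's break-glass group.

function Test-CaPolicyConfiguration {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $ExpectedGrantControls,
        [Parameter(Mandatory)] [string]   $ExpectedGroupName,
        [string] $BreakGlassGroupName = "Emergency-Access",
        [string] $ExpectedState = "enabledForReportingButNotEnforced"
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Filter server-side on displayName instead of paging through every policy
    $policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$DisplayName'" |
        Select-Object -First 1
    if (-not $policy) {
        return [pscustomobject]@{ Policy = $DisplayName; Ok = $false; Findings = @("policy not found") }
    }

    if ($policy.State -ne $ExpectedState) {
        $findings.Add("state is '$($policy.State)', expected '$ExpectedState'")
    }

    # Grant controls: compare as sorted sets so ordering does not matter
    $actual   = @($policy.GrantControls.BuiltInControls | Sort-Object) -join ','
    $expected = @($ExpectedGrantControls | Sort-Object) -join ','
    if ($actual -ne $expected) {
        $findings.Add("grant controls are [$actual], expected [$expected]")
    }

    # Included group: resolve the name to an object ID and check the policy scope
    $group = Get-MgGroup -Filter "displayName eq '$ExpectedGroupName'" -Top 1
    if (-not $group -or $policy.Conditions.Users.IncludeGroups -notcontains $group.Id) {
        $findings.Add("group '$ExpectedGroupName' is not in IncludeGroups")
    }

    # Break-glass exclusion: an "All apps" policy requiring a compliant device
    # must exclude the emergency-access accounts or it can lock admins out
    $breakGlass = Get-MgGroup -Filter "displayName eq '$BreakGlassGroupName'" -Top 1
    if (-not $breakGlass -or $policy.Conditions.Users.ExcludeGroups -notcontains $breakGlass.Id) {
        $findings.Add("break-glass group '$BreakGlassGroupName' is not excluded")
    }

    [pscustomobject]@{
        Policy   = $policy.DisplayName
        Ok       = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Check the policy created in Step 1
Test-CaPolicyConfiguration -DisplayName "Block Unmanaged Devices - Cloud Storage" `
    -ExpectedGrantControls @("compliantDevice", "domainJoinedDevice") `
    -ExpectedGroupName "Finance-Users" | Format-List
```

Run against the Step 1 policy as written, the check reports the missing break-glass exclusion; add the group under `Conditions.Users.ExcludeGroups` before moving the policy out of report-only. The same function can be scheduled against every production policy as a lightweight drift detector.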


Step 2: Private Access Without VPN


Publish Internal Apps via Entra Private Access

# Connect with Network Access permissions
Connect-MgGraph -Scopes "NetworkAccess.ReadWrite.All"

# Get Private Access forwarding profile
$privateProfile = Get-MgBetaNetworkAccessForwardingProfile -All | 
    Where-Object { $_.Name -like "*Private*" } | 
    Select-Object -First 1

# Configure application segment for internal finance app
$appParams = @{
    Name = "Finance Portal"
    Description = "Internal finance application"
    Fqdn = "finance.internal.company.com"
    Ports = @(
        @{
            Port = 443
            Protocol = "TCP"
        }
    )
}

# Note: API structure may vary - check latest Microsoft Graph documentation
# New-MgBetaNetworkAccessForwardingProfilePolicy -ForwardingProfileId $privateProfile.Id -BodyParameter $appParams

Benefits:
  • No VPN required - users access internal apps securely from anywhere

  • Per-app access control with Conditional Access integration

  • Requires compliant device + MFA

  • Eliminates VPN attack surface



Step 3: Continuous Monitoring


Query Blocked Sign-ins with PowerShell

# Connect with audit permissions
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Helper function for datetime formatting
function Get-GraphDateTimeFormat {
    param([DateTime]$DateTime)
    return $DateTime.ToUniversalTime().ToString(
        "yyyy-MM-ddTHH:mm:ss.fffZ", 
        [System.Globalization.CultureInfo]::InvariantCulture
    )
}

# Query sign-ins from last 7 days
$startDate = Get-GraphDateTimeFormat -DateTime (Get-Date).AddDays(-7)
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $startDate" -All

# Filter for CA blocks
$blockedByCA = $signIns | Where-Object {
    $_.ConditionalAccessStatus -eq "failure"
}

# Summarize blocked attempts
$blockedByCA | Group-Object AppDisplayName | 
    Select-Object Count, @{N='Application';E={$_.Name}} |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
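The query above counts sign-ins that Conditional Access actually blocked. Because the policies in Step 1 and Step 4 start in report-only mode, they never produce a "failure" status; their verdict is recorded per policy in each sign-in's applied-policies list as `reportOnlyFailure` (would have been blocked) or `reportOnlySuccess`. The example below, added here and not part of the original post, reads that list to show who a report-only policy would have affected, and then promotes the policy to enforced only when no account on an allow-list would have been caught. It assumes a Graph session with AuditLog.Read.All and Policy.ReadWrite.ConditionalAccess; the policy name is the one used in Step 1, and the allow-list is whatever exceptions a tenant knows about.

```powershell
# Added example: review what a report-only Conditional Access policy WOULD have
# done before enforcing it. Assumes Connect-MgGraph with AuditLog.Read.All and
# Policy.ReadWrite.ConditionalAccess. Policy name is the one from Step 1.

function Get-ReportOnlyImpact {
    param(
        [Parameter(Mandatory)] [string] $PolicyDisplayName,
        [int] $Days = 7
    )
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    # -All pages through every sign-in in the window; narrow $Days on large tenants
    $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

    foreach ($s in $signIns) {
        # Each sign-in carries the verdict of every evaluated policy, report-only ones included
        $applied = $s.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $PolicyDisplayName }
        if (-not $applied) { continue }

        [pscustomobject]@{
            Time      = $s.CreatedDateTime
            User      = $s.UserPrincipalName
            App       = $s.AppDisplayName
            Result    = $applied.Result            # reportOnlyFailure = would have been blocked
            Compliant = $s.DeviceDetail.IsCompliant
            Risk      = $s.RiskLevelDuringSignIn
            IPAddress = $s.IPAddress
        }
    }
}

function Enable-CaPolicyIfClean {
    param(
        [Parameter(Mandatory)] [string] $PolicyDisplayName,
        [string[]] $MustNotBeBlocked = @()   # UPNs that are known, accepted exceptions
    )
    $wouldBlock = Get-ReportOnlyImpact -PolicyDisplayName $PolicyDisplayName |
        Where-Object Result -eq "reportOnlyFailure"
    $collateral = $wouldBlock | Where-Object { $MustNotBeBlocked -contains $_.User }
    if ($collateral) {
        Write-Warning "Not enabling '$PolicyDisplayName': it would block $(($collateral.User | Sort-Object -Unique) -join ', ')"
        return $false
    }
    $policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyDisplayName'" |
        Select-Object -First 1
    if (-not $policy) { throw "Policy '$PolicyDisplayName' not found" }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
        -BodyParameter @{ State = "enabled" }
    return $true
}

# Impact summary: verdict counts, then the users most often caught by the policy
$impact = Get-ReportOnlyImpact -PolicyDisplayName "Block Unmanaged Devices - Cloud Storage"
$impact | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize
$impact | Where-Object Result -eq "reportOnlyFailure" |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize

# Promote to enforced only if the break-glass account would not be caught
Enable-CaPolicyIfClean -PolicyDisplayName "Block Unmanaged Devices - Cloud Storage" `
    -MustNotBeBlocked @("breakglass@yourtenant.onmicrosoft.com")
```

The `Compliant` and `Risk` columns are what make the review useful: a `reportOnlyFailure` from a non-compliant device is the policy working as designed, while one from a compliant device points at a misconfigured condition that needs fixing before enforcement.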

Query with KQL in Sentinel

// Detect risky sign-ins blocked by GSA Conditional Access
SigninLogs
| where TimeGenerated > ago(7d)
| where ConditionalAccessStatus == "failure"
| summarize BlockedAttempts = count() by AppDisplayName, tostring(LocationDetails.city)
| sort by BlockedAttempts desc
| take 10

Step 4: Advanced Policies


Policy 1: Enforce Phishing-Resistant MFA

# Reading authentication strength policies needs Policy.Read.All in addition to
# the scopes connected in Step 1; $financeGroup is the group looked up there.

# Get the built-in phishing-resistant authentication strength
$authStrengths = Get-MgPolicyAuthenticationStrengthPolicy -All
$phishingResistant = $authStrengths |
    Where-Object { $_.DisplayName -like "*Phishing*resistant*" } |
    Select-Object -First 1
if (-not $phishingResistant) {
    throw "Phishing-resistant MFA authentication strength not found."
}

# Create policy for high-risk sign-ins
$params = @{
    DisplayName = "Require FIDO2 for High-Risk Apps"
    State = "enabledForReportingButNotEnforced"
    Conditions = @{
        Applications = @{
            IncludeApplications = @("All")
        }
        Users = @{
            IncludeGroups = @($financeGroup.Id)
        }
        SignInRiskLevels = @("high", "medium")
        ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    GrantControls = @{
        Operator = "OR"
        AuthenticationStrength = @{
            Id = $phishingResistant.Id
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

What this does:
  • Requires FIDO2/passkey for high-risk sign-ins

  • Protects against phishing attacks

  • Applies only when risk is detected

  • No friction for normal users


Policy 2: Monitor and Control SaaS Traffic

# Requires Defender for Cloud Apps licensing
$params = @{
    DisplayName = "Monitor SaaS Access - Finance"
    State = "enabledForReportingButNotEnforced"
    Conditions = @{
        Applications = @{
            IncludeApplications = @("All")  # Or specific cloud storage apps
        }
        Users = @{
            IncludeGroups = @($financeGroup.Id)
        }
        ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    GrantControls = @{
        Operator = "OR"
        BuiltInControls = @("mfa")
    }
    SessionControls = @{
        CloudAppSecurity = @{
            CloudAppSecurityType = "monitorOnly"  # or "blockDownloads"
            IsEnabled = $true
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

What this does:
  • Routes sessions through Defender for Cloud Apps

  • Monitors file uploads/downloads in real-time

  • Can block sensitive data exfiltration

  • Logs all activity for investigation


Configure Session Policies in Defender for Cloud Apps


After creating the Conditional Access policy above, configure session policies in the Defender for Cloud Apps portal:

Session Policy Configuration:
  1. Navigate to: Cloud App Security portal → Policies → Session policies

  2. Create new session policy:

    • Policy name: Block Sensitive File Uploads to Personal Cloud

    • Session control type: Control file upload (with inspection)

    • Activity source: Apply to Finance-Users group

    • Files matching: Sensitivity label = "Confidential"

    • Actions: Block with custom message

Custom Block Message:

This file contains sensitive company data and cannot be uploaded to personal cloud storage.

Please use OneDrive for Business: https://yourtenant.sharepoint.com

Contact IT support if you need assistance.

Alternative: Block with GSA Internet Access


For a more aggressive approach, use Entra GSA Internet Access to block personal cloud storage at the network level:


# Get the Internet Access forwarding profile (traffic types are "m365", "internet"
# and "private"; the Microsoft 365 profile is a separate profile and is not used here)
$internetProfile = Get-MgBetaNetworkAccessForwardingProfile -All |
    Where-Object { $_.TrafficForwardingType -eq "internet" } |
    Select-Object -First 1
if (-not $internetProfile) {
    throw "Internet Access forwarding profile not found. Enable it in the Global Secure Access portal first."
}

# Create FQDN blocking policy
$policyParams = @{
    Name = "Block Personal Cloud Storage"
    Description = "Block Dropbox, Google Drive, personal OneDrive"
    Action = "block"
    RuleType = "fqdn"
    Destinations = @(
        @{ Value = "*.dropbox.com" },
        @{ Value = "drive.google.com" },
        @{ Value = "*.box.com" },
        @{ Value = "onedrive.live.com" }
    )
}

New-MgBetaNetworkAccessForwardingProfilePolicy `
    -ForwardingProfileId $internetProfile.Id `
    -BodyParameter $policyParams

User Experience:
  • User tries to access Dropbox → GSA client blocks at network level

  • Custom block page displays with redirect to corporate OneDrive

  • All attempts logged to Sentinel


Scene 4: The Resolution


Within minutes:

Attacker's Dropbox upload blocked by session policy

Block notification displayed: "This action violates policy. Use OneDrive for Business instead."

SOC receives automated alert in Sentinel with full context:

  • User identity and risk score

  • File metadata and sensitivity

  • Device compliance status

  • Recommended actions


The attacker? Stopped cold. The network? Zero Trust enforced globally.


💡 Why This Matters


This isn't theory. This is production-ready Zero Trust with Entra GSA.


Real-World Impact:


  • No VPN complexity - Users work from anywhere securely

  • Unified policy engine - One Conditional Access for all apps

  • Real-time protection - Blocks happen instantly, not after investigation

  • Complete visibility - Every access decision logged and analyzed


Entra GSA vs Zscaler: Real-World Comparison

Factor               | Entra GSA                                  | Zscaler
---------------------|--------------------------------------------|-----------------------------------
Deployment Speed     | Integrates with Entra ID instantly         | Requires separate connector setup
Unified Policy       | One Conditional Access engine for all apps | Multiple policy layers to manage
Identity Integration | Native Azure AD/Entra ID integration       | Third-party identity integration
Cost Efficiency      | Included with Microsoft E5 Security        | Separate Zscaler subscription
Client Requirements  | GSA client for Private/Internet Access     | Zscaler client required
Session Controls     | Integrated with Defender for Cloud Apps    | Built-in DLP and inspection


When to choose Entra GSA:
  • Existing Microsoft E5 investment

  • Need tight Entra ID integration

  • Want unified policy management

  • Microsoft-first security stack

When to consider Zscaler:
  • Multi-cloud, multi-vendor environment

  • Mature ZPA/ZIA deployment

  • Need specific Zscaler features

  • Non-Microsoft primary stack


🚀 Fortytwo's Services


We help organizations deploy Entra GSA with confidence:

Zero Trust Strategy Design

  • Architecture planning and roadmap

  • Risk assessment and gap analysis

Entra GSA Deployment

  • Private Access configuration

  • Internet Access policies

  • Client rollout and testing

Policy Automation and Governance

  • Infrastructure-as-Code for CA policies

  • Automated compliance checking

  • Policy drift detection

Integration Services

  • Defender XDR correlation

  • Sentinel SIEM integration

  • Purview DLP orchestration


✅ Next Steps


Ready to get started?
  1. Book a Fortytwo Zero Trust Workshop - Schedule here

  2. Download our GSA Implementation Guide - Best practices and lessons learned

  3. Follow us for real-world success stories and Entra vs Zscaler deep dives

Pilot Program:
  • Week 1-2: Architecture review and planning

  • Week 3-4: Private Access pilot with internal apps

  • Week 5-6: Conditional Access policy deployment

  • Week 7-8: Full rollout with monitoring


🔮 Future Outlook


Zero Trust is evolving with AI:
🤖 AI-driven access decisions using behavioral analytics
  • Microsoft Security Copilot integration

  • Real-time risk scoring with ML

🔐 Agentic AI for identity governance
  • Automated access reviews

  • Smart policy recommendations

🛡️ Predictive threat blocking
  • Pre-emptive blocks based on attack patterns

  • Cross-signal correlation


Fortytwo is leading this transformation - helping enterprises stay ahead of attackers with Microsoft's latest security innovations.


Ready to Transform Your Security?


Partner with Fortytwo to deploy Microsoft Entra Global Secure Access and achieve true Zero Trust.

Contact us today:

Let's build your Zero Trust architecture together. 🚀

