Episode 375 – Securing Your Digital World: An Intro to Global Secure Access

Apr 25, 2024 | 38 min

Episode description

Welcome to Episode 375 of the Microsoft Cloud IT Pro Podcast, where we discuss Microsoft's Global Secure Access offering. We explain how Global Secure Access brings identity, network, and endpoint access together under one service and how it combines with Defender for Cloud Apps and is built around the capacity of the Microsoft WAN. Join us as we take a deep dive into the world of digital security and learn how Global Secure Access can help you secure your digital world.

Like what you hear and want to support the show? Check out our membership options.

Show Notes

What is Global Secure Access (preview)?
Global Secure Access clients
Global Secure Access client for Windows (preview)
Global Secure Access (preview) traffic forwarding profiles
Learn about Microsoft Entra Private Access
Learn about Microsoft Entra Internet Access for all apps
How to use the Global Secure Access (preview) enriched Microsoft 365 logs

About the sponsors

Would you like to become the irreplaceable Microsoft 365 resource for your organization? Let us know!

Transcript

- Welcome to episode 375 of the Microsoft Cloud IT Pro Podcast recorded live on April 19th, 2024. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users where we discuss the topic or recent news and how it relates to you. This week we'll be discussing Global Secure Access as part of the Microsoft Security Service Edge and how Global Secure Access brings identity, network and endpoint access together under one service.

We'll discuss some of the services that it includes that may seem familiar to you as it relates to Defender for Cloud Apps and App Proxy. We'll also talk about some of the key features around internet access and private access, as well as the Global Secure Access clients for Windows and Android and the upcoming ones for macOS and iOS. We'll also talk about the benefits provided by these services, taking advantage of the Microsoft global WAN.

Join us as we take a deep dive into the world of digital security and learn how Global Secure Access can help you secure your digital world. Here we go. Scott, what is Global Secure Access in preview? That's our topic for today. Global Secure Access. This was, have you played with global security access? Oh, Todd's been putting out fires all day. He said, why not come put out more fires at my house. Alright, good to know. Todd. Okay, what is Global Secure Access Squirrel.

Scott Squirrel. Yeah, global - Secure Access. Yeah. So let's see. This is all about securing your digital world, right? That's what I thought. So - It's secure access globally is what Global Secure Access is. Yeah. So this is a new feature. This one was announced actually, was it Ignite? When did they change the name of Azure AD to - Entra. That was back around the Ignite. I - Think that was Ignite.

- And this was also the introduction of not just Global Secure Access, this was also the introduction of the introduction, a little bit of the rebrand and pushing out of the concept of Security Service Edge or SSE. - Yeah. And that was all announced in kinda since then.

This is, I would say it's been a slow roll of various services within, whether you call it various services within the Secure edge or even just Global Secure Access in general has kind of been a slow rollout and there's a, I would say a halfway decent image in this overview of what it is. But essentially at a high level Global Secure Access goes and takes all of your endpoints, identities, endpoints, even remote networks.

So think of identifying traffic based on the network it's on, routes it all through this security service edge through global secure access so that all of your traffic is routing through this global secure access, which is a service sitting out in the Microsoft cloud before it goes to any number of things.

It could be before it goes out to Microsoft 365 could be before it goes out to the internet, before it goes on premises to your on premises applications or even going out to another cloud service, whether it's AWS Google Cloud going out to Azure. But it's a way to essentially securely route all of that traffic wherever it goes and route it through this service between your end points or devices and wherever they're trying to go. - That's a good encapsulation.

I think one thing that's missing in this picture is some of the buckets should be a little bit bigger and maybe have sub components within them. For example, take Microsoft 365 and some of the things that are part of Microsoft 365-ish slash Entra ID-ish at this point. Like conditional access. So how do you extend, you mentioned like on-premises clients, so how do you extend conditional access to on-premises clients?

You need to bring those clients both the on-prem client and maybe the on-prem application within the purview and the overarching boundary of Entra and things like Microsoft 365 and that whole stack to put it together. 'cause ultimately what we're doing with this service suite of services again, right? If we think about Security Service Edge or SSE, it's really comprised of we're back to bundles and suites of things.

It's combining this set of capabilities for both internet and intranet bound network traffic and making that all play nicely together. Not just across the network but bringing in things like conditional access. So you have an identity layer and an identity boundary plus a network boundary plus an endpoint boundary on your clients themselves. And we'll talk about what some of those clients are that are out there and what's capable for things today.

So if somebody looks at this and they're like, haven't I seen this game before? This sounds a lot like defender for cloud apps and maybe CASB, right? For access to AWS and GCP and these external SaaS services like Slack and Dropbox, that sounds unique to me. Intimately familiar, like how we've been down that path before.

You're talking about things like proxying connections and having, having connectivity through a network layer back to on-premises resources, but being able to inject an identity boundary through conditional access that sounds a lot like app proxy connector, and, and some of the things that go into that. So if you've been in this space a while, you're like, yeah, something doesn't smell right here. You're absolutely right. Like this is still under the hood.

The things that you understood and the way you understood them to be with things like Defender for Cloud, Defender for Cloud Apps rather, that whole CASB solution, sorry cloud access security broker and putting all that together. Things like app proxy support through Azure AD and app proxy connectors that guess what that's been here and it's brought up to snuff under this suite of products with slightly different names.

But I think if you look at the underlying architecture and the way those things compose all the same, it's just kind of new names and potentially bringing all these things together as a suite of services under one banner that you can go ahead and just live a certain kind of life through depending on what kind of life you wanna live, right? Do you want to do things like monitor traffic externally? Do you wanna monitor traffic internally?

Do you want to have uh, those additional operational and access controls on top of things? So if you're looking in your, hey in my environment I already do the network thing. Like I have forwarding proxies and I have all the things in place I need that protect me across the various OSI layers on premises and my outbound traffic and things like that.

Maybe not the solution for you, but if you're looking for more than what you get out of maybe your traditional on-premises solutions and tight integration across the Microsoft stack and I'm, and I'm intentional there when I say across the Microsoft stack because it's not just SaaS services in the Microsoft stack like M 365 or Dynamics.

It's things like Azure and access to Azure and some of these other internet connected suites of things that that exist out there in that stack it, it marries all of those together. Puts them in a nice little bundle or bucket for you both from a functionality perspective and from an administration perspective. - And I would say like you mentioned the app proxy stuff, right?

And the CASB stuff. I think this is not, I would go a step back from what you said where it's like bundling those in my impression of this and from the playing I've done, it's like an entirely new process.

Instead of bundling those together, I would almost, I wanna be careful saying this because I don't want somebody to go out and say Ben and Scott said this was V two, this is almost, it appears to be, we'll say the appearance from everything I've seen like a V two of app proxy and of CASB where my understanding of CASB and some of the uh, cloud app protection and the stuff that's there today relied on like the defender endpoint, right?

Because somehow the existing cloud app security stuff had to reach into your machine and see what, what the traffic is, where are you going, what are you visiting all of that where instead of still using Defender for Endpoint for Global Secure Access and you said we'll talk about this, there's actually a new agent that you install on your device for these where it's instead of like Defender sitting there monitoring it, this is almost like setting up and it may even be doing similar in the background setting up a VPN on your client devices and I feel like Defender Endpoint was sitting off to the side watching what you were doing and sending some of that back.

This is literally routing all of your traffic through a secure VPN or secure connection through this global secure access to do things like, and it's probably similar to that proxy but I think more of the CASB stuff, I don't know that I wanna say more invasive but it's watching a lot more of that network traffic because it's routing it all through this global secure access endpoint. So - The CASB stuff was invasive as well, right? It was a local agent.

Your traffic absolutely passed through that thing for monitoring. I think the big difference here is it is much more VPN-ish at the end of the day, right? Like you are doing a virtual private network effectively. Yep. And the connectivity for that VPN if you think about performance of a VPN and having to tunnel and connects through an endpoint where those endpoints sit has a big, no pun intended like network effect and knock on effect to customer experience and client latency.

And I think those were potential issues with some of the kind of traditional CASB approach and there was also just the general, hey like what do I get out of doing this solution? So like that CASB approach was really good for routing and monitoring for external SaaS solutions. It wasn't good for the app proxy thing 'cause you still needed the app proxy thing on the side.

What this does with global secure access and the client, what it lets you do is it lets you basically say, hey now that all this stuff is under one suite of services, let me have a singular client and then I can take that client and I can affect change in client behavior by pushing traffic profiles so I can have a traffic profile from Microsoft 365, I can have a traffic profile for my internal applications, that kind of thing.

And then it all passes through that one agent, that VPN connection, right? Which is giving you a tunnel back to what's effectively the Microsoft wan. So this is another like kind of thing, right?

As when I talk about like limitations of the old stuff versus the new stuff, now you're given connectivity just straight up back to the MS WAN which is really interesting because Microsoft, for folks who go out and look at the side or like they're networking geeks has a massive WAN like massive network, tons of dark fiber. If you think about the way like Azure regions and Microsoft 365 regions are all connected together.

Like there's a ton of bandwidth and a ton of capabilities there just within the core network, let alone all the segments for that network and where they push out to, especially on the edge with POPs and things like that. So you're basically talking about like a VPN that's smart enough to locally route to the closest edge site. And an edge site could be a region, it could be a POP, but you're looking at all up 140-ish regions. So that lets you know that it's more than just Azure, right?

Because Azure has give or take - 60-ish, right? - I can never remember the exact number because there's all sorts of like canaries and EUAPs and things like that. Yeah, it's on the order of 60-ish, 60 to 70, something like that. But way more regions here plus all the POPs that exist out there or all the edge sites for that WAN. So 140 plus regions, 190 plus POPs all ready to go kind of sitting there.

So hopefully, and from what I've seen of this uh and experienced with it, like the knock on effects of things like client latency, they're vastly diminished in this solution versus what I used to encounter in the CASB world. But the cool thing is even for app proxy connections, things like that because now you have the VPN tunnel between your client and that edge site that can broker everything up. It can pass it through the WAN for evaluation by being passed through the WAN for evaluation.

And this is where I was saying that graphic maybe it wasn't the greatest thing 'cause really you wanted like there wanted there to be like a big circle around the whole thing. Yep. Which included stuff like conditional access in it. So hey, how, how do I take and put conditional access in front of an on-premises app? Have you been able to do that in the past? Absolutely. Did it require additional functionality and was it rolled up into a singular solution? No, not so much, right?

That that, that was the friction and things that came along with it. You're picking that piece up here. This new client effectively gives you VPN plus a traffic filter that can monitor both for internal and external bound traffic based on profiles that you can configure. And then based on the destination of that traffic, then you get all the other operational things on top of it that you might want like identity and conditional access.

- This is where like when you go in and do some of those profiles, we were looking at this the other day, now I'm gonna have to remember where all my profile settings are. You do have those different profiles so you can go create those profiles for your internet traffic and for your Microsoft 365 traffic.

And one of the interesting things that I saw in here when you're going and setting up some of those profiles is that it starts giving you some additional functionality and now I'm losing all my connectors traffic forwarding. I think that's where my profiles are. Yes. Like you can go into your Microsoft 365 profile and set up different policies within it too that let you go in and set up like what exchange traffic is going.

It gives you all the fully qualified domain names, the IP subnets of your Outlook traffic and SharePoint and OneDrive and some of your common office applications. But this is also now because of running through this VPN, there's options to even go in and enable a lot more logging of your Microsoft 365 traffic. And this is one thing that's still slowly rolling out where you can go in and get like enhanced logging and we've talked about some of the logs that are available.

It's 'cause you enhanced logging I think of Exchange and SharePoint like Teams is still coming. I'd imagine there's a bunch of other stuff still coming as well. And then for internet access web content filtering has been there for a while in Microsoft 365 and this is another one that gets rolled in.

But now with your internet access profile, you can go into and do things like web content filtering policies where if you wanna go in and create a policy to block certain websites or to block different categories of websites you can go, it brings in that web traffic filtering that you, it's buried down within Defender I think in the security center. But it brings that into here too. So you can go start filtering that web content.

And this is another one I've had clients ask about, especially over the last few years when everybody's starting to work remotely. A lot of this used to be done at the firewall level, right? People would have devices, DNS, custom DNS, all kinds of things to filter traffic.

If you were internal to the network with everybody working from home three or four years ago, the number of calls I had about help, we overloaded our VPN because we're still requiring everybody to go to VPN for some of this functionality and it just couldn't support 6,000 people all working from home over VPN.

This goes in and takes care of a lot of that because now instead of to your point Scott, instead of relying on your VPN or your teeny tiny WAN setup, respective to what Microsoft's network is, you can get a lot of that performance without having to rely on premises VPNs or on premises networks to do a lot of this web content filtering, advanced logging, all of that is a lot of that type of functionality begins to roll out and come to this Global Secure Access.

- The scale component is interesting, that call out to 140 plus regions and 190 edge sites, that's not just about things like client latency, it's also about capacity of the Microsoft WAN in, I don't know many folks who are running, running around even in their local environments with petabytes per second of capacity, right? Like we're not talking gigabits a second here, we're not talking megabits a second, we're talking like petabit scale like petabits a second and the contention issues and all the other things that can come into play there do go away, right? Like your constraint effectively becomes like the client and does my client have internet access? And that's a problem that you've had to solve the entire way along anyway. So that constraint really hasn't moved around for you in a meaningful way.

Some of this stuff's a little weird to be honest with you. I don't understand why log enrichment is tied to this client because if you look at the logs and what event enrichment actually means, it's things for SharePoint Online having an event for say SharePoint for file deleted, you should already have a file deleted event. For Teams, it's about having app installed. For Exchange, it's about new inbox rule, new transport rule things.

There's no magic sauce there that couldn't be enabled in the SaaS service anyway. Like it's a weird gatekeeping kind of thing to me. But I don't know, - I want go in and look at more I encountered, this is another episode. They - Published the schema for what they enrich and watch the what they push out there. And if you look at the enrichment schema, it's, - Oh look at - This. It's not a very special thing. Like, like you, you will not be enthralled when you see that list.

- Do you feel overwhelmed by trying to manage your Office 365 environment? Are you facing unexpected issues that disrupt your company's productivity? Intelligink is here to help. Much like you take your car to the mechanic that has specialized knowledge on how to best keep your car running, Intelligink helps you with your Microsoft cloud environment because that's their expertise.

Intelligink keeps up with the latest updates in the Microsoft cloud to help keep your business running smoothly and ahead of the curve. Whether you are a small organization with just a few users up to an organization of several thousand employees, they want to partner with you to implement and administer your Microsoft Cloud technology. Visit them at intelligink.com/podcast.

That's I-N-T-E-L-L-I-G-I-N-K.com/podcast for more information or to schedule a 30 minute call to get started with them today. Remember Intelligink focuses on the Microsoft cloud so you can focus on your business. So I'm wondering though Scott, like looking through this like you said for SharePoint, for OneDrive, file deleted, file downloaded, file recycled, those are absolutely already logged.

Does this somehow give you, and this article doesn't have it, - Why would it be documented and tell you that - Idea? Oh lemme talk about documentation, how I feel about it right now. Does it give you additional details about it from the perspective of a new inbox rule is created right now. You can see the endpoint that it's created from.

Maybe you can see the client, but does it give you not so much, these are new activities that are logged but it's additional information about these activities that they're able to log because it's watching the network traffic. I don't, again, it doesn't say because to your point, why would it be documented? But it talks about enrichment of these logs, not necessarily new logging activities.

I wonder what are those additional details that you're getting when these are enriched, when these logs or these operations are enriched with data from Global Secure Access. If - I'm remembering right, it's been a hot minute since I looked, so yeah it is additional details about the clients and things like that. It's also a little weird the way you pump these out and this has been a moving target as they shift around the way audit logs in general are manifested within the admin center.

But this brings it under the same banner as things like your regular audit logs sign-in logs, things like that where you can pump it out to log analytics or send it to event hubs and very much like the Azure ish diagnostic setting kind of thing. If you think about like configuring a diagnostic setting, it's also a little bit weird and I haven't had a chance to play around with it in a mixed environment.

But if you go and configure this and look to light it up, so if you went into your tenancy, you should see this within your tenant, you should have diagnostic logs someplace in there. I - Don't see it. Dashboards see and this is, - It's under identity. So go under the identity admin center. It's like monitoring and health diagnostics, something like that. - Uh, monitoring and health diagnostic settings. - This looks a lot like Azure all of a sudden - It is.

I mean this is your diagnostic logs from Yep, this looks like diagnostic logs essentially Diagnostic sign-in - Logs, that's Sentinel. Yep. So go ahead and click add diagnostic setting there. So in this experience now you have your audit logs, you have your sign-in logs. If you scroll down towards the bottom you have a separate log category for the enriched logs.

Yeah. So with this kind of flexibility, like you could even do things like maybe take your enriched logs versus your sign-in logs and send those off to different log analytics workspaces. Maybe you wanna evaluate in another one in another place like Splunk or something like that. Hey, I'm gonna send my sign-in logs over here to this event hub and eventually route 'em through to Splunk with my custom connector. I'm going to pump my enriched logs over to this log analytics workspace.

I'm gonna send these things over to a storage account just for archiving whatever it happens to be. You can do all those on that side. I don't know, diagnostics in M 365 continue to be confusing to me. I don't understand why they're gate kept behind additional licensing and additional features and functionality. Frankly, observability and logging should be free , right? Like I get it costs money to store text someplace, but folks should figure, figure that out, right?

If it's a, if it's a true value add thing, okay, if it's got enriched in it and it actually enriches the experience, sure give that to me. But if it's out of the box, like just give it to me out of the box, right? It should be there for me ready to go. - I have a whole nother topic we could talk about on another podcast around this that came up with a client around auditing exchange activities.

This one was fascinating that I did not realize, but it's absolutely going down a different rabbit hole that has nothing to do with global - Secure access. Write that down. All right, we'll take a note, we'll take a note on that, put that in the parking lot, we'll come back to it later. So anyways, so these clients, right? It is an application that gets installed that effectively deploys its capability to do a VPN tunnel. It is Windows and Android only today.

So all this stuff's in preview like moving target preview is not production, blah blah blah. All that good stuff. For disclaimers, I think Windows clients are probably the most interesting, the most turnkey for M 365 subscribers, right? Who are probably deploying things like Office onto their desktops and wanting to track and monitor all that. So Windows clients, 64-bit only.

If you're operating in a mode with, you've got mixed mode like Entra joined, hybrid joined devices, registered devices, all those kinds of things. Registered devices don't qualify today for that. And the deployment of the client requires Entra ID P1s, which is another important one to call out. So there is, it's not just hey like I need to deploy the client.

Cool thing is you can deploy the client through things like we talked about Intune for what seems like three months and in one of those Intune reviews that we did, we talked about things like app deployments. So you could totally push out this through Intune and have it come down and then it gets its configuration based on cloud service and things like that. Fairly flexible, super easy to set up. Oh, one last note on setup here. Weird one but really not that weird.

It requires admin, admin access to install on Windows clients at least. And it makes sense, right? You're deploying a new VPN, you're deploying a new network filter on top of it. So keep that in mind. So client deployment is actually super lightweight. I think it's just lack of support in places, right? 64-bit only, doesn't support ARM64. - Doesn't support multi-session. This is another interesting one.

If you do an AVD, it doesn't support multi-session and it doesn't support multiple user sessions on the same device from RDP. - It's another limitation that's out there. It does support Windows 365 dev box. There's no explicit callouts for support of things like dev box or anything like that. I imagine that it works over there. I, I'd have to spin up a dev box to try it out.

Like I, I can't think of any restriction that would be there other than maybe a supportability but it's all preview today so support's gonna be a weird one for you anyway. - And I'm running this like I'm running it on my Windows 365 cloud PC because that's technically a single session AVD and I think dev box would fall into that same boat, dev box for all practical purposes is a single session AVD environment. So it should work on those.

I would say you mentioned Windows and Mac or Windows and Android, Mac and iOS is coming, it is in private preview yet. So you have to like I imagine Mac and iOS, they're maybe running into the whole TestFlight limitations when you're doing stuff in private preview for those that Apple can sometimes cap how many people you can have in a beta test environment. So those are coming, I'm surprised they're still in private preview.

I would hope they would come out soon 'cause I want to try it on my Mac so it is, yeah, like you said, the client's super easy to deploy. I deployed it and then once it's deployed you just log in with your M 365 account. So I logged my account the other day and then I went and logged in and like I had Global Secure Access pop up and I had to go re-authenticate with my user account, which I guess that one's an interesting one too Scott, because I have not tested this.

Part of the point of this is to monitor all that web traffic, but if I can sign out of global secure access, can I essentially bypass it by signing out of my account for global secure access or are there ways, and I haven't looked at this yet, to like block internet traffic if you're signed out of your global secure access client, - I've not seen a way to block it. I had a very similar question. It's weird, it's early days for this one.

I, I think it is definitely one of those like preview, not for production but play around with it kinds of things. It's a little weird. It's a little strange. I do think and the reason we're covering it, I think it's worth getting hands on with - Absolutely. - It's going to be I think a pretty turnkey capability for a segment to, or a subset of organizations that sit out there.

It's also another great example of hey, let's take the disparate pieces and parts and pull them together and put them into one place. Like for you in in your screen share. Let's go back to the traffic forwarding stuff - That was tr not traffic logs. Traffic forwarding was the connections. Yep, yep. - So like you take a look at that like you turn on your M 365 profiles. So let's take that one as example. Go in and and and view that one there and view my traffic.

So you have these policies and the policies that you've enabled. So these are all canned, right? This was brought in just by saying hey I'm gonna bring in M 365. There was nothing you couldn't have done here on your own other than Microsoft bundled it all together for you. Which is nice because tracking the IP subnets for M 365 as a service right, isn't something you want to do uh, on your own, but there's a ton of flexibility here in the way that like this manifests and comes together.

So you could take like SharePoint for example, say you wanna drive your Exchange traffic through the tunnel so you're set to forward now for all of those things over TCP. But if you take like your first FQDN rule like *.sharepoint.com, that wildcard, and bring down the dropdown, you can actually bypass just for the FQDN, you can bypass by IP subnet, things like that.

So you can get like super granular within these and then you have the same set of controls for your internet bound access as well, internet and both your internet and your private access. So it's super helpful to see like the way like Microsoft composed the rules for M 365 and how that stuff came together and then you can think about potentially modeling that into your own stuff. There's also the ability, if you go back yeah, - No though for internet, yeah.

That they give you, so they give you that option for Microsoft 365. I don't think, and this is to your preview point that you can go in and tweak your internet access profile yet. I don't, this is tr security policies. - I wouldn't be surprised to see it in the future. I imagine a lot of it is is scaling things, right?

Let's say you might wanna, you might wanna forward for, I don't know, pick a website you might wanna forward for stuff to, to Reddit for evaluation but you might wanna bypass for Bing, right? Just for your online searches. Like I, I think that capability will come and probably is the scale component. The other thing I should mention with traffic forwarding, if you go back to traffic forwarding again and like the M 365 one, so you've got that linked conditional access policies.

So you can link conditional access policies to each profile as well, which is super flexible again, like it's basically making a lot of this stuff like as much as like conditional access policies were next exercise, this is just next. - Yeah. - And done it, it simplifies that deployment model even further.

- Yep. And one of the things that they've brought up, we haven't talked about it yet, we could probably talk about this more, is you like with conditional access and another thing that Microsoft is working towards with this and this can help with is, and I've seen this come up more and more lately in different things that Merill, we had him on the podcast, he created a video on it is token stealing, right?

Like people creating sessions, you get the whole man in the middle attacks that are stealing session tokens by routing all of your traffic this way too. That can, this also goes a long ways with helping with token stealing because you're now essentially going through this end-to-end encrypted tunnel from your device over that VPN connection in an encrypted manner.

And I think, I can't remember all the conditional access policies where you can essentially say if somebody's going to connect to my Microsoft 365 applications in those conditional access policies, they are going to have to come through Global Secure Access so that I know they're coming into my environment in an encrypted manner and that traffic and that interaction is gonna be secure. I think that's a conditional access policy.

I'm not a hundred percent sure, but that is another, I would say benefit of this. 'cause we talked about a lot of the logging the profiles, but a, there's that security aspect of this as well. Yeah, - I wanna do it as like the old, like Steve Jobs strip, like when he introduced the iPhone, oh it's the internet plus video and, and all those kinda things. No, it's identity, it's networking, it's, what is it? Identity networking. Yeah, it's networking, it's endpoint access, right?

Like you put these three things together and you have uh, Global Secure Access, which is part of this Security Service Edge S-S-S-S-S-E suite kind of thing. So it's a mouthful on the front. I would encourage folks if you're listening to this, like just go like pop up in a web browser and check it out. Even if you go look at the docs or you just browse through like your admin center and M 365. This is by far one of the easier like security solutions to configure out there.

Like it, it, it really is fairly self-explanatory in what it's trying to do and, and what's happening and there's not a ton of machination going on. So it's super easy to wrap your head around and then once you can do that, I think like it does like just bring value. Like it's one of those like self-inflicting value kind of services. - Yep. And you will encounter stuff that, yeah, it's preview, I think my audit logs I go click on like audit logs and it says we're hard at work developing this feature.

Be patient - We'll see in the future - Yeah there's some, it teases functionality because the menu items are there and as you click through it you'll get, oh we're still developing this or we're still developing that. But to your point, it's what absolutely worth playing with. Clicking on a few of the check boxes, some of the profiles set up a couple of your test clients to route traffic through it and it's fascinating. Traffic logs is one thing that is there.

This does not go through my production machine, but it has 28,000 connections and seven and a half thousand accesses to Microsoft 365, 20,000 times I've accessed the internet. And it gives you like even endpoints within Microsoft that you're connecting to where I can see connections to East US or to like edge.microsoft.com. It's interesting to just go look through it. Here's a Grammarly where I connected a Grammarly endpoint from my Windows device.

So it has got absolutely worth turning this on and starting to play with it for certain clients and see if it's something that, it's something I would keep an eye on and really consider rolling out in certain cases as it comes outta preview for sure. - So I think that takes us through our whirlwind tour of Global Secure Access coming to an M three, no coming to an Entra ID tenant near you. - Yeah. 'cause I guess technically you don't need to do M 365 if you're just doing Entra and Azure.

You could go get Entra ad premium plan one and use this for, if - You're just doing Entra as an identity store and AWS you could do this, right? I I I think it's about where you find the value in it without having to be a wholesale consumer of all Microsoft Services. That being said, if you're doing M 365, this is a kind of like a big natural fit kind of thing, especially for those customers who, and I imagine this is still the case.

This used to be the case when I was doing a lot of Office 365 and M 365 and customer deployments in my consulting days. Everybody wanted a private version of SharePoint online. Yep. So this kind of gives you that click stop and, and that next FU piece of like warm fuzzies about your connectivity for your organization and your clients and there's a whole lot of what's in it for me there versus what's in it for Microsoft, which is nice to see.

Yeah, it really does further that. Alright, - Thanks Scott. That was a good one. Yeah, now it is time for the weekend after a couple more meetings. - It's getting there slowly but - Surely we'll get there eventually. - I got two more to go and then it's off for Margaritas and CES tonight, so I'm looking forward to that. All right, - Go enjoy your weekend and we will talk to you again soon. All - Right, thanks Ben.

- Thanks Scott. If you enjoyed the podcast, go leave us a five star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show or feedback about the show, feel free to reach out via our website, Twitter, or Facebook. Thanks again for listening and have a great day.

Transcript source: Provided by creator in RSS feed