Entra SSE Part 2: Building the Zero Trust Defense That Stopped the Breach

The attacker pivots to exfiltrate data via unmanaged SaaS apps. Can GSA stop them? Spoiler: Yes—and we’ll show you how.

Scene 3: The Pivot

The attacker tries to upload sensitive files to a personal Dropbox account.

A legacy VPN wouldn't stop it: once the device is on the network, an upload to a personal Dropbox account never touches the VPN's policy. With Entra Global Secure Access (GSA), the client routes that traffic through Microsoft's Security Service Edge, where app-based segmentation, Conditional Access and web content filtering are evaluated on every request.

Alex watches as the Conditional Access engine evaluates:

  • Device compliance
  • User risk score
  • App sensitivity

Result? Block.

Step 1: Conditional Access Everywhere

Block Unmanaged Devices from Cloud Storage

# Connect to Microsoft Graph (Group.Read.All is needed for the group lookup below)
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Look up the Finance user group; fail early rather than create a policy with an empty scope
$financeGroup = Get-MgGroup -Filter "displayName eq 'Finance-Users'" -Top 1
if (-not $financeGroup) { throw "Group 'Finance-Users' not found" }

# Create Conditional Access Policy
$params = @{
    DisplayName = "Block Unmanaged Devices - Cloud Storage"
    State = "enabledForReportingButNotEnforced"  # Switch to "enabled" only after reviewing the report-only results
    Conditions = @{
        Applications = @{
            IncludeApplications = @("All")  # Narrow to the app IDs of your cloud storage apps once known
        }
        Users = @{
            IncludeGroups = @($financeGroup.Id)
            # Always exclude your emergency-access (break-glass) accounts from device-based policies:
            # ExcludeUsers = @("<break-glass-account-object-id>")
        }
        ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    GrantControls = @{
        Operator = "OR"
        # compliantDevice = Intune-compliant; domainJoinedDevice = Microsoft Entra hybrid joined
        BuiltInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

What this does:
  • Requires the device to be Intune-compliant or Microsoft Entra hybrid joined; a personal or otherwise unmanaged device satisfies neither control, so the sign-in is blocked
  • Applies to members of Finance-Users for every Entra-integrated cloud app (narrow the application list to the cloud storage apps once their app IDs are known)
  • Starts in report-only mode so the impact can be reviewed in the sign-in logs before enforcement
  • Caveat: this gate only covers apps that authenticate through your Entra ID tenant; a personal Dropbox account never signs in to your tenant, which is why the Defender for Cloud Apps session control and the GSA Internet Access block in Step 4 are still needed
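The policy above is created once and left in report-only mode. The following is an added example, not code from the original post, showing how a practitioner would deploy the same policy repeatably: create-or-update by display name, exclude a break-glass group, and enforce it in a separate step that refuses to run if nothing is excluded. It assumes two groups exist in the tenant, 'Finance-Users' and an assumed 'BreakGlass-Accounts' group holding the emergency-access accounts.

```powershell
# Added example (not from the original post): idempotent Conditional Access deployment with a
# break-glass exclusion and a guarded promotion from report-only to enforced.
# Assumptions: groups 'Finance-Users' and 'BreakGlass-Accounts' exist in the tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

function Get-RequiredGroupId {
    param([Parameter(Mandatory)][string]$DisplayName)
    $g = Get-MgGroup -Filter "displayName eq '$DisplayName'" -Top 1
    if (-not $g) { throw "Group '$DisplayName' not found; refusing to create a policy with an empty scope" }
    return $g.Id
}

function Set-CaPolicy {
    # Create the policy if no policy with this display name exists, otherwise update it in place.
    # Re-running resets State to whatever $Body says, so keep the body in sync with what has
    # already been promoted to enforced.
    param([Parameter(Mandatory)][hashtable]$Body)
    $name     = $Body.DisplayName.Replace("'", "''")   # escape for the OData filter
    $existing = @(Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$name'" -All)
    if ($existing.Count -gt 1) { throw "Multiple policies named '$($Body.DisplayName)'; resolve manually" }
    if ($existing.Count -eq 1) {
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing[0].Id -BodyParameter $Body
        return Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing[0].Id
    }
    return New-MgIdentityConditionalAccessPolicy -BodyParameter $Body
}

function Enable-CaPolicy {
    # Promote a report-only policy to enforced. Refuses when nothing is excluded, because a
    # device-based grant that also binds the emergency-access accounts can lock the tenant out.
    param([Parameter(Mandatory)][string]$PolicyId)
    $p = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    $excluded = ($p.Conditions.Users.ExcludeUsers | Measure-Object).Count +
                ($p.Conditions.Users.ExcludeGroups | Measure-Object).Count
    if ($excluded -eq 0) { throw "Policy '$($p.DisplayName)' excludes no break-glass account or group; not enabling" }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter @{ State = "enabled" }
}

$financeGroupId    = Get-RequiredGroupId -DisplayName "Finance-Users"
$breakGlassGroupId = Get-RequiredGroupId -DisplayName "BreakGlass-Accounts"   # assumed group name

$body = @{
    DisplayName = "Block Unmanaged Devices - Cloud Storage"
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Applications   = @{ IncludeApplications = @("All") }
        Users          = @{
            IncludeGroups = @($financeGroupId)
            ExcludeGroups = @($breakGlassGroupId)
        }
        ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$policy = Set-CaPolicy -Body $body
"Policy '$($policy.DisplayName)' is $($policy.State) (id $($policy.Id))"

# After reviewing the report-only results in the sign-in logs (Step 3), enforce it:
# Enable-CaPolicy -PolicyId $policy.Id
```

Keeping creation and enforcement as two separate calls is deliberate: the policy body can live in source control and be re-applied freely, while the irreversible step (enabling a device-based block) is gated on the exclusion check.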

Step 2: Private Access Without VPN

Publish Internal Apps via Entra Private Access

# Connect with the permissions needed for forwarding profiles and Private Access application segments
Connect-MgGraph -Scopes "NetworkAccess.ReadWrite.All", "Application.ReadWrite.All"

# Get the Private Access forwarding profile by traffic type (the display name can vary; the type cannot)
$privateProfile = Get-MgBetaNetworkAccessForwardingProfile -All |
    Where-Object { $_.TrafficForwardingType -eq "private" } |
    Select-Object -First 1
if (-not $privateProfile) { throw "Private Access forwarding profile not found; enable Private Access in the tenant first" }
"Private Access profile '$($privateProfile.Name)' is $($privateProfile.State)"

# Application segment for the internal finance app. Segments are defined on the Private Access
# enterprise application (Quick Access, or a per-app application such as "Finance Portal"), not on
# the forwarding profile. The body follows the Graph beta applicationSegment resource; check the
# latest Microsoft Graph documentation before relying on the exact path and property names.
$segment = @{
    destinationHost = "finance.internal.company.com"
    destinationType = "fqdn"
    ports           = @("443-443")
    protocol        = "tcp"
}

# $privateAccessAppObjectId = object ID of the "Finance Portal" Private Access application
# Invoke-MgGraphRequest -Method POST `
#     -Uri "https://graph.microsoft.com/beta/applications/$privateAccessAppObjectId/onPremisesPublishing/segmentsConfiguration/microsoft.graph.ipSegmentConfiguration/applicationSegments" `
#     -Body $segment

Benefits:
  • No VPN required: users reach internal apps from anywhere through the GSA client, and the Private Access connector only makes outbound connections, so no inbound listener is exposed at the perimeter
  • Per-app access control: each published app is an Entra enterprise application and can be targeted by its own Conditional Access policy
  • Conditional Access can require a compliant device and MFA for the app, using the same grant controls as Step 1
  • Removes the VPN gateway as an attack surface
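The "compliant device + MFA" benefit only holds once a Conditional Access policy actually targets the published app. The following is an added example, not code from the original post, that gates the "Finance Portal" Private Access app on both controls. It assumes the app was created as a per-app Private Access enterprise application named 'Finance Portal' and that the 'Finance-Users' group exists.

```powershell
# Added example (not from the original post): require compliant device AND MFA for the
# "Finance Portal" Private Access app. Assumptions: a Private Access enterprise application
# named 'Finance Portal' and a group named 'Finance-Users' exist in the tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

# Conditional Access targets the application's appId (client ID), not the service principal object ID
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Finance Portal'" -Top 1
if (-not $sp) { throw "Private Access app 'Finance Portal' not found; publish it first" }

$financeGroup = Get-MgGroup -Filter "displayName eq 'Finance-Users'" -Top 1
if (-not $financeGroup) { throw "Group 'Finance-Users' not found" }

$params = @{
    DisplayName = "Private Access - Finance Portal - Compliant device and MFA"
    State       = "enabledForReportingButNotEnforced"   # promote to "enabled" after review
    Conditions  = @{
        Applications   = @{ IncludeApplications = @($sp.AppId) }   # only this private app
        Users          = @{ IncludeGroups = @($financeGroup.Id) }
        ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    GrantControls = @{
        Operator        = "AND"   # both controls are required, unlike the OR used in Step 1
        BuiltInControls = @("compliantDevice", "mfa")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
"Created policy $($policy.Id) for app $($sp.DisplayName) ($($sp.AppId))"
```

Because the policy is scoped to one app ID, a stricter posture for the finance portal does not change how the same users reach everything else; that per-app scoping is what a network-level VPN cannot express.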

Step 3: Continuous Monitoring

Query Blocked Sign-ins with PowerShell

# Connect with audit permissions
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Graph expects an ISO 8601 UTC timestamp in $filter; 'T' and 'Z' are literals in this .NET format string
function Get-GraphDateTimeFormat {
    param([DateTime]$DateTime)
    return $DateTime.ToUniversalTime().ToString(
        "yyyy-MM-ddTHH:mm:ss.fffZ",
        [System.Globalization.CultureInfo]::InvariantCulture
    )
}

# Query only Conditional Access failures from the last 7 days. Filtering server-side avoids paging
# through every sign-in in the tenant and then discarding most of them client-side.
$startDate = Get-GraphDateTimeFormat -DateTime (Get-Date).AddDays(-7)
$blockedByCA = Get-MgAuditLogSignIn -All `
    -Filter "createdDateTime ge $startDate and conditionalAccessStatus eq 'failure'"

# Summarize blocked attempts per application
$blockedByCA | Group-Object AppDisplayName |
    Select-Object Count, @{N='Application';E={$_.Name}} |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

Query with KQL in Sentinel

// Conditional Access failures in the last 7 days, by application and city.
// ConditionalAccessStatus == "failure" means an enforced policy blocked the sign-in;
// report-only outcomes are recorded per policy in the ConditionalAccessPolicies column instead.
SigninLogs
| where TimeGenerated > ago(7d)
| where ConditionalAccessStatus == "failure"
| summarize BlockedAttempts = count() by AppDisplayName, City = tostring(LocationDetails.city)
| sort by BlockedAttempts desc
| take 10
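Both queries above count enforced blocks. While a policy is still in report-only mode, its outcome is recorded per policy inside each sign-in record rather than in the overall status. The following is an added example, not code from the original post, that attributes outcomes to individual policies, including the reportOnlyFailure results that answer "who would this policy have blocked". The sign-in records below are constructed; the function accepts the output of Get-MgAuditLogSignIn unchanged, since each record carries AppliedConditionalAccessPolicies with DisplayName and Result.

```powershell
# Added example (not from the original post): per-policy Conditional Access outcome report,
# including report-only results, runnable offline on constructed sign-in records.

function Get-CaPolicyOutcomes {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$SignIns,
        [string]$PolicyName        # optional: restrict the report to one policy
    )
    $rows = foreach ($s in $SignIns) {
        foreach ($p in $s.AppliedConditionalAccessPolicies) {
            if ($PolicyName -and $p.DisplayName -ne $PolicyName) { continue }
            [pscustomobject]@{
                Policy = $p.DisplayName
                Result = $p.Result   # success, failure, notApplied, reportOnlySuccess, reportOnlyFailure, ...
                User   = $s.UserPrincipalName
                App    = $s.AppDisplayName
            }
        }
    }
    # One row per policy and result, with the distinct users and apps affected, so a
    # reportOnlyFailure count answers "who would have been blocked had this been enforced"
    $rows | Group-Object Policy, Result | ForEach-Object {
        [pscustomobject]@{
            Policy  = $_.Group[0].Policy
            Result  = $_.Group[0].Result
            SignIns = $_.Count
            Users   = (@($_.Group.User) | Sort-Object -Unique) -join ", "
            Apps    = (@($_.Group.App)  | Sort-Object -Unique) -join ", "
        }
    } | Sort-Object Policy, Result
}

# Constructed sample shaped like Get-MgAuditLogSignIn output (not real tenant data)
$caName = "Block Unmanaged Devices - Cloud Storage"
$sample = @(
    [pscustomobject]@{
        UserPrincipalName = "alex@contoso.example"; AppDisplayName = "Finance Portal"
        AppliedConditionalAccessPolicies = @(
            [pscustomobject]@{ DisplayName = $caName; Result = "reportOnlyFailure" }   # unmanaged laptop
        )
    },
    [pscustomobject]@{
        UserPrincipalName = "bea@contoso.example"; AppDisplayName = "Finance Portal"
        AppliedConditionalAccessPolicies = @(
            [pscustomobject]@{ DisplayName = $caName; Result = "reportOnlySuccess" }   # compliant device
        )
    },
    [pscustomobject]@{
        UserPrincipalName = "alex@contoso.example"; AppDisplayName = "Office 365 Exchange Online"
        AppliedConditionalAccessPolicies = @(
            [pscustomobject]@{ DisplayName = $caName; Result = "reportOnlyFailure" },
            [pscustomobject]@{ DisplayName = "Require MFA - All Users"; Result = "success" }
        )
    }
)
Get-CaPolicyOutcomes -SignIns $sample | Format-Table -AutoSize

# Live: the same report over the last 7 days, restricted to the staged policy
# Connect-MgGraph -Scopes "AuditLog.Read.All"
# $start = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
# Get-CaPolicyOutcomes -SignIns (Get-MgAuditLogSignIn -Filter "createdDateTime ge $start" -All) -PolicyName $caName
```

On the constructed sample the report shows one reportOnlySuccess row for bea and one reportOnlyFailure row for alex spanning two apps, which is exactly the list to review (or fix device enrollment for) before promoting the policy to enforced.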

Step 4: Advanced Policies

Policy 1: Enforce Phishing-Resistant MFA

# Policy.Read.All is needed to read authentication strengths; the group is looked up again so this step stands alone
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"
$financeGroup = Get-MgGroup -Filter "displayName eq 'Finance-Users'" -Top 1
if (-not $financeGroup) { throw "Group 'Finance-Users' not found" }

# Get the built-in phishing-resistant authentication strength
# (FIDO2 security key / passkey, Windows Hello for Business, certificate-based authentication)
$phishingResistant = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object { $_.DisplayName -like "*Phishing*resistant*" } |
    Select-Object -First 1
if (-not $phishingResistant) { throw "Phishing-resistant MFA authentication strength not found" }

# Create policy for risky sign-ins (sign-in risk conditions require Microsoft Entra ID P2 / Identity Protection)
$params = @{
    DisplayName = "Require Phishing-Resistant MFA - Risky Sign-ins"
    State = "enabledForReportingButNotEnforced"
    Conditions = @{
        Applications = @{
            IncludeApplications = @("All")
        }
        Users = @{
            IncludeGroups = @($financeGroup.Id)
        }
        SignInRiskLevels = @("high", "medium")
        ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    GrantControls = @{
        Operator = "OR"
        AuthenticationStrength = @{
            Id = $phishingResistant.Id
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

What this does:
  • Requires a phishing-resistant method (FIDO2 security key or passkey, Windows Hello for Business, or certificate-based authentication) when Identity Protection rates the sign-in medium or high risk
  • Defeats credential phishing and adversary-in-the-middle proxies: a FIDO2 assertion is bound to the real origin and cannot be replayed by the attacker's site
  • Applies only to sign-ins flagged as risky; sign-ins that are not flagged see no extra prompt
  • Caveat: a user with no phishing-resistant method registered is blocked, not enrolled, so verify registration for the group before enforcing
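The registration caveat is the one that bites in practice: the authentication strength blocks rather than prompts for enrollment. The following is an added example, not code from the original post, that lists in-scope users who have no phishing-resistant method registered. The check itself runs offline on constructed data; the commented Get-Mg* calls at the end show the live path. The method names are those the userRegistrationDetails report uses in methodsRegistered and should be verified against the current report output for your tenant (certificate-based authentication, which also satisfies the strength, is omitted because its report name is not confirmed here).

```powershell
# Added example (not from the original post): find members of a group who could not satisfy the
# Phishing-resistant MFA authentication strength. Method names assumed from the
# userRegistrationDetails report; verify them in your tenant.

$PhishingResistantMethods = @(
    "fido2SecurityKey",
    "passKeyDeviceBound",
    "passKeyDeviceBoundAuthenticator",
    "passKeyDeviceBoundWindowsHello",
    "windowsHelloForBusiness"
)

function Get-PhishingResistantGap {
    param(
        [Parameter(Mandatory)][object[]]$RegistrationDetails,  # objects with UserPrincipalName, MethodsRegistered
        [Parameter(Mandatory)][string[]]$InScopeUpns           # e.g. members of Finance-Users
    )
    $byUpn = @{}
    foreach ($r in $RegistrationDetails) { $byUpn[$r.UserPrincipalName.ToLowerInvariant()] = $r }

    foreach ($upn in $InScopeUpns) {
        $r       = $byUpn[$upn.ToLowerInvariant()]
        $methods = if ($r) { @($r.MethodsRegistered) } else { @() }   # missing from report = nothing registered
        $strong  = @($methods | Where-Object { $_ -in $PhishingResistantMethods })
        if ($strong.Count -eq 0) {
            [pscustomobject]@{
                UserPrincipalName = $upn
                RegisteredMethods = ($methods -join ", ")
                Action            = if ($methods.Count -eq 0) {
                    "No MFA method at all: enroll before enabling the policy"
                } else {
                    "Enroll a FIDO2 key or passkey, or Windows Hello for Business"
                }
            }
        }
    }
}

# Constructed sample (not real tenant data)
$details = @(
    [pscustomobject]@{ UserPrincipalName = "alex@contoso.example"; MethodsRegistered = @("microsoftAuthenticatorPush", "fido2SecurityKey") },
    [pscustomobject]@{ UserPrincipalName = "bea@contoso.example";  MethodsRegistered = @("microsoftAuthenticatorPush") },
    [pscustomobject]@{ UserPrincipalName = "carl@contoso.example"; MethodsRegistered = @() }
)
$members = @("alex@contoso.example", "bea@contoso.example", "carl@contoso.example")
Get-PhishingResistantGap -RegistrationDetails $details -InScopeUpns $members | Format-Table -AutoSize

# Live data: the report needs AuditLog.Read.All; group membership needs Group.Read.All and User.Read.All
# Connect-MgGraph -Scopes "AuditLog.Read.All", "Group.Read.All", "User.Read.All"
# $group   = Get-MgGroup -Filter "displayName eq 'Finance-Users'" -Top 1
# $members = Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $_.AdditionalProperties.userPrincipalName }
# $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
# Get-PhishingResistantGap -RegistrationDetails $details -InScopeUpns $members
```

Run this before flipping the policy out of report-only; the users it lists are the ones a medium- or high-risk sign-in would lock out, and a locked-out user under attack is exactly when a help desk is most likely to be social-engineered into a reset.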

Policy 2: Monitor and Control SaaS Traffic

# Requires Microsoft Defender for Cloud Apps licensing; the targeted apps must be onboarded to
# Conditional Access App Control. $financeGroup is the group looked up in Step 1.
$params = @{
    DisplayName = "Monitor SaaS Access - Finance"
    State = "enabledForReportingButNotEnforced"
    Conditions = @{
        Applications = @{
            IncludeApplications = @("All")  # Or specific cloud storage apps
        }
        Users = @{
            IncludeGroups = @($financeGroup.Id)
        }
        ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    GrantControls = @{
        Operator = "OR"
        BuiltInControls = @("mfa")
    }
    SessionControls = @{
        CloudAppSecurity = @{
            # "mcasConfigured" ("Use custom policy") hands the session to the session policies defined in
            # Defender for Cloud Apps, which the next section relies on. "monitorOnly" and "blockDownloads"
            # are the two built-in modes and do not apply custom session policies.
            CloudAppSecurityType = "mcasConfigured"
            IsEnabled = $true
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

What this does:
  • Routes the browser session through the Defender for Cloud Apps reverse proxy (Conditional Access App Control)
  • Lets the session policies defined in Defender for Cloud Apps monitor, and block, file uploads and downloads in real time
  • Can block exfiltration of labeled or content-matched files
  • Logs every activity in the session for investigation
  • Caveat: only proxied browser sessions are covered; native clients and apps not onboarded to Conditional Access App Control bypass it

Configure Session Policies in Defender for Cloud Apps

After creating the Conditional Access policy above (with CloudAppSecurityType set to mcasConfigured so that custom session policies apply), configure the session policy in the Microsoft Defender portal at security.microsoft.com, which replaced the standalone Cloud App Security portal:

Session Policy Configuration:
  1. Navigate to: Microsoft Defender portal → Cloud Apps → Policies → Policy management → Create policy → Session policy
  2. Create the session policy:
    • Policy name: Block Sensitive File Uploads to Personal Cloud
    • Session control type: Control file upload (with inspection)
    • Activity source: User group equals Finance-Users (the group must first be imported under Settings → Cloud Apps → User groups before it can be used as a filter)
    • Files matching: Sensitivity label equals "Confidential"
    • Actions: Block, with the custom message below

Custom Block Message:

This file contains sensitive company data and cannot be uploaded to personal cloud storage.

Please use OneDrive for Business: https://yourtenant.sharepoint.com

Contact IT support if you need assistance.

Alternative: Block with GSA Internet Access

For a coarser, network-level control, use Entra GSA Internet Access web content filtering to block the personal cloud storage domains for every device running the GSA client. This is an FQDN-level decision: the whole site becomes unreachable, nothing in the session is inspected, and devices without the client are not covered, so keep the compliant-device policy from Step 1 in place.

# Internet Access uses the "internet" forwarding profile; the "m365" profile carries only Microsoft 365 traffic
$internetProfile = Get-MgBetaNetworkAccessForwardingProfile -All |
    Where-Object { $_.TrafficForwardingType -eq "internet" } |
    Select-Object -First 1
if (-not $internetProfile) { throw "Internet Access forwarding profile not found; enable Internet Access in the tenant first" }

# Blocking is expressed as a web content filtering policy with FQDN rules, not as a rule on the
# forwarding profile. Payload shape per the Graph beta networkAccess filteringPolicy API; verify
# against the current Microsoft Graph documentation.
$filteringPolicy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/networkAccess/filteringPolicies" `
    -Body @{
        name        = "Block Personal Cloud Storage"
        description = "Block Dropbox, Google Drive, Box, personal OneDrive"
        action      = "block"
    }

# One FQDN rule covering the personal storage domains (a leading wildcard matches subdomains)
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/networkAccess/filteringPolicies/$($filteringPolicy.id)/policyRules" `
    -Body @{
        "@odata.type" = "#microsoft.graph.networkaccess.fqdnFilteringRule"
        name          = "Personal cloud storage FQDNs"
        ruleType      = "fqdn"
        destinations  = @(
            @{ "@odata.type" = "#microsoft.graph.networkaccess.fqdn"; value = "*.dropbox.com" },
            @{ "@odata.type" = "#microsoft.graph.networkaccess.fqdn"; value = "drive.google.com" },
            @{ "@odata.type" = "#microsoft.graph.networkaccess.fqdn"; value = "*.box.com" },
            @{ "@odata.type" = "#microsoft.graph.networkaccess.fqdn"; value = "onedrive.live.com" }
        )
    }

# The filtering policy takes effect only once it is added to a security profile and that profile is
# linked to a Conditional Access policy using the "Use Global Secure Access security profile" session control.

Real-World Impact:

  • No VPN complexity – Users work from anywhere securely
  • Unified policy engine – One Conditional Access engine for SaaS, private and internet traffic
  • Real-time protection – Blocks happen instantly, not after investigation
  • Complete visibility – Every access decision logged and analyzed

Entra GSA vs Zscaler: Real-World Comparison

Factor               | Entra GSA                                                                                   | Zscaler
---------------------+---------------------------------------------------------------------------------------------+-----------------------------------
Deployment speed     | Builds on the existing Entra ID tenant; no separate identity federation to set up            | Requires separate connector setup
Unified policy       | One Conditional Access engine for all apps                                                  | Multiple policy layers to manage
Identity integration | Native Entra ID integration                                                                 | Third-party identity integration
Cost efficiency      | Microsoft 365 traffic profile included with Microsoft 365 E3/E5; Private Access and Internet Access licensed via Microsoft Entra Suite or standalone | Separate Zscaler subscription
Client requirements  | GSA client for Private/Internet Access                                                      | Zscaler client required
Session controls     | Integrated with Defender for Cloud Apps                                                     | Built-in DLP and inspection
When to choose Entra GSA:
  • Existing Microsoft E5 investment
  • Need tight Entra ID integration
  • Want unified policy management
  • Microsoft-first security stack
When to consider Zscaler:
  • Multi-cloud, multi-vendor environment
  • Mature ZPA/ZIA deployment
  • Need specific Zscaler features
  • Non-Microsoft primary stack

🚀 Fortytwo’s Services

We help organizations deploy Entra GSA with confidence:

Zero Trust Strategy Design

  • Architecture planning and roadmap
  • Risk assessment and gap analysis

Entra GSA Deployment

  • Private Access configuration
  • Internet Access policies
  • Client rollout and testing

Policy Automation and Governance

  • Infrastructure-as-Code for CA policies
  • Automated compliance checking
  • Policy drift detection

Integration Services

  • Defender XDR correlation
  • Sentinel SIEM integration
  • Purview DLP orchestration

✅ Next Steps

Ready to get started?
  1. Book a Fortytwo Zero Trust Workshop – Schedule here
  2. Download our GSA Implementation Guide – Best practices and lessons learned
  3. Follow us for real-world success stories and Entra vs Zscaler deep dives
Pilot Program:
  • Week 1-2: Architecture review and planning
  • Week 3-4: Private Access pilot with internal apps
  • Week 5-6: Conditional Access policy deployment
  • Week 7-8: Full rollout with monitoring

🔮 Future Outlook

Zero Trust is evolving with AI:
🤖 AI-driven access decisions using behavioral analytics
  • Microsoft Security Copilot integration
  • Real-time risk scoring with ML
🔐 Agentic AI for identity governance
  • Automated access reviews
  • Smart policy recommendations
🛡️ Predictive threat blocking
  • Pre-emptive blocks based on attack patterns
  • Cross-signal correlation

Fortytwo is leading this transformation – helping enterprises stay ahead of attackers with Microsoft’s latest security innovations.

Ready to Transform Your Security?

Partner with Fortytwo to deploy Microsoft Entra Global Secure Access and achieve true Zero Trust.

Contact us today:

Let’s build your Zero Trust architecture together. 🚀
