Microsoft Entra Internet Access is a cloud-delivered solution that secures access to web content. It protects users, devices, and data from internet threats. This solution is part of Microsoft’s Security Service Edge (SSE), which also includes Microsoft Entra Private Access. This solution is based on the core principles of Zero Trust Network Access (ZTNA), which aims to apply the principle of minimal rights, explicit verification and assumption of an attack. Microsoft Entra Internet Access implements adaptive access controls, simplifies network security, and enables a consistent user experience, regardless of location. Microsoft delivers the solution over the Microsoft Wide Area Network, which covers more than 140 countries and 190 network edge locations.

This blog article shows the configuration steps for Microsoft Entra Internet Access to filter web content by category.

At the time of writing this post, Microsoft Entra Internet Access is in the preview phase. The article is continuously updated.

Table of contents hide
1 Prerequisites and Licensing
1.1 Licences
1.2 Roles
1.3 Devices
2 Onboard Microsoft Entra Internet Access
2.1 Traffic forwarding
2.2 Adaptive Access
3 Microsoft Entra Internet Access configuration
3.1 Web content filtering policies
3.2 Security profiles
3.3 Enable security profiles with Microsoft Entra Conditional Access
4 Onboard Clientsoftware
5 Functional check
6 Troubleshooting
6.1 Microsoft Entra admin center
6.1.1 Traffic logs
6.2 Device
6.2.1 Forwarding profile
6.2.2 Hostname acquisition
6.2.3 Traffic

Prerequisites and Licensing

Licences

During the preview phase, a Microsoft Entra ID P1 licence is required. At the time of writing, it is not yet known which licences, plans or add-ons will be necessary once Microsoft Entra Internet Access is globally available.

Roles

Setting up and managing Microsoft Entra Internet Access requires the Global Secure Access Administrator role.

Setting up and managing conditional Microsoft Entra access requires either the Conditional Access Administrator or Security Administrator role.

Devices

The following requirements apply to the devices:

  • Operating system Windows 10Windows 11 or Android
    Early access available for iOS and MacOS as a private preview.
  • Windows Devices must be either Microsoft Entra joined or Microsoft Entra hybrid joined. Microsoft Entra registered devices aren’t supported.

Onboard Microsoft Entra Internet Access

Microsoft Entra Internet Access is enabled in the Microsoft Entra admin center (https://entra.microsoft.com).

Traffic forwarding

Enable Internet access profile in Global Secure Access > Connect > Traffic forwarding.

Enable Internet Access profile

Adaptive Access

Enable Global Secure Access signaling in Microsoft Entra Conditional Access.

Enable Adaptive Access in Global Secure Access > Global Settings > Session management > Adaptive Access.

Enable Global Secure Access signaling in Conditional Access
Sponsored Links

Microsoft Entra Internet Access configuration

Web content filtering policies

Access to web content is blocked or permitted by category. It is also possible to block specific domains. In this example, access to websites in the category Gambling is blocked.

Create new web filter policy in Global Secure Access > Secure > Web content filtering policies > Create policy.

Create web contenct filtering policy
  1. Enter the Name of the web filter policy, e.g. Gambling
  2. Select the Action of the web filter policy (block or allow)
  3. Click on Next
Create web contenct filtering policy Basic
  1. Select Add Rule
  2. Enter Name of the policy
  3. Set Destination type to webCategory
  4. Select web content filter category Gambling
  5. Create policy with Add
  6. Confirm policy with Next
Create web contenct filtering policy Policy Rules

Check settings and click on Create Policy.

Create web contenct filtering policy review and create

The new web content filtering policy has been created.

Create web contenct filtering policy show policies

Security profiles

The web content filtering policies are organized in the security profiles. Security profiles are enabled user- and context-dependent with Microsoft Entra Conditional Access.

Create new security profile in Global Secure Access > Secure > Security profiles > Create profil.

Create Security profile
  1. Enter Name for the security profile, e.g. Illegal Activities
  2. Set State to enabled
  3. Set the Priority within all security profiles, the lower the value, the higher the priority of the security profile
  4. Click on Next
Create Security profile Basic
  1. Select Add Rule
  2. Enter Name of the policy
  3. Set the Priority within this security profile, the lower the value, the higher the priority of the policy
  4. Set the State of the policy (enabled or disabled).
  5. Add policy with Add
  6. Confirm policy with Next
Create Security profile Link policies

Check settings and click on Create profile.

Create Security profile review and create

The new security profile has been created.

Create Security profile show profiles

Enable security profiles with Microsoft Entra Conditional Access

The security profile are enabled according to your own requirements with Microsoft Entra Conditional Access.

Protection > Conditional Access > Create new policy

Entra Internet Access Conditional Access

Specify users or user groups for Microsoft Entra Conditional Access under Users. If Azure emergency access accounts are used, exclude them from the policy.

Entra Internet Access Conditional Access Users

Microsoft Entra Conditional Access is done under Target resources on Global Secure Access (1) and the traffic profile Internet Traffic (2).

Entra Internet Access Conditional Access Target resources

The previously created security profile is specified in the Session category under Use Global Secure Access security profile.

Entra Internet Access Conditional Access Session

Enable policy and create it with Create.

Entra Internet Access Conditional Access Create

The policy has been created and enabled.

Entra Internet Access Conditional Access Overview

Onboard Clientsoftware

The Global Secure Access Client for using Microsoft Entra Internet Access is released for various operating systems. The deployment of the clientsoftware on Windows is described in the article Microsoft Entra Private Access: Onboard Clientsoftware.

Functional check

In this example, a device with Global Secure Access Client accesses the website https://www.swisslos.ch. The website is assigned to the web filter category Gambling and is blocked by the created security profile and Microsoft Entra Conditional Access.

At the time of writing this blog post, it is not yet possible to customize the notification about blockages.

Edge cant reach this page

Troubleshooting

Microsoft Entra admin center

Traffic logs

The Traffic logs for the various services of Global Secure Access are found in Global Secure Access > Monitor > Traffic logs. The traffic logs offers many filtering options.

Entra Global Secure Access Traffic logs

Device

The Global Secure Access Client offers various options in Advanced diagnostic to check the current status, collect and analyze traffic in real time.

Global Secure Access Client Advanced diagnostics

Forwarding profile

Enabled traffic forwarding profiles for this device are visible under Forwarding profile. When expanding a rule, detailed information about the traffic is displayed.

Global Secure Access Client Forwarding profiles

Hostname acquisition

In Hostname acquisition, the traffic can be collected and checked that the traffic is actually routed through Global Secure Access.

Global Secure Access Client Hostname acquisition

Traffic

Traffic shows the traffic of the device in real time.

Global Secure Access Client traffic

Follow me on LinkedIn and get informed about my latest posts.

Follow on LinkedIn

Was this post helpful to you? Show your enthusiasm with the delightful aroma of a freshly brewed coffee for me!

Buy me a coffee

Sponsored Links