Step-by-Step Guide to Microsoft Entra Internet Access

Introduction

Securing internet access is crucial for every organization. Microsoft Entra Internet Access, part of Microsoft's Security Service Edge (SSE) solution, is a cloud-based secure web gateway: it enforces policies, filters web traffic, and blocks threats while keeping the user experience seamless.

Built on Zero Trust principles, it provides identity-aware, compliant internet access, which strengthens an organization's security posture in a hybrid, cloud-driven environment.

In this article, I'll walk you through deploying this feature step by step and share my own experiences along the way. So, let's dive in!

What is Microsoft Entra Internet Access?

The product name invites the assumption that Microsoft has entered the internet connectivity business. It has not: the product does not provide connectivity at all. It secures the internet access your users already have.

When it is enabled, the Global Secure Access client routes your internet traffic (by default, TCP traffic on ports 80 and 443 that is not bound for Microsoft 365) through Microsoft's Secure Web Gateway. The gateway filters and monitors web traffic, enforces your security policies, and protects against threats such as malware and phishing.

It’s like having a digital bouncer at the entrance of your network, making sure only safe and approved traffic gets through while keeping out the unwanted guests.

Benefits

The top reasons for adopting this feature:

  • Implements Zero Trust principles: every internet request is authenticated and authorized against identity and device context.
  • Protects against malicious websites, phishing, and other internet-borne threats.
  • Blocks access to harmful domains and web categories.
  • Eliminates reliance on on-premises firewalls and proxy appliances, and the cost of that hardware.
  • Scales with usage and integrates with Microsoft Azure and Microsoft 365.
  • Reduces latency by carrying traffic over Microsoft's global network backbone.
  • Centralized management through the Microsoft Entra admin center.
  • Unified policies across users, devices, and locations, applied consistently wherever the user is.
  • Enforces acceptable use policies to align with regulatory requirements.
  • Detailed logging and reporting for audits and compliance frameworks such as GDPR, HIPAA, and ISO 27001.
  • Secures internet access for remote workers, supporting a hybrid workforce.
  • Reduces operational burden by automating updates and streamlining IT operations.

Features

Microsoft Entra Internet Access offers several key features to help you manage and secure internet access:

  • Visualizations of network traffic, including internet and SaaS application usage.
  • The number of active devices and users on your network.
  • Identification of suspicious activities or trends in network data, so you can respond to potential threats quickly.
  • Usage patterns across different traffic types, showing how your network is being used.
  • The most accessed websites and applications, giving insight into user behavior.
  • Access patterns across different tenants, to keep cross-tenant access secure and compliant.
  • The most popular website categories accessed by users.
  • Security profiles that group web content filtering policies and link them to Conditional Access policies.
  • Policy enforcement in the logical order of priority numbers, so security rules are applied consistently.
  • Detailed traffic logs, including which policy was enforced on each request.

Prerequisites

Please make sure you meet the following prerequisites before enabling this feature.

  • A Microsoft Entra ID P1 or P2 license. These licenses are available as standalone products or are included with certain Microsoft 365 plans.
  • A Microsoft Entra Suite license. This suite includes Microsoft Entra Internet Access and requires a Microsoft Entra ID P1 or P2 subscription.
  • A cloud account holding the Global Secure Access Administrator role in Microsoft Entra ID.

Implementation Steps

To get started, follow the steps below to enable the Microsoft Entra Internet Access feature.

Step 1: Enable Internet Access Profile

  1. The first step is to activate Global Secure Access (GSA) on your tenant. Microsoft requires Entra ID P1 or P2 to activate this feature.
  2. With P1 alone, you can enable only the Microsoft traffic profile. The Private Access and Internet Access profiles require an additional license; the Microsoft Entra Suite bundle includes both.
  3. Please look at my article, which shows the steps to activate the GSA feature on your Entra tenant.
  4. After you enable GSA, sign in to the Microsoft Entra Admin portal with an account holding the Global Administrator or Global Secure Access Administrator role.
  5. Then, navigate to Global Secure Access -> Connect -> Traffic forwarding and turn on "Internet access profile."

Step 2: Validate the Settings

With the profile enabled, review the settings the Internet access profile exposes.

Traffic captured: this profile captures internet traffic only; traffic for Microsoft 365 services is excluded (the Microsoft traffic profile handles it).

Policies: by default the profile has three policies.

  • Custom Bypass: This policy contains user-defined traffic or endpoints excluded from the Internet traffic profile. For example, you can exclude VPN endpoints, private IP ranges, and endpoints that rely on network access control lists.
  • Default Bypass: This policy includes predefined traffic that the Internet traffic profile doesn't acquire, such as private IP ranges. You can't change the rules in this policy.
  • Default Acquire: This policy defines the traffic that the Internet traffic profile acquires. By default it includes all internet traffic on TCP ports 80 and 443. This policy has the lowest precedence; it is evaluated only after all bypass rules.

Linked Conditional Access policies: Conditional Access policies linked to this profile let you enforce security controls and access policies on the captured traffic.

User and group assignments: you can assign this profile to users and groups.

Remote network assignments: you can also assign remote networks, such as branch office locations, to the traffic forwarding profile so that users on those networks reach the internet and Microsoft services through the Global Secure Access service.

Step 3: Assign the Internet Access Profile to Users

Our next step is to assign this profile to users to redirect internet traffic to Secure Web Gateway. You can do it manually by adding users or by using groups. In my case, I assigned it to the group “Internet Access profile.”

Step 4: Enable Universal Tenant Restrictions

To improve security, we also enable Universal Tenant Restrictions. This lets administrators decide whether users can use accounts from outside organizations to access resources while connected to the organization's own network or devices. Its main properties:

  • Restricts access to external applications and accounts, so users can reach only approved resources.
  • Enforces policies at both the authentication plane (during sign-in) and the data plane (after sign-in).
  • Works across devices, browsers, and networks, providing consistent policy application.
  • By blocking unsanctioned external accounts and apps, helps prevent unauthorized access and data exfiltration.

To enable this feature, in the Entra Admin portal navigate to Global Secure Access -> Settings -> Session management and turn on "Enable Tenant Restrictions for Entra ID (covering all cloud apps)."

For this feature to work, the administrator must configure both the cloud (tenant) side and the user's device. In this demonstration, I'm using Tenant Restrictions v2 together with the Global Secure Access client. This setup stops users from accessing external applications with external accounts from your network or devices.

Step 5: Enable Conditional Access Signaling

We also need to enable Global Secure Access signaling in Conditional Access (Global Secure Access -> Settings -> Session management -> Adaptive access). This is the setting that lets Conditional Access and the sign-in logs see the original source IP address of the client instead of the Global Secure Access egress address, so location-based policies keep working for tunneled traffic.

Step 6: Install the Global Secure Access Client Software

There are several methods to install the GSA client software on Windows 10 or 11 devices. You can install it manually or automatically through Intune. In this demo, I created an Intune app policy for the deployment. Please take a look at the policy details in the video.

Step 7: Redirect the Internet Traffic From The Compliant Devices to SSE

Instead of sending internet traffic from all devices to the Secure Web Gateway, you can allow only traffic from compliant devices. A Conditional Access policy makes this possible: target the Global Secure Access Internet traffic profile as the resource and require a compliant device, backed by a device compliance policy similar to the one I created for this demo.

Proof Of Concept

Before testing the Microsoft Entra Internet Access feature, let’s recap our completed tasks. So far, we have:

  1. activated Global Secure Access
  2. turned on the "Internet Access Profile"
  3. assigned users to the profile
  4. deployed the Global Secure Access client software on the Windows 10/11 devices
  5. enabled Universal Tenant Restrictions
  6. enabled Conditional Access signaling for Entra ID
  7. created a CA policy so that only compliant devices send internet traffic through the profile
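Before moving on to the scenarios, the following PowerShell script checks the recap items above against the tenant through Microsoft Graph (beta). It is an added example, not code from the original article: it assumes the Microsoft.Graph.Authentication module, and the endpoint paths and property names (forwardingProfiles, settings/crossTenantAccess, settings/conditionalAccess, filteringProfiles and their fields) are those of the beta networkAccess API as documented at the time of writing, so verify them against the current Graph reference before relying on the script. The -Offline switch runs the evaluation against a constructed sample instead of a tenant.

```powershell
<#
Added example (not from the original article): read-only readiness check for
the Global Secure Access settings enabled in this guide. Requires the
Microsoft.Graph.Authentication module for live runs. Endpoint paths and
property names follow the Graph beta networkAccess API as documented at the
time of writing (assumption: verify against the current reference).
#>
function Get-GsaState {
    param([switch]$Offline)

    if ($Offline) {
        # Constructed sample shaped like the Graph responses (not real tenant data);
        # CA signaling is deliberately left disabled so one check fails.
        return [pscustomobject]@{
            ForwardingProfiles = @(
                [pscustomobject]@{ trafficForwardingType = 'm365';     state = 'enabled'; policies = @() }
                [pscustomobject]@{ trafficForwardingType = 'internet'; state = 'enabled'; policies = @(
                    [pscustomobject]@{ state = 'enabled'; policy = [pscustomobject]@{ name = 'Custom Bypass';   policyRules = @() } }
                    [pscustomobject]@{ state = 'enabled'; policy = [pscustomobject]@{ name = 'Default Bypass';  policyRules = @(
                        [pscustomobject]@{ name = 'Private ranges'; action = 'bypass';  ruleType = 'ipSubnet' }) } }
                    [pscustomobject]@{ state = 'enabled'; policy = [pscustomobject]@{ name = 'Default Acquire'; policyRules = @(
                        [pscustomobject]@{ name = 'All internet';   action = 'forward'; ruleType = 'ipSubnet' }) } }
                ) }
            )
            CrossTenant       = [pscustomobject]@{ networkPacketTaggingStatus = 'enabled' }
            ConditionalAccess = [pscustomobject]@{ signalingStatus = 'disabled' }
            FilteringProfiles = @([pscustomobject]@{ name = 'Baseline Profile'; priority = 65000; state = 'enabled' })
        }
    }

    # Live run: read-only scopes are enough for every call below.
    Connect-MgGraph -Scopes 'NetworkAccess.Read.All', 'NetworkAccessPolicy.Read.All' -NoWelcome
    $base = 'https://graph.microsoft.com/beta/networkAccess'
    [pscustomobject]@{
        ForwardingProfiles = (Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri "$base/forwardingProfiles?`$expand=policies(`$expand=policy)").value
        CrossTenant        =  Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri "$base/settings/crossTenantAccess"
        ConditionalAccess  =  Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri "$base/settings/conditionalAccess"
        FilteringProfiles  = (Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri "$base/filteringProfiles").value
    }
}

function Test-GsaReadiness {
    param([Parameter(Mandatory)]$State)

    $internet = $State.ForwardingProfiles | Where-Object trafficForwardingType -eq 'internet'

    # Each check mirrors one item of the recap; a failed check is something to
    # fix before running the scenarios.
    $checks = [ordered]@{
        'Internet access profile enabled'        = ($internet.state -eq 'enabled')
        'Default Acquire policy present/enabled' = [bool]($internet.policies |
            Where-Object { $_.state -eq 'enabled' -and $_.policy.name -eq 'Default Acquire' })
        'Universal Tenant Restrictions enabled'  = ($State.CrossTenant.networkPacketTaggingStatus -eq 'enabled')
        'CA signaling / source IP restoration'   = ($State.ConditionalAccess.signalingStatus -eq 'enabled')
        'Baseline security profile (65000)'      = [bool]($State.FilteringProfiles |
            Where-Object { $_.priority -eq 65000 -and $_.state -eq 'enabled' })
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

# Offline run against the constructed sample: every check passes except CA signaling.
# Replace -Offline with nothing to query the tenant you are signed in to.
Test-GsaReadiness -State (Get-GsaState -Offline) | Format-Table -AutoSize
```

Run this once before the proof of concept and again after any change to the profile: the checks are read-only, so they are safe to schedule as a drift detector for a setting someone switched off in the portal.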

Our next step is to test Entra Internet Access with a few scenarios. In each, we will create a web content filtering policy and a security profile, then verify that the policy works as expected. Let's get started.

Scenario 1: Create a Baseline Policy to Restrict Access to Websites Categorized as High-Risk

In this scenario, we will enforce a policy to block websites deemed risky based on the organization’s standard block list. As a result, any internet traffic from Global Secure Access clients attempting to access these websites will be restricted.

Step 1: Create a web filtering policy

To create a web filtering policy, sign in to the Entra Admin Portal and follow the steps outlined in the video.

  1. In the Basics section, you provide the policy’s Name, description, and Action.
  2. In the Policy Rules section, provide the rule’s name and select the risky categories.

Step 2: Modify the baseline security policy profile

I have created a baseline security profile for my tenant with a priority of 65,000. This profile applies to all internet traffic from GSA clients and remote networks, and it does not need to be linked to a Conditional Access policy. A lower priority number wins, so 65,000 is the lowest priority: any security profile linked through Conditional Access with a lower number is evaluated before the baseline.

If you don't find a baseline profile in your tenant, create one with a priority of 65,000. Since I already have one, I only need to link the web content filtering policy to this security profile.

Step 3: Test the policy

  1. Log in to the Windows 11 machine where the Global Secure Access client software is installed.
  2. Try to access a few risky websites and confirm that access is blocked.
  3. Verify the activity in the traffic log (Global Secure Access -> Monitor -> Traffic logs).
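To make step 3 repeatable, the following script summarizes traffic log entries and flags any test destination that was allowed instead of blocked. It is an added example, not code from the original article: the record fields it reads (createdDateTime, userPrincipalName, destinationFqdn, action, policyName, policyRuleName) and the logs/traffic endpoint are the beta networkAccess traffic log properties as documented at the time of writing, and the sample records are constructed, not real tenant data. Without -Live it runs offline against that sample, which deliberately contains one leak.

```powershell
<#
Added example (not from the original article): confirm that a web content
filtering policy blocked the destinations tried from the test device, using
Global Secure Access traffic logs. Field names follow the Graph beta
networkAccess traffic log resource as documented at the time of writing
(assumption: verify against the current reference).
#>
function Get-GsaTrafficLog {
    param([switch]$Live, [int]$Hours = 1)

    if (-not $Live) {
        # Constructed sample: two blocked hits on risky sites, one allowed site,
        # and one risky site that was allowed (the policy gap to investigate).
        return @(
            [pscustomobject]@{ createdDateTime = '2025-01-10T09:00:00Z'; userPrincipalName = 'alice@contoso.example'; destinationFqdn = 'casino.example';     action = 'block'; policyName = 'Block risky categories'; policyRuleName = 'High-risk' }
            [pscustomobject]@{ createdDateTime = '2025-01-10T09:01:00Z'; userPrincipalName = 'alice@contoso.example'; destinationFqdn = 'www.microsoft.com'; action = 'allow'; policyName = $null;                   policyRuleName = $null }
            [pscustomobject]@{ createdDateTime = '2025-01-10T09:02:00Z'; userPrincipalName = 'bob@contoso.example';   destinationFqdn = 'casino.example';     action = 'block'; policyName = 'Block risky categories'; policyRuleName = 'High-risk' }
            [pscustomobject]@{ createdDateTime = '2025-01-10T09:03:00Z'; userPrincipalName = 'bob@contoso.example';   destinationFqdn = 'bet.example';        action = 'allow'; policyName = $null;                   policyRuleName = $null }
        )
    }

    # Live run: page through the last $Hours of traffic log entries.
    Connect-MgGraph -Scopes 'NetworkAccess.Read.All' -NoWelcome
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $uri = "https://graph.microsoft.com/beta/networkAccess/logs/traffic?`$filter=createdDateTime ge $since"
    $records = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri $uri
        $records += $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)
    return $records
}

function Test-BlockedDestinations {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [Parameter(Mandatory)][string[]]$ExpectedBlocked   # FQDNs you tried from the test device
    )
    $blocked = $Records | Where-Object action -eq 'block'

    # Per policy rule: how many hits and which users were blocked.
    $summary = $blocked | Group-Object policyName, policyRuleName | ForEach-Object {
        [pscustomobject]@{
            Policy = $_.Name
            Hits   = $_.Count
            Users  = ($_.Group.userPrincipalName | Sort-Object -Unique) -join ', '
        }
    }

    # An expected destination with action 'allow' means the filter did not apply
    # to that session: wrong profile priority, a missing Conditional Access link,
    # or the client not tunnelling that traffic. Treat it as a test failure.
    $leaks = @($Records | Where-Object { $_.action -eq 'allow' -and $ExpectedBlocked -contains $_.destinationFqdn })

    [pscustomobject]@{
        Summary = $summary
        Leaks   = $leaks | Select-Object createdDateTime, userPrincipalName, destinationFqdn
        Pass    = ($leaks.Count -eq 0)
    }
}

# Offline run: 'casino.example' is blocked for both users, 'bet.example' leaked for bob.
$result = Test-BlockedDestinations -Records (Get-GsaTrafficLog) -ExpectedBlocked 'casino.example', 'bet.example'
$result.Summary | Format-Table -AutoSize
$result.Leaks   | Format-Table -AutoSize
"Policy verified: $($result.Pass)"
```

Pass the exact FQDNs you typed on the test device as -ExpectedBlocked; a destination missing from the log altogether (neither blocked nor allowed) usually means the client bypassed it, so check the Custom Bypass and Default Bypass rules from Step 2 before blaming the filtering policy.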

Scenario 2: Block access to websites by category for a specific group of users

In this scenario, we restrict access to internet sites in specific categories, including Professional Networking, Streaming Media and Downloads, and Job Search, for one group of users only.

Step 1: Create a Web Filtering Policy

Follow the steps in the video to create the web content filtering policy: set the action to Block and add a rule that selects the categories above.

Step 2: Create a security profile

Follow the steps in the video to create a security profile with a priority lower than 65,000 and link the filtering policy to it.

Step 3: Create a Conditional Access Policy

Follow the instructions in the video to create a CA policy for the targeted users and associate the security profile with it as a session control.

Step 4: Test the policy

Finally, test the policy from a device signed in as a targeted user: attempt to access a website in one of the blocked categories and confirm that access is blocked. A user outside the targeted group should still be able to reach the same site.

Author: Muthu