Microsoft Global Secure Access Proof of Concept Guidance - Configure Microsoft Entra Internet Access

The Proof of Concept (PoC) guidance in this series of articles helps you to learn, deploy, and test Microsoft Global Secure Access with Microsoft Entra Internet Access, Microsoft Entra Private Access, and the Microsoft traffic profile.

Detailed guidance begins with Introduction to Global Secure Access Proof of Concept Guidance, continues with Configure Microsoft Entra Private Access, and concludes with this article.

This article helps you to configure Microsoft Entra Internet Access to act as a secure web gateway. This solution allows you to configure web content filtering policies to allow or block internet traffic. You can then group those policies into security profiles that you apply to your users with Conditional Access policies.

Note

Rules and policies are applied in order of priority. For detailed guidance, refer to the Policy processing logic section of Learn about Microsoft Entra Internet Access.

Microsoft Entra Internet Access configuration steps

To configure Microsoft Entra Internet Access, follow How to configure Global Secure Access web content filtering, which walks through these high-level steps:

  1. Enable internet traffic forwarding.
  2. Create a web content filtering policy.
  3. Create a security profile.
  4. Link the security profile to a Conditional Access policy.
  5. Assign users or groups to the traffic forwarding profile.

Configure Microsoft Entra Internet Access use cases

Configure and test use cases with web content filtering policies, security profiles, and Conditional Access policies. Here are example use cases:

Note

Microsoft doesn't currently support blocking and allowing individual URLs, because URL filtering requires Transport Layer Security (TLS) inspection, which isn't yet available. Filtering rules apply to FQDNs and web categories.

Create a baseline profile applying to all internet access traffic routed through the service

Perform the following steps to use a baseline profile to secure all traffic in your environment without needing to apply Conditional Access policies.

  1. Create a web content filtering policy that includes rules to allow or block FQDNs or web categories across your user base. For example, create a rule that blocks the Social Networking category to block all social media sites.
  2. Link the web content filtering policy to the baseline profile. In the Microsoft Entra admin center, navigate to Global Secure Access > Secure > Security profiles > Baseline profile.
  3. Sign in to your test device and attempt to access the blocked site.
  4. View activity in the traffic log to confirm entries for your target FQDN show as blocked. If necessary, use Add filter to filter results on User principal name of your test user.

Block a group from accessing websites based on category

  1. Create a web content filtering policy that includes rules to block a web category. For example, create a rule that blocks the Social Networking category to block all social media sites.
  2. Create a security profile to group and prioritize your web content filtering policies. Link the web content filtering policy to this profile.
  3. Create a Conditional Access policy to apply the security profile to your users.
  4. Sign in to your test device and attempt to access a blocked site. You should see DeniedTraffic for http websites and a Can't reach this page notification for https websites. It can take up to 90 minutes for a newly assigned policy to take effect. It can take up to 20 minutes for changes to an existing policy to take effect.
  5. View activity in the traffic log to confirm entries for your target FQDN show as blocked. If necessary, use Add filter to filter results on User principal name of your test user.

Block a group from accessing websites based on FQDN

  1. Create a web content filtering policy that includes rules to block an FQDN (not URL).
  2. Create a security profile to group and prioritize your web content filtering policies. Link the web content filtering policy to this profile.
  3. Create a Conditional Access policy to apply the security profile to your users.
  4. Sign in to your test device and attempt to access the blocked FQDN. You should see DeniedTraffic for http websites and a Can't reach this page notification for https websites. It can take up to 90 minutes for a newly assigned policy to take effect. It can take up to 20 minutes for changes to an existing policy to take effect.
  5. View activity in the traffic log to confirm entries for your target FQDN show as blocked. If necessary, use Add filter to filter results on User principal name of your test user.

Allow a user to access a blocked website

  1. Create a web content filtering policy that includes a rule to allow an FQDN.
  2. Create a security profile to group and prioritize your web content filtering policies. Give this allowed profile a higher priority than the block profile. For example, if the block profile is set to priority 500, set the allowed profile to 400.
  3. Create a Conditional Access policy to apply the security profile to the users that you want to allow access to the blocked FQDN.
  4. Sign in to your test device and attempt to access the allowed FQDN. It can take up to 90 minutes for a newly assigned policy to take effect. It can take up to 20 minutes for changes to an existing policy to take effect.
  5. View activity in the traffic log to confirm entries for your target FQDN show as allowed. If necessary, use Add filter to filter results on User principal name of your test user.
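The priority logic behind the baseline profile and the block/allow use cases above, as an added model written for this article (not Microsoft's code or the product's schema). The default-allow behaviour, the 65000 baseline priority, the wildcard FQDN matching, and all profile names and UPNs are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    kind: str    # "fqdn" or "webCategory" (assumed labels for the two rule types)
    value: str   # an FQDN such as "social.example", or a category such as "Social Networking"
    action: str  # "allow" or "block"

@dataclass(frozen=True)
class Profile:
    name: str
    priority: int                       # lower number is evaluated first
    rules: tuple
    assigned: frozenset = frozenset()   # UPNs targeted by Conditional Access; empty = baseline (everyone)

BASELINE_PRIORITY = 65_000  # assumed: the baseline profile is evaluated after every other profile

def fqdn_matches(rule_value, fqdn):
    """Exact FQDN match, plus a '*.parent' form that covers subdomains (assumed semantics)."""
    if rule_value.startswith("*."):
        return fqdn.endswith(rule_value[1:])
    return rule_value == fqdn

def evaluate(upn, fqdn, category, profiles):
    """Return (action, profile name) from the first matching rule in ascending priority order.
    Traffic that matches no rule is allowed (assumed default)."""
    applicable = [p for p in profiles if not p.assigned or upn in p.assigned]
    for profile in sorted(applicable, key=lambda p: p.priority):
        for rule in profile.rules:
            hit = (rule.kind == "fqdn" and fqdn_matches(rule.value, fqdn)) or \
                  (rule.kind == "webCategory" and rule.value == category)
            if hit:
                return rule.action, profile.name
    return "allow", None

# Constructed profiles mirroring the article's use cases (all names and UPNs are made up)
STAFF = frozenset({"alice@contoso.example", "bob@contoso.example"})
BLOCK_SOCIAL = Profile("Block social", 500,
                       (Rule("webCategory", "Social Networking", "block"),), STAFF)
ALLOW_FOR_BOB = Profile("Allow social.example", 400,
                        (Rule("fqdn", "social.example", "allow"),), frozenset({"bob@contoso.example"}))
BASELINE = Profile("Baseline profile", BASELINE_PRIORITY,
                   (Rule("fqdn", "*.malicious.example", "block"),))
PROFILES = [BLOCK_SOCIAL, ALLOW_FOR_BOB, BASELINE]

if __name__ == "__main__":
    for upn in ("alice@contoso.example", "bob@contoso.example", "carol@contoso.example"):
        print(upn, evaluate(upn, "social.example", "Social Networking", PROFILES))
        print(upn, evaluate(upn, "cdn.malicious.example", "Malware", PROFILES))
```

Bob's allow profile at priority 400 wins over the block profile at 500, while Alice, who isn't assigned the allow profile, is blocked, and Carol only gets the baseline rules.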

Enable and manage the Microsoft traffic forwarding profile

The ability to secure Microsoft traffic is a key feature of Microsoft Entra Internet Access. It enables you to quickly deploy an automatically configured Microsoft traffic profile that includes traffic forwarding rules. These rules let you secure and monitor Microsoft traffic (such as SharePoint Online and Exchange Online) and authentication traffic for any application integrated with Microsoft Entra ID. There are known limitations.

  1. Enable the Microsoft traffic profile.
  2. Assign users and groups to the profile.
  3. If desired, configure Conditional Access policies to enforce compliant network check.
  4. Sign in to your test device and attempt to access SharePoint Online and Exchange Online.
  5. View activity in the traffic log to confirm that Global Secure Access enabled access. Verify in the sign-in logs that Through Global Secure Access shows as Yes.

Implement Universal Tenant Restrictions

Universal Tenant Restrictions enable you to control access to external tenants by unmanaged identities on company-managed devices and networks. You can enforce this restriction at the authentication plane with Tenant Restrictions v1, either blocking or allowing all traffic to an external tenant. However, this scenario usually requires hair-pinning traffic to a corporate network proxy. With Universal Tenant Restrictions, organizations can restrict access per application, extend protection to the data plane (in addition to the authentication plane), and eliminate the need to hair-pin traffic, which reduces network latency.

After you enable the Microsoft traffic profile, follow these steps to implement Universal Tenant Restrictions:

  1. Set up tenant restrictions v2. If your organization currently uses Tenant Restrictions v1, review the TRv2 migration guide.
  2. Enable Global Secure Access signaling for tenant restrictions.
  3. Sign in to your test device and attempt to access a different tenant's SharePoint Online or Exchange Online resource for which you have valid credentials.
  4. Validate authentication plane protection.
  5. Validate data plane protection.

Troubleshooting

If you run into issues during your PoC, these articles can help you with troubleshooting, logging, and monitoring:

Next steps