Microsoft Global Secure Access proof-of-concept guidance: Configure Microsoft Entra Internet Access
The proof-of-concept (PoC) guidance in this series of articles helps you to learn, deploy, and test Microsoft Global Secure Access with Microsoft Entra Internet Access, Microsoft Entra Private Access, and the Microsoft traffic profile.
Detailed guidance begins with Introduction to Microsoft Global Secure Access proof-of-concept guidance, continues with Configure Microsoft Entra Private Access, and concludes with this article.
This article helps you to configure Microsoft Entra Internet Access to act as a secure web gateway. This solution enables you to configure policies for filtering web content to allow or block internet traffic. You can then group those policies into security profiles that you apply to your users through Conditional Access policies.
Note
Apply rules and policies in order of priority. For detailed guidance, refer to Policy processing logic.
Configure Microsoft Entra Internet Access
To configure Microsoft Entra Internet Access, see How to configure Global Secure Access web content filtering. It provides guidance to perform these high-level steps:
- Enable internet traffic forwarding.
- Create a policy for filtering web content.
- Create a security profile.
- Link the security profile to a Conditional Access policy.
- Assign users or groups to the traffic forwarding profile.
Configure use cases
Configure and test Microsoft Entra Internet Access use cases with web content filtering policies, security profiles, and Conditional Access policies. The following sections provide example use cases with specific guidance.
Note
Microsoft doesn't currently support blocking and allowing URLs because it requires Transport Layer Security (TLS) inspection, which isn't yet available.
Create a baseline profile that applies to all internet traffic routed through the service
Perform the following steps to use a baseline profile to help secure all traffic in your environment without needing to apply Conditional Access policies:
Create a policy for filtering web content that includes rules to allow or block fully qualified domain names (FQDNs) or web categories across your user base. For example, create a rule that blocks the Social Networking category to block all social media sites.
Link the policy for filtering web content to the baseline profile. In the Microsoft Entra admin center, go to Global Secure Access > Secure > Security profiles > Baseline profile.
Sign in to your test device and try to access the blocked site.
View activity in the traffic log to confirm that entries for your target FQDN show as blocked. If necessary, use Add filter to filter results on User principal name for your test user.
Block a group from accessing websites based on category
Create a policy for filtering web content that includes rules to block a web category. For example, create a rule that blocks the Social Networking category to block all social media sites.
Create a security profile to group and prioritize your policies. Link the policy for filtering web content to this profile.
Create a Conditional Access policy to apply the security profile to your users.
Sign in to your test device and try to access a blocked site. You should see DeniedTraffic for http websites and a Can't reach this page notification for https websites. It can take up to 90 minutes for a newly assigned policy to take effect. It can take up to 20 minutes for changes to an existing policy to take effect.
View activity in the traffic log to confirm that entries for your target FQDN show as blocked. If necessary, use Add filter to filter results on User principal name for your test user.
Block a group from accessing websites based on FQDN
Create a policy for filtering web content that includes rules to block an FQDN (not a URL).
Create a security profile to group and prioritize your policies. Link the policy for filtering web content to this profile.
Create a Conditional Access policy to apply the security profile to your users.
Sign in to your test device and try to access the blocked FQDN. You should see DeniedTraffic for http websites and a Can't reach this page notification for https websites. It can take up to 90 minutes for a newly assigned policy to take effect. It can take up to 20 minutes for changes to an existing policy to take effect.
View activity in the traffic log to confirm that entries for your target FQDN show as blocked. If necessary, use Add filter to filter results on User principal name for your test user.
Allow a user to access a blocked website
Create a policy for filtering web content that includes a rule to allow an FQDN.
Create a security profile to group and prioritize your policies for filtering web content. Give this allowed profile a higher priority than the blocked profile. For example, if the blocked profile is set to priority 500, set the allowed profile to 400.
Create a Conditional Access policy to apply the security profile to the users who need access to the blocked FQDN.
Sign in to your test device and try to access the allowed FQDN. It can take up to 90 minutes for a newly assigned policy to take effect. It can take up to 20 minutes for changes to an existing policy to take effect.
View activity in the traffic log to confirm that entries for your target FQDN show as allowed. If necessary, use Add filter to filter results on User principal name for your test user.
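To reason about how the priority numbers in this use case interact with the category block and the baseline profile, here is an added Python model of first-match evaluation across security profiles; it is an illustration written for this guide, not Microsoft's code or API. It assumes that a lower priority number is evaluated first, that the baseline profile is consulted last for every user, and that unmatched traffic is allowed; the user names, FQDNs and the category lookup are constructed.

```python
from dataclasses import dataclass, replace

@dataclass
class Rule:
    kind: str    # "fqdn" or "category"
    value: str   # an FQDN such as "www.example-social.test", or a web category name
    action: str  # "allow" or "block"
@dataclass
class Policy:
    name: str
    rules: list
@dataclass
class Profile:
    name: str
    priority: int           # lower number = higher priority, so 400 is evaluated before 500
    policies: list
    assigned_users: set = None  # None marks the baseline profile, which applies to every user

# Constructed category lookup standing in for the service's web categories.
CATEGORY_OF = {"www.example-social.test": "Social Networking"}

def matches(rule, fqdn):
    if rule.kind == "fqdn":
        return fqdn == rule.value or fqdn.endswith("." + rule.value)
    return CATEGORY_OF.get(fqdn) == rule.value

def evaluate(profiles, user, fqdn):
    """Return (action, profile, policy) of the first rule that matches for this user.
    Assumed order: linked profiles by priority number, then the baseline; no match = allow."""
    linked = sorted((p for p in profiles if p.assigned_users is not None), key=lambda p: p.priority)
    baseline = [p for p in profiles if p.assigned_users is None]
    for profile in linked + baseline:
        if profile.assigned_users is not None and user not in profile.assigned_users:
            continue  # profile is not applied to this user by Conditional Access
        for policy in profile.policies:
            for rule in policy.rules:
                if matches(rule, fqdn):
                    return rule.action, profile.name, policy.name
    return "allow", None, None

def reprioritized(profile, priority):
    """Copy of a profile with a different priority, to check what a misordering would do."""
    return replace(profile, priority=priority)

# Constructed PoC setup mirroring the use cases in this article.
BLOCK_SOCIAL = Profile("Block social", 500, [Policy("Block Social Networking",
    [Rule("category", "Social Networking", "block")])], {"alice@contoso.test", "bob@contoso.test"})
ALLOW_EXCEPTION = Profile("Allow exception", 400, [Policy("Allow one site",
    [Rule("fqdn", "www.example-social.test", "allow")])], {"alice@contoso.test"})
BASELINE = Profile("Baseline", 0, [Policy("Baseline block",
    [Rule("fqdn", "blocked.example.test", "block")])])  # priority unused for the baseline
PROFILES = [BLOCK_SOCIAL, ALLOW_EXCEPTION, BASELINE]
```

Calling `evaluate` with the allow profile moved to priority 600 shows the exception silently stop working, which is the misconfiguration the priority step above guards against.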
Enable and manage the Microsoft traffic forwarding profile
The ability to help secure Microsoft traffic is a key feature of Microsoft Entra Internet Access. You can quickly deploy an automatically configured Microsoft traffic profile that includes traffic forwarding rules. You can then use these rules to help secure and monitor Microsoft traffic (such as SharePoint Online and Exchange Online) and authentication traffic for any application that's integrated with Microsoft Entra ID. There are known limitations.
Assign users and groups to the profile.
If desired, configure Conditional Access policies to enforce compliant network checks.
Sign in to your test device and try to access SharePoint Online and Exchange Online.
View activity in the traffic log to confirm that Global Secure Access enabled access. Verify in the sign-in logs that Through Global Secure Access shows as Yes.
Implement universal tenant restrictions
Universal tenant restrictions enable you to control access to external tenants by unmanaged identities on company-managed devices and networks. You can enforce this restriction at the authentication plane with tenant restrictions v1, by either blocking or allowing all traffic to an external tenant.
This scenario usually requires hair-pinning traffic to a corporate network proxy. With universal tenant restrictions, organizations can restrict access on a per-application level, extend protection to the data plane (in addition to the authentication plane), and eliminate the need to hair-pin traffic to reduce network latency.
After you enable the Microsoft traffic profile, follow these steps to implement universal tenant restrictions:
Set up tenant restrictions v2. If your organization currently uses tenant restrictions v1, review the guide for migrating to tenant restrictions v2.
Enable Global Secure Access signaling for tenant restrictions.
Sign in to your test device and try to access a different tenant's SharePoint Online or Exchange Online resource for which you have valid credentials.
Troubleshoot
If you have problems with your PoC, these articles can help you with troubleshooting, logging, and monitoring:
- Global Secure Access FAQ
- Troubleshoot problems installing the Microsoft Entra private network connector
- Troubleshoot the Global Secure Access client: Diagnostics
- Troubleshoot the Global Secure Access client: Health check tab
- Troubleshoot a Distributed File System issue with Global Secure Access
- Global Secure Access logs and monitoring
- How to use workbooks with Global Secure Access
Related content
- Introduction to Microsoft Global Secure Access proof-of-concept guidance
- Configure Microsoft Entra Private Access
- Introduction to the Microsoft Global Secure Access deployment guide
- Microsoft Global Secure Access deployment guide for Microsoft Entra Private Access
- Microsoft Global Secure Access deployment guide for Microsoft Entra Internet Access
- Microsoft Global Secure Access deployment guide for Microsoft traffic