Microsoft Entra Internet Access — hands-on

I have got my hands on Microsoft Entra Internet Access which is part of the Global Secure Access and Security Service Edge suite. This feature is now in public preview. (❗️ preview means no full support and potential costs can come up, once the feature goes GA, be careful!)

In this post I want to show and summarize you the features and how to get started with it, just sharing my experiences 🚀

Short intro

With Global Secure Access Internet Access, we now have capabilities of a Secure Web Gateway (SWG) integrated into the Microsoft universe. The core functionalities are:

• Monitor and control 🕵️‍♂️ http & https traffic from devices with GSA client installed
• Secure access 🔒 to SaaS apps in the Internet with web content filtering policies (categories or FQDN)

🔑 Setup & prerequisites

Ensure the following things as prerequisites:

• Global Secure Access Administrator role
• Entra joined Windows test device

These are the key steps to setup:

1. Enable GSA for the tenant (if not already done)
2. Enable Internet Access Profile
3. Create security profiles & web content filter rules
4. Install Global Secure Access Client
5. Combine with Conditional Access

✅ Enabling Internet Access Profile

Go to Entra > GSA > Connect > Traffic forwarding and enable the Internet Access on the tenant level as feature

Enable profile

⚙️ Create security profiles & web content filter rules

The effective configuration needs to be done at Entra > GSA >

• Security profiles — policy profiles that are assigned to Conditional Access, these contain rules from web content filtering policies (unique priority defines which one takes precedence)

Security profiles

• Web content filtering policies — policy that contains one or multiple policy rules, can be either set to “allow” or “block”

Web content filtering policies

• Policy rules — Contain web content categories (such as Business, Entertainment, Education and more) or FQDN

Policy rules

The configuration of these is pretty simple, all you need to do is:

1. Create a security profile, choose priority (❗️ Priority 65000 means, that the policy is globally applied and is effective when GSA uses Internet traffic, no linking to Conditional Access policies is needed)
2. Link existing web content filtering policies or create new ones
3. If you create a new one, specify the action type, either “allow” or “block” and create one or multiple rules within it — again you can choose between a predefined category by Microsoft or enter a custom FQDN (supporting wildcards)

🧑‍💻 Global Secure Access Client

Download the Client, that you need to install on the test device.

Download GSA client

Once the client is installed, ensure everything is up & running. Do this via Advanced diagnostics and check the Internet access forwarding profile. Also have a look at the Health check blade, if something goes wrong.

🔐 Combine with Conditional Access

Now to make Internet Access security profiles working, you need to create a Conditional Access policy and link the security profile (that holds the effective configuration.) Go to Entra > Protection > Conditional Access and create a new policy:

• Users

Include targeted users & group (use a test group)

Exclude: Breaking Glass admin

• Target resources

Global Secure Access — Internet traffic

• Conditions

Optional

• Access control: Session

Use Global Secure Access security profile: choose your profile

Turn the policy on.

CA policy example

In my case the policy applied within 5 minutes. Web content filltering policy rule modifications applied nearly instantly.

🔴 Demo

Now if I try to access a website that is blocked: we will get a connection reset and fail to access the website.

Demo

We also see the events at Entra > GSA > Monitor > Traffic logs

💡 Make use of the filter, such as Action equals block

Traffic logs example

🔍 Monitoring

If you want to have a look to the logs and apply KQL (custom queries) you need to ensure that the NetworkAccessTrafficLogs get forwarded to a Log Analytics Workspace. You can enable this at Entra > Identity > Monitoring & health > Diagnostics settings > add diagnostics setting (or edit existing an existing one)

Log forwarding

You can now navigate to your Log Analytics Workspace > Logs and search the data on the table NetworkAccessTraffic

KQL query NetworkAccessTraffic

Example query

With this query you can analyze all traffic on the internet profile, which was blocked — it groups the URLs so you can identify which have the highest impact.

NetworkAccessTraffic
| where TrafficType == "internet" and Action == "Block"
| summarize count() by DestinationFqdn

🔮 Bonus tip: package Global Secure Access client with Intune

You don’t want to install the Global Secure Access client manually every time. Therefore, we can make use of Intune. Perform these steps to package the app. (⚠️ Remember that you should update the executables or leverage auto-update)

1. Download the GSA client and wrap it with Microsoft-Win32-Content-Prep-Tool

Intune content prep tool GSA client

2. Upload the generated .intunewin file to Intune at Apps > New
provide at least the name and Publisher, grab the logo

3. Specify the install and uninstall commands

GlobalSecureAccessClient.exe /install /quiet

GlobalSecureAccessClient.exe /uninstall /quiet

Program

4. Specify requirements (latest)

Requirements

5. Configure the detection rules (others also work or may be better)

Detection rules

Create the app, wait until the contents are uploaded, assign it and let it be installed on the devices.

Read my other stories on:

Microsoft Entra Private Access — secure any app with Conditional Access | by Niklas Tinner | Medium

Introduction to Microsoft Entra Security Service Edge (SSE) (oceanleaf.ch)