I have got my hands on Microsoft Entra Internet Access, which is part of the Global Secure Access and Security Service Edge suite. This feature is now in public preview. (❗️ Preview means no full support, and costs may come up once the feature goes GA, so be careful!)
In this post I want to show you the features, summarize them and explain how to get started, just sharing my experiences 🚀
With Global Secure Access Internet Access, we now have capabilities of a Secure Web Gateway (SWG) integrated into the Microsoft universe. The core functionalities are:
- Monitor and control 🕵️‍♂️ http & https traffic from devices with the GSA client installed
- Secure access 🔒 to SaaS apps on the Internet with web content filtering policies (categories or FQDN)
🔑 Setup & prerequisites
Ensure the following things as prerequisites:
- Global Secure Access Administrator role
- Entra joined Windows test device
These are the key steps to setup:
- Enable GSA for the tenant (if not already done)
- Enable Internet Access Profile
- Create security profiles & web content filter rules
- Install Global Secure Access Client
- Combine with Conditional Access
✅ Enabling Internet Access Profile
Go to Entra > GSA > Connect > Traffic forwarding and enable the Internet Access forwarding profile at the tenant level
⚙️ Create security profiles & web content filter rules
The effective configuration needs to be done at Entra > GSA >
- Security profiles — policy profiles that are assigned to Conditional Access, these contain rules from web content filtering policies (unique priority defines which one takes precedence)
- Web content filtering policies — policy that contains one or multiple policy rules, can be either set to “allow” or “block”
- Policy rules — Contain web content categories (such as Business, Entertainment, Education and more) or FQDN
The configuration of these is pretty simple, all you need to do is:
- Create a security profile and choose a priority (❗️ Priority 65000 means that the profile is applied globally and takes effect whenever GSA handles Internet traffic; no linking to Conditional Access policies is needed)
- Link existing web content filtering policies or create new ones
- If you create a new one, specify the action type, either “allow” or “block” and create one or multiple rules within it — again you can choose between a predefined category by Microsoft or enter a custom FQDN (supporting wildcards)
🧑💻 Global Secure Access Client
Download the client and install it on the test device.
Once the client is installed, ensure everything is up & running: open Advanced diagnostics and check that the Internet access forwarding profile is present. Also have a look at the Health check blade if something goes wrong.
🔐 Combine with Conditional Access
Now, to make Internet Access security profiles work, you need to create a Conditional Access policy and link the security profile (which holds the effective configuration). Go to Entra > Protection > Conditional Access and create a new policy:
- Users: include the targeted users & groups (use a test group); exclude your break-glass admin
- Target resources: Global Secure Access — Internet traffic
- Access control: Session > Use Global Secure Access security profile: choose your profile
Turn the policy on.
In my case the policy applied within 5 minutes. Web content filtering policy rule modifications applied nearly instantly.
Now if I try to access a website that is blocked, I get a connection reset and the website fails to load.
We also see the events at Entra > GSA > Monitor > Traffic logs
💡 Make use of the filter, such as Action equals block
If you want to have a look at the logs and apply KQL (custom queries), you need to ensure that the NetworkAccessTrafficLogs get forwarded to a Log Analytics Workspace. You can enable this at Entra > Identity > Monitoring & health > Diagnostic settings > Add diagnostic setting (or edit an existing one)
You can now navigate to your Log Analytics Workspace > Logs and search the data in the table NetworkAccessTraffic
With this query you can analyze all traffic on the internet profile that was blocked — it groups by destination FQDN so you can identify which ones have the highest impact.
NetworkAccessTraffic
| where TrafficType == "internet" and Action == "Block"
| summarize count() by DestinationFqdn
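As an added example (my own addition to this post, not a query from Microsoft's docs), the same table can also answer the two questions I usually get asked first: which users keep running into block rules, and whether the policy actually took effect on time. The columns TimeGenerated and UserPrincipalName are assumed from the NetworkAccessTraffic schema; verify them against your workspace before relying on the query.

```kusto
// Added example, not part of the original post.
// Query 1: blocked Internet Access traffic in the last 24 hours, per user,
// with the first/last block and up to 10 distinct blocked destinations.
// Column names besides DestinationFqdn/TrafficType/Action are assumed
// from the NetworkAccessTraffic schema; check them in your workspace.
NetworkAccessTraffic
| where TimeGenerated > ago(24h)
| where TrafficType == "internet" and Action == "Block"
| summarize Blocks = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Destinations = make_set(DestinationFqdn, 10)
    by UserPrincipalName
| where Blocks >= 20   // tune this threshold: noise vs. repeated policy hits
| order by Blocks desc

// Query 2 (run separately): 5-minute bins of blocked vs. total internet
// traffic for the last hour, to verify when a new rule started to apply.
NetworkAccessTraffic
| where TimeGenerated > ago(1h)
| where TrafficType == "internet"
| summarize Total = count(),
            Blocked = countif(Action == "Block")
    by bin(TimeGenerated, 5m)
| extend BlockedPercent = round(100.0 * Blocked / Total, 1)
| order by TimeGenerated asc
```

Query 2 is the quicker way to confirm the "applied within 5 minutes" behaviour than refreshing the Traffic logs blade by hand.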
🔮 Bonus tip: package Global Secure Access client with Intune
You don’t want to install the Global Secure Access client manually every time, so we can make use of Intune. Perform these steps to package the app. (⚠️ Remember that you should update the executables or leverage auto-update)
1. Download the GSA client and wrap it with the Microsoft-Win32-Content-Prep-Tool
2. Upload the generated .intunewin file to Intune at Apps > New; provide at least the name and publisher, and grab the logo
3. Specify the install and uninstall commands:
   GlobalSecureAccessClient.exe /install /quiet
   GlobalSecureAccessClient.exe /uninstall /quiet
4. Specify the requirements (latest)
5. Configure the detection rules (others also work or may be better)
Create the app, wait until the contents are uploaded, assign it and let it be installed on the devices.