Edit

Tutorial: Enable TLS inspection

Transport Layer Security (TLS) inspection in Microsoft Entra Internet Access lets you decrypt and inspect encrypted traffic at service edge locations. This feature lets Global Secure Access (GSA) apply advanced security controls like threat detection, more granular web content filtering, and other content controls. TLS inspection also enables GSA to provide a custom, user-friendly error message, such as when a user is blocked because of web content filtering.

In this tutorial, you learn how to:

  • Create the TLS termination certificate for TLS inspection.
  • Create and configure a TLS inspection policy.
  • Link the TLS inspection policy to a security profile.
  • Assign the security profile via Microsoft Entra Conditional Access.
  • Verify TLS inspection on the client.

Key concepts

Why is TLS inspection necessary?

Over 95% of web traffic today is encrypted with HTTPS/TLS. Without TLS inspection, security tools can only see the:

  • Destination IP address.
  • Server name indication (SNI), which is the fully qualified domain name (FQDN) from the TLS handshake.

With TLS inspection enabled, security tools can see the:

  • Full URL paths (for example, /images and /downloads/malware.exe).
  • Request and response content.
  • File uploads and downloads.
  • Web page content for categorization.

How does TLS inspection work?

Here's the flow of traffic:

  1. The client establishes TLS connection to security service edge (SSE).
  2. SSE establishes separate TLS connection to destination.
  3. SSE decrypts, inspects, and reencrypts traffic.
  4. The client sees a certificate signed by your enterprise certificate authority (CA).
  5. If allowed by policy, SSE forwards the traffic to the original destination server.
User → GSA Client → SSE Proxy → Destination Server
                         │
                   [TLS Terminated]
                   [Content Inspected]
                   [Re-encrypted with Enterprise CA cert]
                   [Forwarded to destination]

Objective

In this tutorial, you create and enable a TLS inspection policy. You keep the system-generated bypass rules at their default values. You then verify that TLS inspection is occurring as expected.

Sample walkthrough videos

The following video demonstrates how to configure TLS inspection.

The following video demonstrates more TLS inspection configuration.

The following video demonstrates how to verify TLS inspection.

Step 1: Create a TLS termination CA certificate

Creating a TLS termination CA certificate involves generating a certificate signing request (CSR), signing it, and uploading the signed certificate. The TLS termination CA certificate is used to issue short-lived leaf certificates for the website being accessed.

Step 1.1: Generate a CSR

To create a CSR and upload the signed certificate for TLS termination:

  1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.

  2. Browse to Global Secure Access > Secure > TLS inspection policies.

  3. Switch to the TLS inspection settings tab.

  4. Select + Create certificate. This step starts with generating a CSR.

  5. In the Create certificate pane, fill in the following fields:

    • Certificate name: The certificate name appears in the certificate hierarchy when you view it in a browser. It must be unique, contain no spaces, and be no more than 12 characters long. You can't reuse previous names.
    • Common name: The common name, for example, Contoso TLS ICA, that identifies the intermediate certificate.
    • Organization name: The organization name, for example, Contoso IT.

  6. Select Create CSR. This step creates a .csr file and saves it to your default download folder.

    Screenshot that shows creating a certificate.

Step 1.2: Sign the CSR

Sign the CSR by using your self-signed certificate or private key infrastructure (PKI) service.

If you create your own certificate without using the provided samples, make sure that Server Auth is in Extended Key Usage and certificate authority (CA)=true, keyCertSign, cRLSign, and basicConstraints=critical,CA:TRUE are in Basic Extension. Save the signed certificate in .pem format.

Step 1.3: Upload the signed certificate for TLS termination

After you have your certificate and chain .pem files, upload the signed certificate for TLS termination.

  1. Select + Upload certificate.

  2. On the Upload certificate form, upload the signedcertificate.pem and rootCAchain.pem files.

  3. Select Upload signed certificate.

    Screenshot that shows uploading the certificate.

  4. Next to the certificate, select the ellipsis (three dots) under the Actions column, and then select Enable.

    Screenshot that shows the enable action for the certificate.

  5. After you enable the certificate, the status changes from Enrolling to Active. This step might take a few minutes.

    Screenshot that shows the certificate with Active status.

Step 2: Create a TLS inspection policy

To create a TLS inspection policy:

  1. In the Microsoft Entra admin center, browse to Secure > TLS inspection policies.

  2. Select Create policy.

  3. Enter a name and a description (optional), and then set Action to Inspect.

  4. Select Next.

    By setting the default action to Inspect, all traffic is TLS inspected unless it matches a bypass rule that you or the system generates. When you create a TLS inspection policy, the system automatically generates two rules. The first rule is a system rule that automatically bypasses destinations that Microsoft knows are incompatible with TLS inspection. The second rule is a recommended bypass list that bypasses TLS inspection for specific categories that users might consider sensitive or private. You can edit this rule later.

    You can view the system-generated rules after you create the TLS inspection policy by selecting Edit on the policy.

    Screenshot that shows the TLS inspection policy rules.

  5. Select Next.

  6. Select Submit.

  1. Browse to Global Secure Access > Secure > Security profiles.
  2. Select Create profile.
  3. Enter a name and description for the policy and select Next.
  4. Select Link a policy and then select Existing TLS inspection policies.
  5. Select the TLS inspection policy that you created and select Add.
  6. Select Next.
  7. Select Create a profile.

Step 4: Assign the security profile via Conditional Access

  1. Browse to Entra ID > Conditional Access.
  2. Select Create new policy.
  3. Enter a name and assign a user or group.
  4. Select Target resources, and then select All internet resources with Global Secure Access.
  5. Select Session > Use Global Secure Access security profile and choose the security profile that you created in step 3.
  6. Select Select.
  7. In the Enable policy section, ensure that On is selected.
  8. Select Create.

It might take up to an hour for the security profile to take effect after Conditional Access assigns it.

Step 5: Verify TLS inspection on the client

To verify that TLS inspection is occurring properly:

  1. Make sure the user device has the rootCAchain.pem file installed in the Trusted Root Certification Authorities folder.

    • On Windows 11, open Manage user certificates.
    • Select Trusted Root Certification Authorities, and then right-click Certificates.
    • Select Import (it might be located under All Tasks).
    • Follow the import wizard to select and import the rootCAchain.pem file.

  2. Open a browser on a client device and test various websites, such as www.google.com. Inspect the certificate information and confirm the GSA certificate.

    Note

    Microsoft traffic bypasses the Internet Access tunnel, which means that TLS inspection isn't applied to most Microsoft applications. Be sure to browse to a non-Microsoft website before you verify that TLS inspection is configured properly.

To check the certificate on the Microsoft Edge browser:

  1. Select the lock icon next to the web URL.

    Screenshot that shows the lock icon next to the URL.

  2. Select Connection is secure.

  3. Select the certificate icon.

    Screenshot that shows Connection is secure and the certificate icon.

  4. Verify that the common name says Microsoft Global Secure Access Intermediate.

    Screenshot that shows certificate verification.

What you learned

In this exercise, you accomplished the following tasks:

  • Created a certificate hierarchy: You generated a CSR, signed it with a root CA, and uploaded both certificates to GSA. You established the trust chain that you need for TLS inspection.
  • Understood bypass rules: You learned that some destinations are incompatible with TLS inspection, such as certificate pinning or mutual TLS, or are privacy sensitive, such as banking or healthcare. The system automatically bypasses some destinations by default.
  • Created a security profile with Conditional Access: You learned that unlike the baseline profile (which applies to everyone), this security profile uses Conditional Access to target specific users to allow for phased rollouts.
  • Distributed the root CA certificate: You learned that for clients to trust the re-encrypted traffic, they need the root CA certificate in their trusted store.

Deep dive: The certificate chain

 ┌─────────────────────────────┐
 │     Your root CA            │  ← Deployed to client trusted store
 │   (rootCAchain.pem)         │
 └─────────────┬───────────────┘
               │
               ▼ Signs
 ┌─────────────────────────────┐
 │  GSA intermediate CA        │  ← Uploaded to GSA (signed certificate)
 │  (signedcertificate.pem)    │
 └─────────────┬───────────────┘
               │
               ▼ Signs (dynamically)
 ┌─────────────────────────────┐
 │   Leaf certificates         │  ← Generated on-the-fly for each site
 │   (www.google.com, etc.)    │
 └─────────────────────────────┘

Security considerations

  • Protect your root CA private key because attackers could forge certificates if it's compromised.
  • Consider using a dedicated CA for TLS inspection, not your production PKI (common industry guidance).
  • Audit bypass rules regularly to ensure that sensitive sites remain protected.

What's next

With TLS inspection enabled, you can now create URL-based filtering rules (not just fully qualified domain names). You can also provide custom block messages to users.

Next step

Tutorial: Configure URL filtering

  • Last updated on