How to enable “All internet traffic” in Microsoft Entra Internet Access

Jon Mihajlovski 0 Reputation points
2025-05-02T22:00:32.82+00:00

We are testing Microsoft Entra Global Secure Access and need to route all outbound internet traffic through GSA. Our current profile only applies to Microsoft 365 traffic. How do we enable full internet traffic tunneling in our tenant?

Microsoft Entra Internet Access
A Microsoft Entra service that provides an identity-centric Secure Web Gateway that protects access to internet, software as a service (SaaS), and Microsoft 365 apps and resources.

1 answer

  1. Sanoop M 3,075 Reputation points Microsoft External Staff Moderator
    2025-05-05T03:07:24.28+00:00

    Hello @Jon Mihajlovski,

    I understand that you are testing Microsoft Entra Global Secure Access and need to route all outbound internet traffic through GSA. Your current profile only applies to Microsoft 365 traffic, and you need guidance on how to enable full internet traffic tunneling in your tenant.

    Traffic forwarding

    Traffic forwarding enables you to configure the type of network traffic to tunnel through the Microsoft Entra Private Access and Microsoft Entra Internet Access services. You set up profiles to manage how specific types of traffic are managed.

    When traffic comes through Global Secure Access, the service evaluates the type of traffic first through the Microsoft access profile, then through the Private access profile, and finally through the Internet access profile. Any traffic that doesn't match these three profiles isn't forwarded to Global Secure Access.

    For each traffic forwarding profile, you can configure:

    • Which users receive the traffic forwarding profile and how your users connect to the service
    • Which traffic to forward to the service
    • What Conditional Access policies to apply

    Internet access

    With the internet access profile, you can route traffic to the public internet, including traffic to SaaS apps. This traffic forwarding profile consists of a prepopulated list of regular expressions for fully qualified domain names (FQDNs) and IP addresses representing the public internet.

    Note:

    Internet access profile does not include internet destinations that are available in the Microsoft traffic profile. For complete coverage, we recommend that you enable the Microsoft traffic profile together with the Internet access profile.

    Internet access traffic can be forwarded to the service by connecting through the Global Secure Access desktop client.

    Licensing

    Internet access profile requires the following licenses:

    • Microsoft Entra ID P1 or P2 (prerequisite).
    • Microsoft Entra Internet Access or Microsoft Entra Suite.

    Prerequisites

    To enable the Internet Access forwarding profile for your tenant, you must have:

    Enable the Internet Access traffic forwarding profile

    To enable the Microsoft Entra Internet Access forwarding profile to forward user traffic:

    1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
    2. Browse to Global Secure Access > Connect > Traffic forwarding.
    3. Set policies on the traffic profile. For example, set a custom bypass rule to exclude specific traffic.
    4. Enable the Internet access profile. Internet traffic starts forwarding from all client devices to Microsoft's Security Service Edge (SSE) proxy, where you configure granular security policies.

    Please refer to the screenshot below for your reference.

    User's image

    Note:

    When you enable the Internet Access forwarding profile, you should also enable the Microsoft traffic forwarding profile for optimal routing of Microsoft traffic. You enable the Microsoft traffic profile by selecting the profile checkbox on the same page where you enable the Internet Access traffic forwarding profile.

    Validate the Internet Access traffic forwarding profile

    A rule added to a policy takes 10-20 minutes to appear in the client on a user's computer. If the rule doesn't appear after this time, disable and then re-enable the Internet Access traffic forwarding profile.

    To validate the traffic forwarding profile, traffic forwarding policies, and rules:

    1. In the system tray, right-click the Global Secure Access client and select Advanced diagnostics.
    2. Open a web browser and navigate to a destination on the internal network. Confirm that traffic isn't being captured.
    3. Open a web browser and navigate to a destination that is bypassed. Confirm that traffic isn't being captured.
    4. Open a web browser and navigate to a public destination that is acquired by the profile. Confirm the traffic is being acquired under the Internet channel.

    Please refer to the documents below if you have any queries.

    Global Secure Access traffic forwarding profiles - Global Secure Access | Microsoft Learn

    How to manage the Internet Access profile - Global Secure Access | Microsoft Learn

    Assign users and groups to traffic forwarding profiles - Global Secure Access | Microsoft Learn

    I hope the information provided above is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
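
The profile evaluation order and the validation checks from the answer above, modelled as an added example (not part of the original post and not Microsoft's implementation). The `Profile` class, `channel_for`, `build_profiles` and every rule list are hypothetical and constructed; treating a bypass rule as "this profile does not acquire the traffic" is an assumption.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Profile:
    channel: str      # channel the traffic is acquired under
    enabled: bool
    forward: list     # FQDN globs or CIDRs the profile acquires
    bypass: list = field(default_factory=list)  # destinations it must not acquire

def _hit(rules, dest):
    """True if dest (FQDN or IP string) matches any glob or CIDR rule."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None
    for rule in rules:
        if "/" in rule:
            if ip is not None and ip in ipaddress.ip_network(rule):
                return True
        elif ip is None and fnmatch.fnmatch(dest.lower(), rule.lower()):
            return True
    return False

def channel_for(dest, profiles):
    """Evaluate profiles in list order; None means not forwarded to GSA."""
    for p in profiles:
        if not p.enabled or _hit(p.bypass, dest):
            continue
        if _hit(p.forward, dest):
            return p.channel
    return None

def build_profiles(microsoft_enabled, internet_enabled):
    # Constructed rules for illustration, not Microsoft's prepopulated lists.
    ms = ["*.sharepoint.com", "outlook.office.com"]
    internal = ["10.0.0.0/8", "*.corp.example"]
    return [  # order from the answer: Microsoft, then Private, then Internet
        Profile("Microsoft", microsoft_enabled, ms),
        Profile("Private", False, internal),  # not enabled in this scenario
        # Internet excludes Microsoft destinations (see the note in the answer).
        Profile("Internet", internet_enabled, ["*", "0.0.0.0/0"],
                bypass=ms + internal + ["*.bypassed.example"]),
    ]

if __name__ == "__main__":
    after = build_profiles(True, True)
    for d in ("intranet.corp.example", "app.bypassed.example", "www.example.org"):
        print(d, "->", channel_for(d, after))
```

Comparing the predicted channel for each test destination with what Advanced diagnostics shows makes an unexpected capture, or a missing one, easy to spot.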

