Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept

The Microsoft identity-centric Security Service Edge solution converges network and identity access controls so you can secure access to any app or resource from any location, device, or identity. It enables and orchestrates access policy management for employees, business partners, and digital workloads. You can monitor and adjust user access continuously in real time if permissions or risk levels change for private apps, SaaS apps, and Microsoft endpoints.

Protecting enterprise users and managed devices from malicious internet traffic and malware infection concerns every company. Use the Microsoft Entra Internet Access Secure Web Gateway functionality, integrated with Microsoft Entra Conditional Access, to block traffic based on web categories and on fully qualified domain names (FQDNs).

The guidance in this article helps you deploy Microsoft Entra Internet Access as a proof of concept in your production or test environment. It covers setup and configuring web content filtering. You can review prerequisites in Microsoft's Security Service Edge Solution Deployment Guide Introduction, which includes how to scope your configuration and testing to specific test users and groups.

Deploy and test Microsoft Entra Internet Access

Complete the Configure initial product steps. Learn to enable the Microsoft Entra Internet Access traffic forwarding profile and install the Global Secure Access Client on a test device. For these sample PoC scenarios, you need one test group with one test user as a member.

Sample PoC scenario: Create a baseline policy applying to all internet access traffic routed through the service

Microsoft Entra Internet Access lets you configure a security profile with a priority of 65,000 that applies to all traffic without linking it to a Conditional Access policy. Complete the following tasks to create this baseline policy to block an FQDN:

Create a web filtering policy

  1. In the Microsoft Entra admin center, go to Global Secure Access > Secure > Web content filtering policies > Create policy > Configure Global Secure Access content filtering.

    Screenshot of Global Secure Access Secure Web content filtering policies.

  2. On Create a web content filtering policy > Basics, provide the following details.

    • Name: Baseline Internet Access block rule.
    • Description: Add a description.
    • Action: Block.

    Screenshot of Global Secure Access, Web content filtering policies, Create a web content filtering policy, Basics for baseline policy.

  3. Select Next.

  4. On Create a web content filtering policy > Policy Rules, select Add Rule.

    Screenshot of Global Secure Access, Create a web content filtering policy, Policy Rules for baseline policy.

  5. In the Add Rule dialog box, provide the following details.

    • Name: Baseline blocked web categories.
    • Destination type: webCategory.
    • Search: Select a few risky categories and confirm they appear in the Selected items list.

    Screenshot of Global Secure Access, Create a web content filtering policy, Add Rule for baseline policy.

  6. Select Add.

  7. On Create a web content filtering policy > Policy Rules, confirm your selections.

    Screenshot of Global Secure Access, Create a web content filtering policy, Review for baseline policy.

  8. Select Next.

  9. On Create a web content filtering policy > Review, confirm your policy configuration.

  10. Select Create policy.

    Screenshot of Global Secure Access, Security profiles, Review tab for baseline policy.

  11. To confirm policy creation, view it in the Manage web content filtering policies list.

Create a security policy profile

  1. In the Microsoft Entra admin center, go to Global Secure Access > Secure > Security profiles. Select Create profile.

    Screenshot of Global Secure Access, Security profiles.

  2. On Create a profile > Basics, provide the following details.

    • Profile name: Baseline Internet Access Block Profile.
    • Description: Add a description.
    • State: enabled.
    • Priority: 65000.

    Screenshot of Global Secure Access, Security profiles, Basics for baseline policy.

  3. Select Next.

  4. On Create a profile > Link policies, select Link a policy. Select Existing policy.

    • In the Link a policy dialog box, select Policy name and select Baseline Internet Access block rule.
    • Priority: 100.
    • State: Enabled.
  5. Select Add.

  6. On Create a profile > Link policies, confirm Baseline Internet Access Block Rule is in the list.

  7. Select Next.

  8. On Create a profile > Review, confirm your profile configuration.

    Screenshot of Global Secure Access, Security profiles, Review for baseline policy.

  9. Select Create a profile.

Attempt to access blocked sites

  1. Sign in to the test device where you installed the Global Secure Access (GSA) agent.

  2. In the system tray, right-click Global Secure Access Client. Select Advanced Diagnostics.

    Screenshot of Global Secure Access System Tray options, Advanced diagnostics.

  3. In the Global Secure Access Client - Advanced Diagnostics dialog box, select Traffic.

  4. On Network traffic, select Start collecting.

    Screenshot of Global Secure Access Client, Advanced diagnostics, Traffic, Network traffic, Start collecting.

  5. To confirm blocked access, attempt to open the FQDN you blocked. It can take up to 20 minutes for the policy to apply to your client device.

Stop the agent and confirm restored access

  1. On Network traffic, select Stop collecting.

  2. Scroll to observe the traffic related to opening the FQDN, and associated data.

    Screenshot of Network traffic for FQDN.

  3. On your test device, in the System Tray, expand the options, right-click Global Secure Access Client, and select Pause.

    Screenshot of Global Secure Access System Tray options, Pause.

  4. After the confirmation notification appears, open the previously blocked site to confirm restored access.

View activity in the traffic log

  1. In the Microsoft Entra admin center > Global Secure Access > Monitor, select Traffic logs. If needed, select Add filter. Filter when User principal name contains testuser and Action set to Block.
  2. Observe the entries for your target FQDN that show traffic as blocked and then allowed. There may be a delay of up to 20 minutes for entries to appear in the log.

Sample PoC scenario: Block a group from accessing websites based on category

Use Microsoft Entra Internet Access to block or allow access to internet sites based on category. These areas include gambling, alcohol, and tobacco sites. Manually managing blocklists isn't required. Complete the following tasks to configure Microsoft Entra Internet Access to block alcohol and tobacco sites for your test user.

Create a web filtering policy

  1. In the Microsoft Entra admin center, go to Global Secure Access > Secure > Web content filtering policies > Create policy > Configure Global Secure Access content filtering.

    Screenshot of Global Secure Access, Secure, Web content filtering policies.

  2. On Create a web content filtering policy > Basics, provide the following details.

    • Name: Blocking Alcohol and Tobacco.
    • Description: Add a description.
    • Action: Block.
  3. Select Next.

  4. On Create a web content filtering policy > Policy Rules, select Add Rule.

  5. In the Add Rule dialog box, provide the following details.

    • Name: Alcohol and Tobacco.
    • Destination type: webCategory.
    • Search: Alcohol.
    • Select Alcohol and Tobacco.
  6. Select Add.

  7. On Create a web content filtering policy > Policy Rules, select Next.

  8. On Create a web content filtering policy > Review, confirm your policy configuration.

    Screenshot of Global Secure Access, Security profiles, Create a profile, Web content filtering policies, Review for category policy.

  9. Select Create policy.

  10. To confirm policy creation, view it in the Manage web content filtering policies list.

    Screenshot of Global Secure Access, Security profiles, Web content filtering policies for category.

Create a security policy profile

  1. In the Microsoft Entra admin center, go to Global Secure Access > Secure > Security profiles. Select Create profile.

    Screenshot of Global Secure Access, Security profiles.

  2. On Create a profile > Basics, provide the following details.

    • Profile name: Internet Access Profile.
    • Description: Add a description.
    • State: enabled.
    • Priority: 1000.
  3. Select Next.

  4. On Create a profile > Link policies, select Link a policy.

  5. Select Existing policy.

  6. In the Link a policy dialog box, provide the following details.

    • Policy name: Blocking Alcohol and Tobacco.
    • Priority: 1000.
    • State: Enabled.
  7. Select Add.

  8. On Create a profile > Link policies, confirm Blocking Alcohol and Tobacco in list.

  9. Select Next.

  10. On Create a profile > Review, confirm your profile configuration.

    Screenshot of Global Secure Access, Security profiles, Review for category policy.

  11. Select Create a profile.

Create a Conditional Access policy

  1. In the Microsoft Entra admin center, go to Protection > Conditional Access. Select Create new policy.

  2. In the New Conditional Access Policy dialog box, configure the following details.

    • Name: Internet Access Policy.
    • Users or workload identities: Specific users included.
    • What does this policy apply to? Users and groups.
    • Include > Select users and groups > Select Users and groups.
  3. Select your test group, then click Select.

    Screenshot of Conditional Access, New Conditional Access policy for Internet Access Policy.

  4. Target resources.

    • Select what this policy applies to > Global Secure Access.
    • Select the traffic profiles this policy applies to > Internet traffic.

    Screenshot of Conditional Access, New Conditional Access policy for Internet Access Policy, Target resources.

  5. Leave the Grant control at its default (grant access) so that the security profile you defined provides the block functionality.

  6. In the Session dialog box, select Use Global Secure Access security profile.

  7. Select Internet Access Profile.

    Screenshot of Conditional Access, New Conditional Access policy for Internet Access Policy, Session.

  8. In Conditional Access Overview > Enable policy, select On. Select Create.

Attempt to access blocked sites

  1. Sign in to your test device where you installed the GSA agent.

  2. In the system tray, right-click Global Secure Access Client. Select Advanced Diagnostics.

    Screenshot of Global Secure Access System Tray options, Advanced diagnostics.

  3. In the Global Secure Access Client - Advanced Diagnostics dialog box, select Traffic.

  4. On Network traffic, select Start collecting.

    Screenshot of Global Secure Access Client, Advanced diagnostics, Traffic, Network traffic, Start collecting.

  5. Attempt to open an alcohol or tobacco site to confirm blocked access. You should see DeniedTraffic for http websites and a Can't reach this page notification for https websites. It can take up to 20 minutes for the policy to apply to your client device.

Stop the agent and confirm restored access

  1. On Network traffic, select Stop collecting.

  2. Scroll to observe the traffic related to opening the FQDN and associated data. Note the Internet Access in the Channel columns. Conditional Access policies are written as claims to your token that have a one-hour lifetime. It can take up to one hour for new Conditional Access policies to apply to your client device. Because changes propagate across Microsoft Entra, it can take up to 20 minutes for web-filtering policy and security-profile changes to apply to your client device.

    Screenshot of Global Secure Access - Advanced diagnostic, Network traffic.

  3. On your test device, in the System Tray, expand the options, right-click Global Secure Access Client, and select Pause.

    Screenshot of Global Secure Access System Tray options, Pause.

  4. After the confirmation notification appears, open the previously blocked site to confirm restored access. Functionality to access the GSA client menu is administratively controllable when the product moves to General Availability.

View activity in the traffic log

  1. In the Microsoft Entra admin center > Global Secure Access > Monitor, select Traffic logs.
  2. If needed, select Add filter. Filter when User principal name contains testuser and Action set to Block.
  3. Observe the entries for your target FQDN that show traffic as blocked and then allowed. There can be a delay of up to 20 minutes for entries to appear in the log.

Sample PoC scenario: Block a group from accessing websites based on FQDN

In some cases, it's necessary to block specific websites rather than broad web categories. Complete the following tasks to block access to a site based on its FQDN. Make sure you include all fully qualified domain names (FQDNs) that the site you want to block uses.

Create a web filtering policy

  1. In the Microsoft Entra admin center, go to Global Secure Access > Secure > Web content filtering policies > Create policy > Configure Global Secure Access content filtering.

    Screenshot of Global Secure Access, Secure, Web content filtering policies.

  2. On Create a web content filtering policy > Basics, provide the following details.

    • Name: Blocking test FQDN.
    • Description: Add a description.
    • Action: Block.
  3. Select Next.

  4. On Create a web content filtering policy > Policy Rules, select Add Rule.

  5. In the Add Rule dialog box, provide the following details.

    • Name: Enter the name, such as Block test FQDN.
    • Destination type: FQDN.
    • Destination: enter the test FQDN in the format *.domainname.com or domainname.com.
  6. Select Add.

  7. On Create a web content filtering policy > Policy Rules, confirm your selections.

  8. Select Next.

  9. On Create a web content filtering policy > Review, confirm your policy configuration.

    Screenshot of Global Secure Access, Security profiles, Create a profile, Web content filtering policies, Review for block FQDN policy.

  10. Select Create policy.

  11. To confirm policy creation, view it in the Manage web content filtering policies list.

Create a security policy profile

  1. In the Microsoft Entra admin center, go to Global Secure Access > Secure > Security profiles. Select Create profile.

    Screenshot of Global Secure Access, Security profiles.

  2. On Create a profile > Basics, provide the following details.

    • Profile name: Block FQDNs Internet Access Profile.
    • Description: Add a description.
    • State: enabled.
    • Priority: 2000.
  3. Select Next.

  4. On Create a profile > Link policies, select Link a policy.

  5. Select Existing policy.

  6. In the Link a policy dialog box, provide the following details.

    • Policy name: Blocking test FQDN.
    • Priority: 100.
    • State: Enabled.
  7. Select Add.

  8. On the Link policies tab, confirm Blocking test FQDN in list.

  9. Select Next.

  10. On the Review tab, confirm your profile configuration.

    Screenshot of Global Secure Access, Security profiles, Review for block FQDN policy.

  11. Select Create a profile.

Create a Conditional Access policy

  1. In the Microsoft Entra admin center, go to Protection > Conditional Access. Select Create new policy.

  2. In the New Conditional Access Policy dialog box, configure the following.

    • Name: FQDN Internet Access Policy.
    • Users or workload identities: Specific users included.
    • What does this policy apply to? Users and groups.
    • Include > Select users and groups > Select Users and groups.
    • Select your test group. Click Select.

    Screenshot of Conditional Access, New Conditional Access policy to block FQDN Internet Access Policy.

  3. Target resources > Select what this policy applies to > Global Secure Access.

  4. Select the traffic profiles this policy applies to > Internet traffic.

    Screenshot of Conditional Access, New Conditional Access policy to block FQDN Internet Access Policy, Target resources.

  5. In the Session dialog box, select Use Global Secure Access security profile, then select Block FQDNs Internet Access Profile.

  6. In Conditional Access Overview > Enable policy, select On. Select Create.

    Screenshot of Conditional Access, New Conditional Access policy to block FQDN Internet Access Policy, Session.

Attempt to access blocked sites

  1. Sign in to your test device where you installed the GSA agent.

  2. In the System Tray, right-click Global Secure Access Client. Select Advanced Diagnostics.

    Screenshot of Global Secure Access System Tray options, Advanced diagnostics.

  3. In the Global Secure Access Client - Advanced Diagnostics dialog box, select Traffic.

  4. On Network traffic, select Start collecting.

    Screenshot of Global Secure Access Client, Advanced diagnostics, Traffic, Network traffic, Start collecting.

  5. Attempt to open the FQDN you configured to confirm blocked access. You should see Access Denied for http websites and Can't reach this page notification for https websites. It can take up to 20 minutes for the policy to apply to your client device.

Stop the agent and confirm restored access

  1. On Network traffic, select Stop collecting.

  2. Scroll to observe the traffic related to opening the FQDN, and associated data.

    Screenshot of Global Secure Access - Advanced diagnostic, Network traffic to block FQDN Internet Access.

  3. On your test device, in the System Tray, expand the options, right-click Global Secure Access Client, and select Pause.

    Screenshot of Global Secure Access System Tray options, Pause.

  4. After the confirmation notification appears, open the previously blocked site to confirm restored access.

View activity in the traffic log

  1. In the Microsoft Entra admin center > Global Secure Access > Monitor, select Traffic logs.
  2. If needed, select Add filter. Filter when User principal name contains testuser and Action set to Block.
  3. Observe the entries for your target FQDN that show traffic as blocked and then allowed. There can be a delay of up to 20 minutes for entries to appear in the log.

Sample PoC scenario: Allow a user to access a blocked website

In some cases, a user might require access to a site that is blocked for a group the user belongs to. Complete the following tasks to override a block configured for your test group, so the test user can access the blocked site.

Create a web filtering policy

  1. In the Microsoft Entra admin center, go to Global Secure Access > Secure > Web content filtering policies > Create policy > Configure Global Secure Access content filtering.

    Screenshot of Global Secure Access, Secure, Web content filtering policies.

  2. On Create a web content filtering policy > Basics, provide the following details.

    • Name: Allow test FQDN.
    • Description: Add a description.
    • Action: Allow.
  3. Select Next.

  4. On Create a web content filtering policy > Policy Rules, select Add Rule.

  5. In the Add Rule dialog box, provide the following details.

    • Name: Enter a name, such as Allow FQDN Override.
    • Destination type: FQDN.
    • Destination: enter the FQDN in the format *.domainname.com or domain.com. Select Add.
  6. On Create a web content filtering policy > Policy Rules, confirm your selections.

  7. Select Next.

  8. On Create a web content filtering policy > Review, confirm your policy configuration.

    Screenshot of Global Secure Access, Security profiles, Create a profile, Web content filtering policies, Review for allow blocked policy.

  9. Select Create policy.

  10. To confirm policy creation, view it in the Manage web content filtering policies list.

Create a security policy profile

  1. In the Microsoft Entra admin center, go to Global Secure Access > Secure > Security profiles. Select Create profile.

    Screenshot of Global Secure Access, Security profiles.

  2. On Create a profile > Basics, provide the following details.

    • Profile name: Allow FQDNs Internet Access Profile.
    • Description: Add a description.
    • State: enabled.
    • Priority: 500.
  3. Select Next.

  4. On Create a profile > Link policies, select Link a policy.

  5. Select Existing policy.

  6. In the Link a policy dialog box, provide the following details.

    • Policy name: Allow test FQDN.
    • Priority: 100.
    • State: Enabled.
  7. Select Add.

  8. On Create a profile > Link policies, confirm Allow test FQDN in list.

  9. Select Next.

  10. On the Review tab, confirm your profile configuration.

    Screenshot of Global Secure Access, Security profiles, Review for allow blocked policy.

  11. Select Create a profile.

Create a Conditional Access policy

  1. In the Microsoft Entra admin center, go to Protection > Conditional Access. Select Create new policy.

  2. In the New Conditional Access Policy dialog box, configure the following.

    • Name: FQDN Exception Override IA Policy.
    • Users or workload identities: Specific users included.
    • What does this policy apply to? Users and groups.
    • Include > Select users and groups > Select Users and groups.
    • Select your test group. Click Select.

    Screenshot of Conditional Access, New Conditional Access policy to allow blocked Internet Access Policy.

  3. Target resources > Select what this policy applies to > Global Secure Access.

  4. Select the traffic profiles this policy applies to > Internet traffic.

    Screenshot of Conditional Access, New Conditional Access policy to allow blocked Internet Access Policy, Target resources.

  5. Session > select Use Global Secure Access security profile, select Allow FQDNs Internet Access Profile. Click Select.

  6. In Conditional Access Overview > Enable policy, select On. Select Create.

    Screenshot of Conditional Access, New Conditional Access policy to allow blocked Internet Access Policy, Session.

Attempt to access blocked sites

  1. Sign in to your test device where you installed the GSA agent.

  2. In the System Tray, right-click Global Secure Access Client. Select Advanced Diagnostics.

    Screenshot of Global Secure Access System Tray options, Advanced diagnostics.

  3. In the Global Secure Access Client - Advanced Diagnostics dialog box, select Traffic.

  4. On Network traffic, select Start collecting.

    Screenshot of Global Secure Access Client, Advanced diagnostics, Traffic, Network traffic, Start collecting.

  5. To confirm access for this specific user, attempt to open the FQDN that you configured as an exception. It can take up to 20 minutes for the policy to apply to your client device.

Stop the agent and confirm restored access

  1. On Network traffic, select Stop collecting.
  2. Scroll to observe the traffic related to opening the FQDN.

View activity in the traffic log

  1. In the Microsoft Entra admin center > Global Secure Access > Monitor, select Traffic logs. If needed, select Add filter. Filter when User principal name contains testuser and Action set to Block.
  2. Observe the entries for your target FQDN that show traffic as blocked and then allowed. There can be a delay of up to 20 minutes for entries to appear in the log.
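The four scenarios above (baseline at 65000, category block at 1000, FQDN block at 2000, allow override at 500) only work together if you understand how the priorities resolve. The following model, an added example that is not Microsoft's code, walks a request through the page's profiles and policies. It assumes the lower priority number wins, the baseline applies to every user, a profile reaches a user only through a Conditional Access policy that targets the user's group, the first matching rule of the lowest-numbered enabled link decides, and `*.domainname.com` matches subdomains only; the hosts and web categories are constructed.

```python
"""Model of security profile / web content filtering policy precedence.
Assumptions (not verified against the service): lower priority number wins,
baseline needs no Conditional Access policy, first match in priority order
decides, and '*.domainname.com' matches subdomains only."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    destination_type: str      # "FQDN" or "webCategory", as in the Add Rule dialog
    destinations: list


@dataclass
class Policy:
    name: str
    action: str                # "Block" or "Allow"
    rules: list


@dataclass
class Link:                    # a policy linked into a security profile
    policy: Policy
    priority: int
    state: str = "Enabled"


@dataclass
class Profile:
    name: str
    priority: int
    links: list
    state: str = "enabled"


# Constructed category lookup standing in for the service's web categorizer.
WEB_CATEGORY = {"casino.example": "Gambling", "brewery.example": "Alcohol and Tobacco"}


def fqdn_matches(pattern, host):
    """Match the two destination formats the page accepts:
    'domainname.com' (exact host) or '*.domainname.com' (any subdomain)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def rule_matches(rule, host):
    if rule.destination_type == "FQDN":
        return any(fqdn_matches(p, host) for p in rule.destinations)
    return WEB_CATEGORY.get(host.lower()) in rule.destinations


def profiles_for(user_groups, ca_policies, baseline):
    """ca_policies: (targeted group, session profile, enabled). Baseline always applies."""
    return [p for grp, p, on in ca_policies if on and grp in user_groups] + [baseline]


def evaluate(host, profiles):
    """Return (action, profile name, rule name) for the first match in priority order."""
    for prof in sorted(profiles, key=lambda p: p.priority):
        if prof.state.lower() != "enabled":
            continue
        for link in sorted(prof.links, key=lambda l: l.priority):
            if link.state.lower() != "enabled":
                continue
            for rule in link.policy.rules:
                if rule_matches(rule, host):
                    return link.policy.action, prof.name, rule.name
    return "Allow", None, None           # nothing matched: traffic passes


# The page's four profiles with their names and priorities; the test FQDN is constructed.
BASELINE = Profile("Baseline Internet Access Block Profile", 65000, [Link(Policy(
    "Baseline Internet Access block rule", "Block",
    [Rule("Baseline blocked web categories", "webCategory", ["Gambling"])]), 100)])
CATEGORY = Profile("Internet Access Profile", 1000, [Link(Policy(
    "Blocking Alcohol and Tobacco", "Block",
    [Rule("Alcohol and Tobacco", "webCategory", ["Alcohol and Tobacco"])]), 1000)])
BLOCK_FQDN = Profile("Block FQDNs Internet Access Profile", 2000, [Link(Policy(
    "Blocking test FQDN", "Block", [Rule("Block test FQDN", "FQDN", ["*.test-fqdn.example"])]), 100)])
ALLOW_FQDN = Profile("Allow FQDNs Internet Access Profile", 500, [Link(Policy(
    "Allow test FQDN", "Allow", [Rule("Allow FQDN Override", "FQDN", ["*.test-fqdn.example"])]), 100)])


def decide(host, user_groups, override_enabled):
    """Resolve one request for a user; override_enabled toggles the exception CA policy."""
    ca = [("test group", CATEGORY, True), ("test group", BLOCK_FQDN, True),
          ("test group", ALLOW_FQDN, override_enabled)]
    return evaluate(host, profiles_for(user_groups, ca, BASELINE))
```

Toggling `override_enabled` reproduces the blocked-then-allowed sequence the traffic log shows; a user outside the test group still hits the baseline profile.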

Next steps